637a7a01786bfa5a6297fd00d7bccf64a6fc6a12e99b5fcbcc34f3cf69b66f8d

General

Target

a239be57fd3ea173cb942f0fc6962901.exe
Size

355KB
MD5

a239be57fd3ea173cb942f0fc6962901
SHA1

8b66da72a6bee38b0270e09011418d96128a305c
SHA256

637a7a01786bfa5a6297fd00d7bccf64a6fc6a12e99b5fcbcc34f3cf69b66f8d
SHA512

6c0cd928c3bc5f43e57842e91f5b133420e2ac05e8c51a7c2026c67d836721d82191ceb286015586202b2e1df7d5f1cb507ee3ce772d064cdd76f9049b4139d0
SSDEEP

6144:+Y400b2DUdwIsa7eIt/wf1cNwPLvoqg0R2VhPefm0To63vUmyGj0gWtxdV7HMyLE:e00XsGNw1c2obY7QTGjFWtxTzMyLvjI

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation	server.exe

Executes dropped EXE 1 IoCs

pid	Process
4776	server.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a239be57fd3ea173cb942f0fc6962901.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D544C22D-1F70-4B1E-873D-D8DABEB26695}\	server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D544C22D-1F70-4B1E-873D-D8DABEB26695}\InProcServer32	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D544C22D-1F70-4B1E-873D-D8DABEB26695}\InProcServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\MSINFO\\atmQQ2.dll"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D544C22D-1F70-4B1E-873D-D8DABEB26695}\InProcServer32\ThreadingModel = "Apartment"	server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D544C22D-1F70-4B1E-873D-D8DABEB26695}	server.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4776	server.exe
4776	server.exe
4776	server.exe
4776	server.exe
4776	server.exe
4776	server.exe
4776	server.exe
4776	server.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 4776	3076	a239be57fd3ea173cb942f0fc6962901.exe	84
PID 3076 wrote to memory of 4776	3076	a239be57fd3ea173cb942f0fc6962901.exe	84
PID 3076 wrote to memory of 4776	3076	a239be57fd3ea173cb942f0fc6962901.exe	84
PID 4776 wrote to memory of 3972	4776	server.exe	87
PID 4776 wrote to memory of 3972	4776	server.exe	87
PID 4776 wrote to memory of 3972	4776	server.exe	87

C:\Users\Admin\AppData\Local\Temp\a239be57fd3ea173cb942f0fc6962901.exe
"C:\Users\Admin\AppData\Local\Temp\a239be57fd3ea173cb942f0fc6962901.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BT.BAT" "
    3⤵
    PID:3972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BT.BAT

Filesize
152B

MD5
e74319a75d8701ef34e7a2d8d5df838c

SHA1
b1f7b0c8379986ae34a5dc87c2f1dcc714df97f8

SHA256
221f70980dc3a29ebf3b121af458d34e1b8031556831cd7ed329f1017ea2cb84

SHA512
985d6464780119c9fdb8e2d148e34ad9dd58158b76668722d78cac4ed74e61487f88a30c4f04361d4aec8eeee0530b1e256adbec65d17c0528b4525d9619260b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
50KB

MD5
cb2967dbe1e6d0e843b329e487a30d2d

SHA1
ba8667c537ffee001f9fb672f64e472bcd9e2fa6

SHA256
bbbc9455e63cfcf7b6c4e6ad0ccbb61bfa3192a94e9b96105b6ee59f16380184

SHA512
422b6ddc71ffc258f752c3e345b17c776b89734e446a023f86026991b0c10e25203ae2d61e60f0d41f4155930dc16e21753a90ca2c551cc50c65899031ae9703

Download Submit
memory/3076-18-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/3076-19-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/3076-4-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/3076-5-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/3076-6-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/3076-7-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/3076-8-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/3076-9-0x0000000002BC0000-0x0000000002BC1000-memory.dmp

Filesize
4KB

Download
memory/3076-10-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/3076-11-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

Filesize
4KB

Download
memory/3076-12-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/3076-13-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/3076-15-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/3076-14-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/3076-16-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/3076-17-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/3076-2-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3076-0-0x0000000001000000-0x0000000001092000-memory.dmp

Filesize
584KB

Download
memory/3076-21-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/3076-22-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/3076-20-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/3076-23-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/3076-26-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/3076-27-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/3076-28-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/3076-29-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/3076-30-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/3076-32-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/3076-34-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/3076-3-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/3076-43-0x00000000008D0000-0x0000000000920000-memory.dmp

Filesize
320KB

Download
memory/3076-1-0x00000000008D0000-0x0000000000920000-memory.dmp

Filesize
320KB

Download
memory/3076-42-0x0000000001000000-0x0000000001092000-memory.dmp

Filesize
584KB

Download
memory/4776-40-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4776-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads