7673de9d8c302ed416a4a779cb7a6aedcc298fbc5dcf05550bd39a1b61f41e44

General

Target

aa836358c35432f7d6eaccfe50c93c78.exe
Size

1.1MB
MD5

aa836358c35432f7d6eaccfe50c93c78
SHA1

f8ead8ea850d2d7f41640071ba5a58f91e7756ef
SHA256

7673de9d8c302ed416a4a779cb7a6aedcc298fbc5dcf05550bd39a1b61f41e44
SHA512

2f663bdf1290ff7f54117188f8c46eda70d81f5b7519e98b311e01d016f5ecf7bad807de4c17f27673fc57328cd8427a49c23df6c719b629d95d55c6391bf891
SSDEEP

24576:t8Q9v39St5n1PP3HsdMBh5X6oKuMrlKl4zS:r9PMPP3H6Aiz

Score

7^/10

persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	aa836358c35432f7d6eaccfe50c93c78.exe

Executes dropped EXE 1 IoCs

pid	Process
1852	35408525.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/60-1-0x0000000000400000-0x00000000005DC000-memory.dmp	upx
behavioral2/files/0x0008000000023221-12.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\35408525 = "C:\\ProgramData\\35408525\\35408525.exe"	aa836358c35432f7d6eaccfe50c93c78.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\35408525 = "C:\\PROGRA~3\\35408525\\35408525.exe"	35408525.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
3488	taskkill.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1852	35408525.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3488	taskkill.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
1852	35408525.exe
1852	35408525.exe
1852	35408525.exe
1852	35408525.exe
1852	35408525.exe
1852	35408525.exe
1852	35408525.exe
1852	35408525.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
1852	35408525.exe
1852	35408525.exe
1852	35408525.exe
1852	35408525.exe
1852	35408525.exe
1852	35408525.exe
1852	35408525.exe
1852	35408525.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 60 wrote to memory of 888	60	aa836358c35432f7d6eaccfe50c93c78.exe	90
PID 60 wrote to memory of 888	60	aa836358c35432f7d6eaccfe50c93c78.exe	90
PID 60 wrote to memory of 888	60	aa836358c35432f7d6eaccfe50c93c78.exe	90
PID 888 wrote to memory of 3488	888	cmd.exe	92
PID 888 wrote to memory of 3488	888	cmd.exe	92
PID 888 wrote to memory of 3488	888	cmd.exe	92
PID 888 wrote to memory of 2944	888	cmd.exe	95
PID 888 wrote to memory of 2944	888	cmd.exe	95
PID 888 wrote to memory of 2944	888	cmd.exe	95
PID 2944 wrote to memory of 1852	2944	cmd.exe	96
PID 2944 wrote to memory of 1852	2944	cmd.exe	96
PID 2944 wrote to memory of 1852	2944	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\aa836358c35432f7d6eaccfe50c93c78.exe
"C:\Users\Admin\AppData\Local\Temp\aa836358c35432f7d6eaccfe50c93c78.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:60
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\35408525\35408525.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im aa836358c35432f7d6eaccfe50c93c78.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3488
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start C:\PROGRA~3\35408525\35408525.exe /install
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\PROGRA~3\35408525\35408525.exe
      C:\PROGRA~3\35408525\35408525.exe /install
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\35408525\35408525.bat

Filesize
290B

MD5
9d40304101e69386ff8e098ce2c305d1

SHA1
10d6f743bb9384beec81050b9921eff1b2b0483f

SHA256
de84153b373688cc3a145f24e920623455dfb8338b26ae26cc53e2d4d0617a92

SHA512
d3b56cca54ab99c7e5a47d794dc0df10b6c04ece4168c44a715609221b6fa4f89d55e6cd86b3b232f9e0947bb374d1c2638f241ae7a6fa108be3292f09f8a876

Download Submit
C:\ProgramData\35408525\35408525.exe

Filesize
1.1MB

MD5
aa836358c35432f7d6eaccfe50c93c78

SHA1
f8ead8ea850d2d7f41640071ba5a58f91e7756ef

SHA256
7673de9d8c302ed416a4a779cb7a6aedcc298fbc5dcf05550bd39a1b61f41e44

SHA512
2f663bdf1290ff7f54117188f8c46eda70d81f5b7519e98b311e01d016f5ecf7bad807de4c17f27673fc57328cd8427a49c23df6c719b629d95d55c6391bf891

Download Submit
memory/60-1-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/60-2-0x0000000000910000-0x0000000000A10000-memory.dmp

Filesize
1024KB

Download
memory/60-3-0x0000000000730000-0x0000000000732000-memory.dmp

Filesize
8KB

Download
memory/60-4-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/60-9-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/1852-18-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/1852-24-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/1852-15-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/1852-16-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1852-21-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/1852-22-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/1852-23-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1852-17-0x0000000000620000-0x0000000000622000-memory.dmp

Filesize
8KB

Download
memory/1852-25-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/1852-26-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/1852-27-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/1852-28-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/1852-30-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/1852-31-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/1852-32-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/1852-33-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads