cf072d97c33e2ad28618a943aaf43d0240d9002a45d9bb3688a2bcf2b27c26b0

General

Target

ada68de170539dde7dc0a4b24af07f11.exe
Size

1018KB
MD5

ada68de170539dde7dc0a4b24af07f11
SHA1

fc130610603913222dd0cafa661ea20088e6d332
SHA256

cf072d97c33e2ad28618a943aaf43d0240d9002a45d9bb3688a2bcf2b27c26b0
SHA512

72d5db5d1182e91e36706ef044b61695bb14fac98ca287b6f535db8df5bfa1219570314004d0309adc18ee573c496c9f44c3e0e516608375db80850780a24d8e
SSDEEP

24576:e/9L/9fvcJM/52Hhy++LAM3WB6xJeHoKMvpH3w:e/9L/9ncJM/AHX+LmgeHoKGd

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
47	4752	WScript.exe
49	4752	WScript.exe
51	4752	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	Consumato.exe.com

Executes dropped EXE 2 IoCs

pid	Process
4792	Consumato.exe.com
1884	Consumato.exe.com

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ada68de170539dde7dc0a4b24af07f11.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
46	iplogger.org
47	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
30	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Consumato.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Consumato.exe.com

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	Consumato.exe.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3248	PING.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4220 wrote to memory of 5040	4220	ada68de170539dde7dc0a4b24af07f11.exe	89
PID 4220 wrote to memory of 5040	4220	ada68de170539dde7dc0a4b24af07f11.exe	89
PID 4220 wrote to memory of 5040	4220	ada68de170539dde7dc0a4b24af07f11.exe	89
PID 4220 wrote to memory of 2188	4220	ada68de170539dde7dc0a4b24af07f11.exe	91
PID 4220 wrote to memory of 2188	4220	ada68de170539dde7dc0a4b24af07f11.exe	91
PID 4220 wrote to memory of 2188	4220	ada68de170539dde7dc0a4b24af07f11.exe	91
PID 2188 wrote to memory of 1208	2188	cmd.exe	94
PID 2188 wrote to memory of 1208	2188	cmd.exe	94
PID 2188 wrote to memory of 1208	2188	cmd.exe	94
PID 1208 wrote to memory of 768	1208	cmd.exe	95
PID 1208 wrote to memory of 768	1208	cmd.exe	95
PID 1208 wrote to memory of 768	1208	cmd.exe	95
PID 1208 wrote to memory of 4792	1208	cmd.exe	97
PID 1208 wrote to memory of 4792	1208	cmd.exe	97
PID 1208 wrote to memory of 4792	1208	cmd.exe	97
PID 1208 wrote to memory of 3248	1208	cmd.exe	98
PID 1208 wrote to memory of 3248	1208	cmd.exe	98
PID 1208 wrote to memory of 3248	1208	cmd.exe	98
PID 4792 wrote to memory of 1884	4792	Consumato.exe.com	99
PID 4792 wrote to memory of 1884	4792	Consumato.exe.com	99
PID 4792 wrote to memory of 1884	4792	Consumato.exe.com	99
PID 1884 wrote to memory of 4752	1884	Consumato.exe.com	106
PID 1884 wrote to memory of 4752	1884	Consumato.exe.com	106
PID 1884 wrote to memory of 4752	1884	Consumato.exe.com	106

C:\Users\Admin\AppData\Local\Temp\ada68de170539dde7dc0a4b24af07f11.exe
"C:\Users\Admin\AppData\Local\Temp\ada68de170539dde7dc0a4b24af07f11.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c hIDuoykI
  2⤵
  PID:5040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cmd < Mise.adts
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1208
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^qtOjQgNmHjCVwYiUrmbuExhNxKjAZBgFkHhWYSyJRWCSKhgtOmIhJwAGRqRywhAyXWJxKkVlxOgHRxriviMmSq$" Magrezza.adts
      4⤵
      PID:768
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Consumato.exe.com
      Consumato.exe.com U
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4792
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Consumato.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Consumato.exe.com U
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Checks processor information in registry
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1884
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\olfqfdhmoqs.vbs"
        6⤵
        Blocklisted process makes network request
        
        PID:4752
  - - C:\Windows\SysWOW64\PING.EXE
      ping FHOHZANM -n 30
      4⤵
      Runs ping.exe
      PID:3248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D458.tmp

Filesize
313B

MD5
bee55e52500f967c3d9402e05dd57f65

SHA1
d8dc65ec97c6288e1fd10b8c4f8502e5a8a5bbf6

SHA256
b90eae4b05d321efc4519963349c1775dcea8e3b0ae53b50285545380b6539c0

SHA512
b8624a934fb74760f5b231ca97e89074b227ad9fe3bb08b01a81cf35760f06b346f395cf6683df5881dc429ae77af0d0a07cfeb9c9ec127e4e917191bf8c91da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Consumato.exe.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Copia.adts

Filesize
794KB

MD5
b3ca9fa6e338f37cba89894f0dc0ccfb

SHA1
0e3a55ffa3af6b0396bc30a0e88eef61b357015b

SHA256
3186ff707581468e32e4cef8157af27db76a54d26b9aeadd223a5034762fa073

SHA512
7ad2050d56bd2a8068cd18f7ec7317032a95d94aa18c1c56580be15f27ba18b3a0748e420c1f0c1e1a50a385c0f2d07a2ef1e98c95c9463b543e2de1282754a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dov.adts

Filesize
139KB

MD5
ab00680d714b342b90821af2a08cf844

SHA1
8f5b170496221ae5486ca226b562d2038d1732c9

SHA256
2400176604e81c31c856208e96db9c8aba9c8e36aac5c9c52903e771ca8f4304

SHA512
a1c9d600cc26513f6ab018d673e47ef9bb2a875b3bababf7e242d458222e1eab286e6fb61b9cd8d5c380230e62976d37144aab17babe1d81e0cd35cdb6e25369

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Magrezza.adts

Filesize
872KB

MD5
6c74a02033d0fcd0c8cb96e8d7bc9363

SHA1
90ba3d5efd66628ff05db249f7d87c9eeb31633d

SHA256
f2611e38c970b2cd06a81c40d36c3b687542278510b85aa4806820d161fb3242

SHA512
826cd987ed933de45b770632e71b5fa78ec436681188c09cd245d6959fde96687b26fbcb7be4acb020cbc5e2dff8f6e8823e870174697d22429673f207d16073

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mise.adts

Filesize
438B

MD5
40b99134859b20ed28e8114f0cd89bff

SHA1
245e5070ce852d3abdbe0b05b5e1f11b03096c6e

SHA256
d15a60863bf720f676a7551cd6aa1edf190370ff0d94af59b6123ed21d24213a

SHA512
ce26f830f68372f50f218ddc65edd486728a634d9a711443fd788ef55e32700f8f7c495ad43ef9c7bd0db85b54f3de5660ee17ffe7e11346cf8fb5cca253a256

Download Submit
C:\Users\Admin\AppData\Local\Temp\olfqfdhmoqs.vbs

Filesize
145B

MD5
811bd9a89925079e185a94eb153d056a

SHA1
c612cf745a6ed1993f01939bf680a39ce0efa654

SHA256
33ddaea15ec5d65f0f2f454bcdab355762dd40b567d065eb45b2f6a088511eb1

SHA512
c0d6e847b712bc8cab1342ff7fd49d467b72e5dd6dfce81cc6eaab939dce70c9f7741d325f418880a4aafbfb305551628fa6ed6fb497433183ed4d8185b23fce

Download Submit
memory/1884-24-0x0000000000030000-0x0000000000057000-memory.dmp

Filesize
156KB

Download
memory/1884-23-0x0000000000030000-0x0000000000057000-memory.dmp

Filesize
156KB

Download
memory/1884-25-0x0000000000030000-0x0000000000057000-memory.dmp

Filesize
156KB

Download
memory/1884-26-0x0000000000030000-0x0000000000057000-memory.dmp

Filesize
156KB

Download
memory/1884-27-0x0000000000030000-0x0000000000057000-memory.dmp

Filesize
156KB

Download
memory/1884-28-0x0000000000030000-0x0000000000057000-memory.dmp

Filesize
156KB

Download
memory/1884-22-0x0000000000030000-0x0000000000057000-memory.dmp

Filesize
156KB

Download
memory/1884-41-0x0000000000030000-0x0000000000057000-memory.dmp

Filesize
156KB

Download
memory/1884-21-0x0000000003A30000-0x0000000003A31000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads