418f4beab3913272a5ce86075202e67fe89a273c7840b53d0eccb0229dfea020

General

Target

b1493c9c3de438c1d925f3a4af556f04.exe
Size

2.2MB
MD5

b1493c9c3de438c1d925f3a4af556f04
SHA1

16ba06f5872a5d79ad1dd835669a9d5f55cf10d2
SHA256

418f4beab3913272a5ce86075202e67fe89a273c7840b53d0eccb0229dfea020
SHA512

9556f48f59abd27cdd919fcb892de800d5291b012ebef9c4042804662f58f671fff8f700f3c22e9c6566f7994fcbd7cbadd35625faa1e17e5f72285b4359fad9
SSDEEP

24576:0KtlfLm3/4s8krM4hsJgqGMDA2Q0CDwuJZqrMNCYjef9juun4MoTq0:Hj44VTgfH2r6qfpo2

Score

7^/10

persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b1493c9c3de438c1d925f3a4af556f04.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	b1493c9c3de438c1d925f3a4af556f04.exe

Drops startup file 2 IoCs

Processes:

b1493c9c3de438c1d925f3a4af556f04.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	b1493c9c3de438c1d925f3a4af556f04.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	b1493c9c3de438c1d925f3a4af556f04.exe

Executes dropped EXE 2 IoCs

Processes:

svchost.exeAddInProcess32.exe

pid process

4496 svchost.exe
4040 AddInProcess32.exe

pid	process
4496	svchost.exe
4040	AddInProcess32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4040-30-0x0000000000900000-0x0000000000CE4000-memory.dmp	upx
behavioral2/memory/4040-31-0x0000000000900000-0x0000000000CE4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 4496 set thread context of 4040 4496 svchost.exe AddInProcess32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1532 4040 WerFault.exe AddInProcess32.exe

description	pid	process	target process
PID 4496 set thread context of 4040	4496	svchost.exe	AddInProcess32.exe

pid	pid_target	process	target process
1532	4040	WerFault.exe	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

b1493c9c3de438c1d925f3a4af556f04.exesvchost.exe

pid	process
3244	b1493c9c3de438c1d925f3a4af556f04.exe
3244	b1493c9c3de438c1d925f3a4af556f04.exe
3244	b1493c9c3de438c1d925f3a4af556f04.exe
3244	b1493c9c3de438c1d925f3a4af556f04.exe
3244	b1493c9c3de438c1d925f3a4af556f04.exe
3244	b1493c9c3de438c1d925f3a4af556f04.exe
3244	b1493c9c3de438c1d925f3a4af556f04.exe
3244	b1493c9c3de438c1d925f3a4af556f04.exe
3244	b1493c9c3de438c1d925f3a4af556f04.exe
3244	b1493c9c3de438c1d925f3a4af556f04.exe
3244	b1493c9c3de438c1d925f3a4af556f04.exe
3244	b1493c9c3de438c1d925f3a4af556f04.exe
3244	b1493c9c3de438c1d925f3a4af556f04.exe
3244	b1493c9c3de438c1d925f3a4af556f04.exe
3244	b1493c9c3de438c1d925f3a4af556f04.exe
3244	b1493c9c3de438c1d925f3a4af556f04.exe
3244	b1493c9c3de438c1d925f3a4af556f04.exe
3244	b1493c9c3de438c1d925f3a4af556f04.exe
3244	b1493c9c3de438c1d925f3a4af556f04.exe
3244	b1493c9c3de438c1d925f3a4af556f04.exe
4496	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b1493c9c3de438c1d925f3a4af556f04.exesvchost.exe

description pid process

Token: SeDebugPrivilege 3244 b1493c9c3de438c1d925f3a4af556f04.exe
Token: SeDebugPrivilege 4496 svchost.exe

description	pid	process
Token: SeDebugPrivilege	3244	b1493c9c3de438c1d925f3a4af556f04.exe
Token: SeDebugPrivilege	4496	svchost.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

b1493c9c3de438c1d925f3a4af556f04.execmd.exesvchost.exe

description	pid	process	target process
PID 3244 wrote to memory of 5032	3244	b1493c9c3de438c1d925f3a4af556f04.exe	cmd.exe
PID 3244 wrote to memory of 5032	3244	b1493c9c3de438c1d925f3a4af556f04.exe	cmd.exe
PID 3244 wrote to memory of 5032	3244	b1493c9c3de438c1d925f3a4af556f04.exe	cmd.exe
PID 5032 wrote to memory of 2904	5032	cmd.exe	reg.exe
PID 5032 wrote to memory of 2904	5032	cmd.exe	reg.exe
PID 5032 wrote to memory of 2904	5032	cmd.exe	reg.exe
PID 3244 wrote to memory of 4496	3244	b1493c9c3de438c1d925f3a4af556f04.exe	svchost.exe
PID 3244 wrote to memory of 4496	3244	b1493c9c3de438c1d925f3a4af556f04.exe	svchost.exe
PID 3244 wrote to memory of 4496	3244	b1493c9c3de438c1d925f3a4af556f04.exe	svchost.exe
PID 4496 wrote to memory of 4040	4496	svchost.exe	AddInProcess32.exe
PID 4496 wrote to memory of 4040	4496	svchost.exe	AddInProcess32.exe
PID 4496 wrote to memory of 4040	4496	svchost.exe	AddInProcess32.exe
PID 4496 wrote to memory of 4040	4496	svchost.exe	AddInProcess32.exe
PID 4496 wrote to memory of 4040	4496	svchost.exe	AddInProcess32.exe
PID 4496 wrote to memory of 4040	4496	svchost.exe	AddInProcess32.exe
PID 4496 wrote to memory of 4040	4496	svchost.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\b1493c9c3de438c1d925f3a4af556f04.exe
"C:\Users\Admin\AppData\Local\Temp\b1493c9c3de438c1d925f3a4af556f04.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "svchost" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "svchost" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
    3⤵
    - Adds Run key to start application
    PID:2904
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
    "C:\Users\Admin\AppData\Local\Temp\\AddInProcess32.exe"
    3⤵
    - Executes dropped EXE
    PID:4040
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 188
      4⤵
      Program crash
      PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4040 -ip 4040
1⤵
PID:4084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

Filesize
42KB

MD5
9827ff3cdf4b83f9c86354606736ca9c

SHA1
e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723

SHA256
c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a

SHA512
8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Filesize
1.4MB

MD5
217647354f5d8fef9793b87848a5e5c6

SHA1
f6c04b6afb8574833619293651a7c6aeab999644

SHA256
44c0477b08b80765788d30738d24caaad26b217ba11880fd92d8ce5e254b88aa

SHA512
f140e830447dc96cd10db1652b072bb6fb403bca34322783408a5181716a3c568d96abc067821462ff724c1dc70f4755559c7cf788c86f31f0658e24570d9458

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Filesize
2.2MB

MD5
b1493c9c3de438c1d925f3a4af556f04

SHA1
16ba06f5872a5d79ad1dd835669a9d5f55cf10d2

SHA256
418f4beab3913272a5ce86075202e67fe89a273c7840b53d0eccb0229dfea020

SHA512
9556f48f59abd27cdd919fcb892de800d5291b012ebef9c4042804662f58f671fff8f700f3c22e9c6566f7994fcbd7cbadd35625faa1e17e5f72285b4359fad9

Download Submit
memory/3244-8-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download
memory/3244-3-0x00000000059F0000-0x0000000005A82000-memory.dmp

Filesize
584KB

Download
memory/3244-5-0x00000000059C0000-0x00000000059D0000-memory.dmp

Filesize
64KB

Download
memory/3244-6-0x0000000005A90000-0x0000000005ABC000-memory.dmp

Filesize
176KB

Download
memory/3244-7-0x0000000007420000-0x000000000742A000-memory.dmp

Filesize
40KB

Download
memory/3244-0-0x0000000000DE0000-0x0000000001024000-memory.dmp

Filesize
2.3MB

Download
memory/3244-9-0x00000000059C0000-0x00000000059D0000-memory.dmp

Filesize
64KB

Download
memory/3244-4-0x0000000005B70000-0x0000000005C0C000-memory.dmp

Filesize
624KB

Download
memory/3244-2-0x0000000006080000-0x0000000006624000-memory.dmp

Filesize
5.6MB

Download
memory/3244-24-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download
memory/3244-1-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download
memory/4040-30-0x0000000000900000-0x0000000000CE4000-memory.dmp

Filesize
3.9MB

Download
memory/4040-31-0x0000000000900000-0x0000000000CE4000-memory.dmp

Filesize
3.9MB

Download
memory/4496-25-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download
memory/4496-26-0x0000000006720000-0x0000000006732000-memory.dmp

Filesize
72KB

Download
memory/4496-23-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads