20c9b1a5a0c769d1af97df9728e0de8fe6b2f5012edebd53841edb5b901b3237

General

Target

b4edb38d0c4b66acc0378f86a05b7f21.exe
Size

56KB
MD5

b4edb38d0c4b66acc0378f86a05b7f21
SHA1

e40e4bf71ca343b1849e151d4d53c8e3dc9804eb
SHA256

20c9b1a5a0c769d1af97df9728e0de8fe6b2f5012edebd53841edb5b901b3237
SHA512

5ad7729b7a6f36101f8148ca420f6fbb3cd84a8076dcf327da7095d445b1fb2179b4925f28131ff9fe82ce98ec169cbfe272272d2293a9759fd525709cf1773a
SSDEEP

768:H075YqqedSJluMkE5aIjg1W0MW+fhA1S:H3lgSl/dGMWQAs

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
3964	rundll32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1744-0-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/1744-10-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\sys.tmp	rundll32.exe
File opened for modification	C:\Windows\sys.tmp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "regedit.exe /s \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	cmd.exe

Runs .reg file with regedit 1 IoCs

pid	Process
4932	regedit.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 3524	1744	b4edb38d0c4b66acc0378f86a05b7f21.exe	87
PID 1744 wrote to memory of 3524	1744	b4edb38d0c4b66acc0378f86a05b7f21.exe	87
PID 1744 wrote to memory of 3524	1744	b4edb38d0c4b66acc0378f86a05b7f21.exe	87
PID 1744 wrote to memory of 3892	1744	b4edb38d0c4b66acc0378f86a05b7f21.exe	88
PID 1744 wrote to memory of 3892	1744	b4edb38d0c4b66acc0378f86a05b7f21.exe	88
PID 1744 wrote to memory of 3892	1744	b4edb38d0c4b66acc0378f86a05b7f21.exe	88
PID 3524 wrote to memory of 3964	3524	cmd.exe	92
PID 3524 wrote to memory of 3964	3524	cmd.exe	92
PID 3524 wrote to memory of 3964	3524	cmd.exe	92
PID 3964 wrote to memory of 1732	3964	rundll32.exe	93
PID 3964 wrote to memory of 1732	3964	rundll32.exe	93
PID 3964 wrote to memory of 1732	3964	rundll32.exe	93
PID 1732 wrote to memory of 4932	1732	cmd.exe	97
PID 1732 wrote to memory of 4932	1732	cmd.exe	97
PID 1732 wrote to memory of 4932	1732	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\b4edb38d0c4b66acc0378f86a05b7f21.exe
"C:\Users\Admin\AppData\Local\Temp\b4edb38d0c4b66acc0378f86a05b7f21.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\zt2.tmp1 St C:\Users\Admin\AppData\Local\Temp\b4edb38d0c4b66acc0378f86a05b7f21.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\zt2.tmp1 St C:\Users\Admin\AppData\Local\Temp\b4edb38d0c4b66acc0378f86a05b7f21.exe
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3964
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\a.reg
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1732
    - - C:\Windows\SysWOW64\regedit.exe
        
        "regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\a.reg"
        5⤵
        Runs .reg file with regedit
        
        PID:4932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\del.bat
  2⤵
  PID:3892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a.reg

Filesize
152B

MD5
b100f5324ef74ded0b998e64d07a2e19

SHA1
40b0d7f51bf2dd8451f1b723d21355c471a5fa46

SHA256
3db613d24a75ae220891698c055e1c580a42e58564f568a0510db87581cc2042

SHA512
c12391bb37c334074f7d7e1257b6364fd5cbce848e0a8fe15b8326f54fd9568fe3baec58618c4334027a774a06a08ec249cb71db925c1f85feee6a3d3a816c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\del.bat

Filesize
400B

MD5
02b6acc568eb9550f3c08edba4e9c11f

SHA1
dd2969520c1eaf009169b89f12110b4d13360a3f

SHA256
3d8de89e83fae95bd66189d40ba5ac31807f0f909aa3c84fecb19d89ac259ae4

SHA512
1ebb6b084d666b1563165d3962de16f1116358d9c69cb6a266124775e325ce3933f1e18e709731fc25839c21869eb8bdc58b99200a5036d9c0621f4857cdaee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zt2.tmp

Filesize
32KB

MD5
d5d772ae467a9b8f8df1a5594f57307b

SHA1
9eaa13acd1fa8fe7ca87e30e9be242631cbd89ef

SHA256
9bb41985a4c080006ae1dce4c937969948975c5942ea974ee179678f3f2d0700

SHA512
ccf67f7d58a0922bbf8404be2e3e66f79d3663ec4f05e3fca2b5c31b0108571fb1b9def89fc637df42047326501a284cf8005b34b535924f9b8c048335164c87

Download Submit
memory/1744-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1744-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing