40e47a3ac1aedd13b13b02421cc6583d5544f88a3394d9d998fe9abebff29004

General

Target

b526d51bbe38d595f87a63d1d48efb51.exe
Size

178KB
MD5

b526d51bbe38d595f87a63d1d48efb51
SHA1

de9e489e6c9c15b9ea7d939f9906ef85e8466cb0
SHA256

40e47a3ac1aedd13b13b02421cc6583d5544f88a3394d9d998fe9abebff29004
SHA512

e1329df6ccf89c079ecd2b77e07e7e9e8720b5d5e6c08fc067355d60f0107455baa903ef438b33ebd745b39473bcadd1b8a42fb6e12110745ce8fe24f26003dc
SSDEEP

3072:wHIedu9fC8sk5Aymo9QTiZcnffoqsHrmGX7vfzNdK6o9:168skeviZcnffoTlX92

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	b526d51bbe38d595f87a63d1d48efb51.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	8h7HgihHuUHUhh8hbiij8.exe

Deletes itself 1 IoCs

pid	Process
4996	8h7HgihHuUHUhh8hbiij8.exe

Executes dropped EXE 2 IoCs

pid	Process
4996	8h7HgihHuUHUhh8hbiij8.exe
2416	Bypass.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
26	raw.githubusercontent.com
27	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4996	8h7HgihHuUHUhh8hbiij8.exe
4996	8h7HgihHuUHUhh8hbiij8.exe
4996	8h7HgihHuUHUhh8hbiij8.exe
4996	8h7HgihHuUHUhh8hbiij8.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4996	8h7HgihHuUHUhh8hbiij8.exe
Token: SeDebugPrivilege	2416	Bypass.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 4996	3944	b526d51bbe38d595f87a63d1d48efb51.exe	98
PID 3944 wrote to memory of 4996	3944	b526d51bbe38d595f87a63d1d48efb51.exe	98
PID 4996 wrote to memory of 2416	4996	8h7HgihHuUHUhh8hbiij8.exe	100
PID 4996 wrote to memory of 2416	4996	8h7HgihHuUHUhh8hbiij8.exe	100
PID 4996 wrote to memory of 2416	4996	8h7HgihHuUHUhh8hbiij8.exe	100

C:\Users\Admin\AppData\Local\Temp\b526d51bbe38d595f87a63d1d48efb51.exe
"C:\Users\Admin\AppData\Local\Temp\b526d51bbe38d595f87a63d1d48efb51.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Users\Admin\AppData\Local\Temp\8h7HgihHuUHUhh8hbiij8.exe
  "C:\Users\Admin\AppData\Local\Temp\8h7HgihHuUHUhh8hbiij8.exe" -parent 3944 b526d51bbe38d595f87a63d1d48efb51.exe
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Users\Admin\AppData\Local\Temp\Bypass.exe
    "C:\Users\Admin\AppData\Local\Temp\Bypass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4396 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8h7HgihHuUHUhh8hbiij8.exe

Filesize
178KB

MD5
b526d51bbe38d595f87a63d1d48efb51

SHA1
de9e489e6c9c15b9ea7d939f9906ef85e8466cb0

SHA256
40e47a3ac1aedd13b13b02421cc6583d5544f88a3394d9d998fe9abebff29004

SHA512
e1329df6ccf89c079ecd2b77e07e7e9e8720b5d5e6c08fc067355d60f0107455baa903ef438b33ebd745b39473bcadd1b8a42fb6e12110745ce8fe24f26003dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bypass.exe

Filesize
14KB

MD5
7197a31368cee20c5d7f44013bf6d2cb

SHA1
15ef58f4806ea0f627a87d6e8bacd1d0a89cdf50

SHA256
df269afb4e2f437350497ad5c5ed46911a29bed4cc366f6b0455f5db4c26220d

SHA512
49709f9fcd0d77b3a9105be2f175f1bb57838db988e19f6dca748a2a8dcfbaf1294fedfad440041766f6940c4831a1523e81024ad0d5f65b6f5ae06e504f6f04

Download Submit
memory/2416-28-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download
memory/2416-38-0x0000000005970000-0x0000000005980000-memory.dmp

Filesize
64KB

Download
memory/2416-35-0x0000000005970000-0x0000000005980000-memory.dmp

Filesize
64KB

Download
memory/2416-32-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download
memory/2416-29-0x00000000006D0000-0x00000000006D8000-memory.dmp

Filesize
32KB

Download
memory/3944-13-0x00007FFD3F150000-0x00007FFD3FC11000-memory.dmp

Filesize
10.8MB

Download
memory/3944-0-0x00000261DA1B0000-0x00000261DA1E2000-memory.dmp

Filesize
200KB

Download
memory/3944-9-0x00007FFD3F150000-0x00007FFD3FC11000-memory.dmp

Filesize
10.8MB

Download
memory/4996-16-0x000001995FAD0000-0x000001995FAE0000-memory.dmp

Filesize
64KB

Download
memory/4996-30-0x00007FFD3F150000-0x00007FFD3FC11000-memory.dmp

Filesize
10.8MB

Download
memory/4996-31-0x000001995FAD0000-0x000001995FAE0000-memory.dmp

Filesize
64KB

Download
memory/4996-15-0x00007FFD3F150000-0x00007FFD3FC11000-memory.dmp

Filesize
10.8MB

Download
memory/4996-37-0x00007FFD3F150000-0x00007FFD3FC11000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing