8588c0c872a004d16455c5f28a4e9c0e8875b10b295f42b93a69a211f5fb9f6f

General

Target

8588c0c872a004d16455c5f28a4e9c0e8875b10b295f42b93a69a211f5fb9f6f.exe
Size

2.5MB
MD5

145fb0a72ca3799c22a451683b0b6d38
SHA1

9ee456116c6da2d416b078ecc70008f1682be605
SHA256

8588c0c872a004d16455c5f28a4e9c0e8875b10b295f42b93a69a211f5fb9f6f
SHA512

566ff9bc201d8fb0552fb9a473a780339b04e7c4d7083f3d18a3fbd705493c4af7a06da7e89e3c4a50e9acb6dd8c5c595511c924a2b1b91b77c3e907be80d68a
SSDEEP

49152:vB+dPmenydp6g4OiZrq1DfP+rsNADtV6v+L8uSwiPSCmDS+5uSlVQ:Cuiyd54OiZrq1DfPHNADtV6v+

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	8588c0c872a004d16455c5f28a4e9c0e8875b10b295f42b93a69a211f5fb9f6f.exe

Executes dropped EXE 1 IoCs

pid	Process
4864	CZRAFSq.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2268-11-0x0000000002D00000-0x0000000002D0B000-memory.dmp	upx
behavioral2/memory/2268-12-0x0000000002D00000-0x0000000002D0B000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CZRAFSq.exe	8588c0c872a004d16455c5f28a4e9c0e8875b10b295f42b93a69a211f5fb9f6f.exe
File opened for modification	C:\Windows\SysWOW64\CZRAFSq.exe	8588c0c872a004d16455c5f28a4e9c0e8875b10b295f42b93a69a211f5fb9f6f.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4864 set thread context of 2268	4864	CZRAFSq.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4252	8588c0c872a004d16455c5f28a4e9c0e8875b10b295f42b93a69a211f5fb9f6f.exe
4252	8588c0c872a004d16455c5f28a4e9c0e8875b10b295f42b93a69a211f5fb9f6f.exe
4252	8588c0c872a004d16455c5f28a4e9c0e8875b10b295f42b93a69a211f5fb9f6f.exe
4252	8588c0c872a004d16455c5f28a4e9c0e8875b10b295f42b93a69a211f5fb9f6f.exe
4252	8588c0c872a004d16455c5f28a4e9c0e8875b10b295f42b93a69a211f5fb9f6f.exe
4252	8588c0c872a004d16455c5f28a4e9c0e8875b10b295f42b93a69a211f5fb9f6f.exe
4864	CZRAFSq.exe
4864	CZRAFSq.exe
4864	CZRAFSq.exe
4864	CZRAFSq.exe
2268	backgroundTaskHost.exe
2268	backgroundTaskHost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4252	8588c0c872a004d16455c5f28a4e9c0e8875b10b295f42b93a69a211f5fb9f6f.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4252	8588c0c872a004d16455c5f28a4e9c0e8875b10b295f42b93a69a211f5fb9f6f.exe
4252	8588c0c872a004d16455c5f28a4e9c0e8875b10b295f42b93a69a211f5fb9f6f.exe
4864	CZRAFSq.exe
4864	CZRAFSq.exe
2268	backgroundTaskHost.exe
2268	backgroundTaskHost.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4252 wrote to memory of 4864	4252	8588c0c872a004d16455c5f28a4e9c0e8875b10b295f42b93a69a211f5fb9f6f.exe	89
PID 4252 wrote to memory of 4864	4252	8588c0c872a004d16455c5f28a4e9c0e8875b10b295f42b93a69a211f5fb9f6f.exe	89
PID 4252 wrote to memory of 4864	4252	8588c0c872a004d16455c5f28a4e9c0e8875b10b295f42b93a69a211f5fb9f6f.exe	89
PID 4864 wrote to memory of 2476	4864	CZRAFSq.exe	90
PID 4864 wrote to memory of 2476	4864	CZRAFSq.exe	90
PID 4864 wrote to memory of 2944	4864	CZRAFSq.exe	91
PID 4864 wrote to memory of 2944	4864	CZRAFSq.exe	91
PID 4864 wrote to memory of 2944	4864	CZRAFSq.exe	91
PID 4864 wrote to memory of 4144	4864	CZRAFSq.exe	92
PID 4864 wrote to memory of 4144	4864	CZRAFSq.exe	92
PID 4252 wrote to memory of 3272	4252	8588c0c872a004d16455c5f28a4e9c0e8875b10b295f42b93a69a211f5fb9f6f.exe	93
PID 4252 wrote to memory of 3272	4252	8588c0c872a004d16455c5f28a4e9c0e8875b10b295f42b93a69a211f5fb9f6f.exe	93
PID 4252 wrote to memory of 3272	4252	8588c0c872a004d16455c5f28a4e9c0e8875b10b295f42b93a69a211f5fb9f6f.exe	93
PID 4864 wrote to memory of 2204	4864	CZRAFSq.exe	94
PID 4864 wrote to memory of 2204	4864	CZRAFSq.exe	94
PID 4864 wrote to memory of 1860	4864	CZRAFSq.exe	96
PID 4864 wrote to memory of 1860	4864	CZRAFSq.exe	96
PID 4864 wrote to memory of 2268	4864	CZRAFSq.exe	97
PID 4864 wrote to memory of 2268	4864	CZRAFSq.exe	97
PID 4864 wrote to memory of 2268	4864	CZRAFSq.exe	97
PID 4864 wrote to memory of 2268	4864	CZRAFSq.exe	97
PID 4864 wrote to memory of 2268	4864	CZRAFSq.exe	97
PID 4864 wrote to memory of 2268	4864	CZRAFSq.exe	97
PID 4864 wrote to memory of 2268	4864	CZRAFSq.exe	97
PID 4864 wrote to memory of 2268	4864	CZRAFSq.exe	97
PID 4864 wrote to memory of 2268	4864	CZRAFSq.exe	97

C:\Users\Admin\AppData\Local\Temp\8588c0c872a004d16455c5f28a4e9c0e8875b10b295f42b93a69a211f5fb9f6f.exe
"C:\Users\Admin\AppData\Local\Temp\8588c0c872a004d16455c5f28a4e9c0e8875b10b295f42b93a69a211f5fb9f6f.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4252
- C:\Windows\SysWOW64\CZRAFSq.exe
  -auto
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Windows\explorer.exe
    \Windows\explorer.exe start
    3⤵
    PID:2476
- - C:\Windows\SysWOW64\dllhost.exe
    \Windows\System32\dllhost.exe start
    3⤵
    PID:2944
- - C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    \Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe start
    3⤵
    PID:4144
- - C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    \Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe start
    3⤵
    PID:2204
- - C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
    \Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe start
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\backgroundTaskHost.exe
    \Windows\System32\backgroundTaskHost.exe start
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2268
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" > nul
  2⤵
  PID:3272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\CZRAFSq.exe

Filesize
2.5MB

MD5
145fb0a72ca3799c22a451683b0b6d38

SHA1
9ee456116c6da2d416b078ecc70008f1682be605

SHA256
8588c0c872a004d16455c5f28a4e9c0e8875b10b295f42b93a69a211f5fb9f6f

SHA512
566ff9bc201d8fb0552fb9a473a780339b04e7c4d7083f3d18a3fbd705493c4af7a06da7e89e3c4a50e9acb6dd8c5c595511c924a2b1b91b77c3e907be80d68a

Download Submit
memory/2268-4-0x0000000000400000-0x000000000068C000-memory.dmp

Filesize
2.5MB

Download
memory/2268-5-0x0000000000400000-0x000000000068C000-memory.dmp

Filesize
2.5MB

Download
memory/2268-6-0x0000000000400000-0x000000000068C000-memory.dmp

Filesize
2.5MB

Download
memory/2268-7-0x0000000000400000-0x000000000068C000-memory.dmp

Filesize
2.5MB

Download
memory/2268-9-0x0000000000400000-0x000000000068C000-memory.dmp

Filesize
2.5MB

Download
memory/2268-11-0x0000000002D00000-0x0000000002D0B000-memory.dmp

Filesize
44KB

Download
memory/2268-12-0x0000000002D00000-0x0000000002D0B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing