b219d1944ed41f33d4cf532ffe7428b2f494b9f693a70aa7a9100b5550e794df

General

Target

52fywg.exe
Size

1.0MB
MD5

805dc8ea0c4c626109037b4c6b3f73d2
SHA1

cc4224ed24bc309413f6f4f85dd3ba1cde65c701
SHA256

8748e9a133c0aabc61b04bfe735f1f276157874874a8c08400d8ef21144170cb
SHA512

23a9e2698bd168ce59a2226885b4c6173ff1415a5a843c4d560753a03b51778ad100f7f6765f429048eb6c47ebd4e7ce19097cbc16bb886d6a2b00930e8bd92f
SSDEEP

24576:B8xnT9uMDSdHH2tF7VYPhbQMkDlyGh1l46:B8xxubAWPhbKyGh1l7

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	ec.sys

Executes dropped EXE 1 IoCs

pid	Process
1692	ec.sys

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/memory/4968-2-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/4968-4-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/4968-7-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/4968-8-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/4968-6-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/4968-10-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/4968-12-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/4968-14-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/4968-17-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/4968-20-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/4968-22-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/4968-25-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/4968-27-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/4968-30-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/4968-32-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/4968-34-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/4968-36-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/4968-38-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/4968-45-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/4968-43-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/4968-41-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/4968-48-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/4968-51-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/4968-53-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/4968-55-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/files/0x0007000000023248-63.dat	upx
behavioral4/memory/1692-64-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral4/memory/1692-69-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral4/memory/4968-88-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/4968-89-0x0000000010000000-0x000000001003D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\eciT9xu.sys	52fywg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4968	52fywg.exe
4968	52fywg.exe
4968	52fywg.exe
4968	52fywg.exe
4968	52fywg.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 1692	4968	52fywg.exe	90
PID 4968 wrote to memory of 1692	4968	52fywg.exe	90
PID 4968 wrote to memory of 1692	4968	52fywg.exe	90
PID 1692 wrote to memory of 1880	1692	ec.sys	91
PID 1692 wrote to memory of 1880	1692	ec.sys	91
PID 1692 wrote to memory of 1880	1692	ec.sys	91

C:\Users\Admin\AppData\Local\Temp\52fywg.exe
"C:\Users\Admin\AppData\Local\Temp\52fywg.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Users\Admin\Documents\ec.sys
  C:\Users\Admin\Documents\/ec.sys
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\k211.bat" "
    3⤵
    PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\k211.bat

Filesize
2KB

MD5
06af7c4c305e8e390a482e04b5f23a12

SHA1
ee0f2820b9c5da1c243315aec03f1aabe54af2e8

SHA256
97093292b0ea16c6f109e1d2a4c83bd0436da2ea19b8f0fa7dc35e78bfb851c4

SHA512
c71e72924e567c3a7ee5eb3691091b545b55b9e453446ac841a65f93d02c85145d147d856dd7846e3f2843032876730c39e81dc75fdd115f9d581b8fe445135d

Download Submit
C:\Users\Admin\Documents\ec.sys

Filesize
42KB

MD5
9522a5bbb8a9c5a7033edd962942f0a5

SHA1
89dc94c849c33d754a85ceae5d3a6ef45d56d315

SHA256
f5c9f0063aea62311673c338a8da321a724dcf8f70b33af34d39b07d29ddd5f6

SHA512
6bbcff34c4a7fa3ca0cff2df08ed8667514a42d2d0f2d2ab020f2412918d742c93fd84e75fda2ae96e9b4ac97a5204daed0d87693c76d1588498833e9a3c5e56

Download Submit
memory/1692-69-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1692-64-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4968-32-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4968-38-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4968-12-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4968-14-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4968-17-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4968-20-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4968-22-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4968-25-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4968-27-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4968-30-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4968-2-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4968-34-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4968-36-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4968-10-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4968-45-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4968-43-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4968-41-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4968-48-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4968-51-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4968-53-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4968-55-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4968-6-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4968-8-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4968-7-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4968-4-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4968-88-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4968-89-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing