30b50c9a1de2f21ef1eb78f18695bcb0f3989fff880a4872a3be3458d5f73433

General

Target

Mocha.Telnet.v3.2.XScale.Smartphone200x.Incl.Keygen-SyMPDA/sym-wmsmtelnetsp.exe
Size

301KB
MD5

acef837c9278c96f5f00e1b9e8338788
SHA1

906bcec3f2aeb44127d954992e6ad6cd4ef2d87b
SHA256

cae5105db3f5891d559fd1a9392c27138dd2481ccfd568884838d839b13f4bb6
SHA512

d259f6554ecfbd8fe2afacabaf73e9f64a6b0d612757808adecfd355460c56234c55d25209d0dc91987c62f76b0fc1ca3a7897af8f753f14f7e2afc83b9bd99a
SSDEEP

3072:0Rx4HYBvD+KLgB1batiBFVkiW2C3IZN2YtM9aNHa6kJo0zhDAAdt9XZAHlzxC4qf:sJaiaZTY1DAAGxCAjFkfItY0NfjMj

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	sym-wmsmtelnetsp.exe

Executes dropped EXE 4 IoCs

pid	Process
4020	setup_m.exe
4708	setup.exe
1832	sxe5BFD.tmp
2948	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
4708	setup.exe
4708	setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windows\\winlogon.exe"	winlogon.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\winlogon.exe	setup_m.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2948	winlogon.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3684 wrote to memory of 4020	3684	sym-wmsmtelnetsp.exe	88
PID 3684 wrote to memory of 4020	3684	sym-wmsmtelnetsp.exe	88
PID 3684 wrote to memory of 4020	3684	sym-wmsmtelnetsp.exe	88
PID 3684 wrote to memory of 4708	3684	sym-wmsmtelnetsp.exe	89
PID 3684 wrote to memory of 4708	3684	sym-wmsmtelnetsp.exe	89
PID 3684 wrote to memory of 4708	3684	sym-wmsmtelnetsp.exe	89
PID 4708 wrote to memory of 1832	4708	setup.exe	90
PID 4708 wrote to memory of 1832	4708	setup.exe	90
PID 4708 wrote to memory of 1832	4708	setup.exe	90
PID 4020 wrote to memory of 2948	4020	setup_m.exe	94
PID 4020 wrote to memory of 2948	4020	setup_m.exe	94
PID 4020 wrote to memory of 2948	4020	setup_m.exe	94

C:\Users\Admin\AppData\Local\Temp\Mocha.Telnet.v3.2.XScale.Smartphone200x.Incl.Keygen-SyMPDA\sym-wmsmtelnetsp.exe
"C:\Users\Admin\AppData\Local\Temp\Mocha.Telnet.v3.2.XScale.Smartphone200x.Incl.Keygen-SyMPDA\sym-wmsmtelnetsp.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Users\Admin\AppData\Local\Temp\setup_m.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_m.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Windows\winlogon.exe
    C:\Windows\winlogon.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:2948
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4708
- - C:\Users\Admin\AppData\Local\Temp\sxe5BFD.tmp
    "C:\Users\Admin\AppData\Local\Temp\sxe5BFD.tmp"
    3⤵
    - Executes dropped EXE
    PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
95KB

MD5
ee7b6f54febcf982fb0e3f71b8621c80

SHA1
87fb71dda848774e88a6819daf2044c854f4cf80

SHA256
dcff271a955a4b04350f4b1e63166fc79497ba5ad561dc82f6d7b881493156d9

SHA512
1fac6fb8e511bfe6543c453454ed7bcaf75174bf83742253edab45e2390503c468b868b3647694fc3f5470dc508da42dcffc08c86c4dd5867abece7dcaa19fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_m.exe

Filesize
200KB

MD5
292a5adf25ddf66b98616243fdd11ed7

SHA1
b8de129bbed53d5de11c84a63f4d5b9602846a15

SHA256
45ae78216e5c0339848bc101dc18ad41f23e6cb673bdf0f26f4558342343901c

SHA512
67983db229d54958362f1d320f08d375911da5d68f1961c55613294f36295f20a2ec523b3d189c88bef198970a79f98fae76b26de37ad26c1190e702f4b97171

Download Submit
C:\Users\Admin\AppData\Local\Temp\sxe5BDB.tmp

Filesize
15KB

MD5
bd815b61f9948f93aface4033fbb4423

SHA1
b5391484009b39053fc8b1bba63d444969bafcfa

SHA256
b018bf9e9f8b6d945e6a2a25984970634884afabc580af2b4e855730520d5d76

SHA512
a363abe97b5a44e5d36af859e8d484daffe1d8e321c87969a75d1bfaa4288a5e6be1922a02c6d72937c84e81a79a1c7f6c9f2a44a995cac3f993ed5608afcd71

Download Submit
C:\Users\Admin\AppData\Local\Temp\sxe5BFD.tmp

Filesize
220KB

MD5
44c2017831e7bcf6ed9b3674d9d9304a

SHA1
51b099c5f4571b505b249d4b755715a2b6e265c3

SHA256
1bc84c24d61e62f7564a3611cc9e25d81cae0abbc9218040cd82287c5d27fa39

SHA512
22a9bebef07b7e4bea1d086f6c53c305be6e2f2ec048f718a17e5923caa009194ca74fa9088a13ba470ce0753ed0ac5d48855e8c85e4c3fef56a79de3be47738

Download Submit
memory/2948-38-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3684-0-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3684-18-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4020-10-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4020-37-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads