7bf316e7081d4ac4cc13e7e1ccbe5a097f2ec9b8f0b0a8ed4032e431a362864c

General

Target

c2c42f4b7aacf586fe9b354e753a1167.exe
Size

324KB
MD5

c2c42f4b7aacf586fe9b354e753a1167
SHA1

8c19d1f084eaaeb4e8451f343a7e5515cf76d936
SHA256

7bf316e7081d4ac4cc13e7e1ccbe5a097f2ec9b8f0b0a8ed4032e431a362864c
SHA512

f1eee2db04ee4f4d5c05f67cc393ed3fd7f8450d451c55509dc00b6b31e30e8d3a9aa4aa8ce09cc3215c29be0ea85ea5de6f4a05730fb501a85b5c6e48fca80d
SSDEEP

6144:QhZqNon2LQUunT/VFgzWwAnTC3kVzVTcWJR5aC1eHddzAtFdNRSm:QhZqan2gnR25STcWJLaNHdqNRSm

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	c2c42f4b7aacf586fe9b354e753a1167.exe

Executes dropped EXE 2 IoCs

pid	Process
4508	svchos.exe
512	svcpos.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\svchos.exe	c2c42f4b7aacf586fe9b354e753a1167.exe
File opened for modification	C:\Windows\svchos.exe	c2c42f4b7aacf586fe9b354e753a1167.exe
File created	C:\Windows\svcpos.exe	c2c42f4b7aacf586fe9b354e753a1167.exe
File opened for modification	C:\Windows\svchos.exe	c2c42f4b7aacf586fe9b354e753a1167.exe
File opened for modification	C:\Windows\svcpos.exe	c2c42f4b7aacf586fe9b354e753a1167.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2240	4508	WerFault.exe	92

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
512	svcpos.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3372 wrote to memory of 1276	3372	c2c42f4b7aacf586fe9b354e753a1167.exe	89
PID 3372 wrote to memory of 1276	3372	c2c42f4b7aacf586fe9b354e753a1167.exe	89
PID 3372 wrote to memory of 1276	3372	c2c42f4b7aacf586fe9b354e753a1167.exe	89
PID 1276 wrote to memory of 4508	1276	c2c42f4b7aacf586fe9b354e753a1167.exe	92
PID 1276 wrote to memory of 4508	1276	c2c42f4b7aacf586fe9b354e753a1167.exe	92
PID 1276 wrote to memory of 4508	1276	c2c42f4b7aacf586fe9b354e753a1167.exe	92
PID 1276 wrote to memory of 512	1276	c2c42f4b7aacf586fe9b354e753a1167.exe	94
PID 1276 wrote to memory of 512	1276	c2c42f4b7aacf586fe9b354e753a1167.exe	94
PID 1276 wrote to memory of 512	1276	c2c42f4b7aacf586fe9b354e753a1167.exe	94

C:\Users\Admin\AppData\Local\Temp\c2c42f4b7aacf586fe9b354e753a1167.exe
"C:\Users\Admin\AppData\Local\Temp\c2c42f4b7aacf586fe9b354e753a1167.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Users\Admin\AppData\Local\Temp\c2c42f4b7aacf586fe9b354e753a1167.exe
  C:\Users\Admin\AppData\Local\Temp\c2c42f4b7aacf586fe9b354e753a1167.exe -S
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Windows\svchos.exe
    "C:\Windows\svchos.exe"
    3⤵
    - Executes dropped EXE
    PID:4508
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 268
      4⤵
      Program crash
      PID:2240
- - C:\Windows\svcpos.exe
    "C:\Windows\svcpos.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4508 -ip 4508
1⤵
PID:4160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\svchos.exe

Filesize
294KB

MD5
51c83409b8ad23a118159d7660b13b19

SHA1
abcf94c602831fb5d54f04922fdd0a17109d764b

SHA256
cac8779ec86e9e2ba5da3458fdd7b1caa663e75d38ab7409dbec17fa46ad5c3a

SHA512
e1fac68be9da4504fe1a109c47c72ff06e45ae4c0365f57be7e42cf0b690bd36a56b973c47c299362da2d7f147b64322288547804b086579355fa792bf3a1150

Download Submit
C:\Windows\svchos.exe

Filesize
294KB

MD5
20a6a3c328bac3d033111a4f7daab543

SHA1
6a469bdefeed3e93a69b7fccf429265d717fb5d9

SHA256
ec7083f4e3f2d133f0a45e5734855d6e7b16cadcdff5545dba978a620cdb2ff5

SHA512
e734ac769e72a9729c641cdf593668deb7fbfefb3b3566a38dda33e70580ff1130ea1ef177908ef0063980fb9282da0aa23110263877579b5c7d7026694d8551

Download Submit
C:\Windows\svcpos.exe

Filesize
80KB

MD5
4a5b948c0b23c0e35003b73c4b74bf47

SHA1
1d84b7998ef4cffab41267d5d65cc4bab2634831

SHA256
cb53feec65224239fc6724285245bcaa74228be543e94eb0485464d4464f9c47

SHA512
09617e75113b57ff2004a142dd9e44393e789002e0f68547b30fc38bf6ed1c874ec76c0e9b8d57ffd1077c23abd3a5056d50298c4f8f1af100fa7ec1409d9e3b

Download Submit
C:\Windows\svcpos.exe

Filesize
80KB

MD5
8a7bf4a150a78883b7cf34dde0ac424d

SHA1
7d80a71c069ea8c36983e9bfd5d4f018c9876a97

SHA256
b33954984a31da378adb56cc07321574337e6a47e1fd2c8f22adab7936de54cb

SHA512
c15e94de3ad372e6e5bf7c7eedb8c1195dca18c05a4603574299bb2c819367f31d844ec12dbb5b399cb4e98703d506ead903441037225f40afe408186f8ee2b0

Download Submit
memory/1276-6-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/1276-4-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1276-28-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/3372-0-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/3372-1-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/3372-5-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4508-25-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4508-32-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing