e1a1fc9a223ba456da15b2abbf997b671bd20847c2ccc889f5044eb93553c785

General

Target

c4d3c80d9a96d61d2625698a8b64385a.exe
Size

431KB
MD5

c4d3c80d9a96d61d2625698a8b64385a
SHA1

90084e59306dcef4aa2dd1dc202b8ccc83c8ef5e
SHA256

e1a1fc9a223ba456da15b2abbf997b671bd20847c2ccc889f5044eb93553c785
SHA512

ac3b87d09c24309096be703ba0743d9b75082c51416b160a7117836b1d93a8d2be73d7cb51e7933ac76cb033ff343a5a13c729a8b8305c67944648499b0a0184
SSDEEP

12288:Q3bllAjNjrRnpwPA1l+f9sRIn+KkoXx7nzA5:Q3DAjNjrhpw410pkG5zA5

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	c4d3c80d9a96d61d2625698a8b64385a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	1EuroP.exe

Executes dropped EXE 7 IoCs

pid	Process
1388	cb.exe
3776	1EuroP.exe
4588	2IC.exe
3356	IR.exe
2928	3E4U - Bucks.exe
1484	6tbp.exe
3972	0uobg.exe

Loads dropped DLL 1 IoCs

pid	Process
3532	rundll32.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2928-82-0x0000000000A70000-0x0000000000AA0000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qmodibikixezi = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\wspmeUs.dll\",Startup"	rundll32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\physicaldrive0	2IC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1360	2928	WerFault.exe	94

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3532	rundll32.exe
3532	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4588	2IC.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1484	6tbp.exe
3356	IR.exe
3532	rundll32.exe
3356	IR.exe
3356	IR.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 1388	2600	c4d3c80d9a96d61d2625698a8b64385a.exe	89
PID 2600 wrote to memory of 1388	2600	c4d3c80d9a96d61d2625698a8b64385a.exe	89
PID 2600 wrote to memory of 1388	2600	c4d3c80d9a96d61d2625698a8b64385a.exe	89
PID 2600 wrote to memory of 3776	2600	c4d3c80d9a96d61d2625698a8b64385a.exe	91
PID 2600 wrote to memory of 3776	2600	c4d3c80d9a96d61d2625698a8b64385a.exe	91
PID 2600 wrote to memory of 3776	2600	c4d3c80d9a96d61d2625698a8b64385a.exe	91
PID 2600 wrote to memory of 4588	2600	c4d3c80d9a96d61d2625698a8b64385a.exe	92
PID 2600 wrote to memory of 4588	2600	c4d3c80d9a96d61d2625698a8b64385a.exe	92
PID 2600 wrote to memory of 4588	2600	c4d3c80d9a96d61d2625698a8b64385a.exe	92
PID 2600 wrote to memory of 3356	2600	c4d3c80d9a96d61d2625698a8b64385a.exe	93
PID 2600 wrote to memory of 3356	2600	c4d3c80d9a96d61d2625698a8b64385a.exe	93
PID 2600 wrote to memory of 3356	2600	c4d3c80d9a96d61d2625698a8b64385a.exe	93
PID 2600 wrote to memory of 2928	2600	c4d3c80d9a96d61d2625698a8b64385a.exe	94
PID 2600 wrote to memory of 2928	2600	c4d3c80d9a96d61d2625698a8b64385a.exe	94
PID 2600 wrote to memory of 2928	2600	c4d3c80d9a96d61d2625698a8b64385a.exe	94
PID 2600 wrote to memory of 1484	2600	c4d3c80d9a96d61d2625698a8b64385a.exe	95
PID 2600 wrote to memory of 1484	2600	c4d3c80d9a96d61d2625698a8b64385a.exe	95
PID 2600 wrote to memory of 1484	2600	c4d3c80d9a96d61d2625698a8b64385a.exe	95
PID 1484 wrote to memory of 3532	1484	6tbp.exe	96
PID 1484 wrote to memory of 3532	1484	6tbp.exe	96
PID 1484 wrote to memory of 3532	1484	6tbp.exe	96
PID 3776 wrote to memory of 2912	3776	1EuroP.exe	101
PID 3776 wrote to memory of 2912	3776	1EuroP.exe	101
PID 3776 wrote to memory of 2912	3776	1EuroP.exe	101

C:\Users\Admin\AppData\Local\Temp\c4d3c80d9a96d61d2625698a8b64385a.exe
"C:\Users\Admin\AppData\Local\Temp\c4d3c80d9a96d61d2625698a8b64385a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Users\Admin\AppData\Local\Temp\nsj6A06.tmp\cb.exe
  "C:\Users\Admin\AppData\Local\Temp\nsj6A06.tmp\cb.exe"
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Users\Admin\AppData\Local\Temp\nsj6A06.tmp\1EuroP.exe
  "C:\Users\Admin\AppData\Local\Temp\nsj6A06.tmp\1EuroP.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3776
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Fhf..bat" > nul 2> nul
    3⤵
    PID:2912
- C:\Users\Admin\AppData\Local\Temp\nsj6A06.tmp\2IC.exe
  "C:\Users\Admin\AppData\Local\Temp\nsj6A06.tmp\2IC.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  PID:4588
- C:\Users\Admin\AppData\Local\Temp\nsj6A06.tmp\IR.exe
  "C:\Users\Admin\AppData\Local\Temp\nsj6A06.tmp\IR.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3356
- - C:\0uobg.exe
    \0uobg.exe
    3⤵
    - Executes dropped EXE
    PID:3972
- - C:\Windows\SysWOW64\Rundll32.exe
    Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 \mdinstall.inf
    3⤵
    PID:3340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c \phvpisznn.bat
    3⤵
    PID:2736
- C:\Users\Admin\AppData\Local\Temp\nsj6A06.tmp\3E4U - Bucks.exe
  "C:\Users\Admin\AppData\Local\Temp\nsj6A06.tmp\3E4U - Bucks.exe"
  2⤵
  - Executes dropped EXE
  PID:2928
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 516
    3⤵
    - Program crash
    PID:1360
- C:\Users\Admin\AppData\Local\Temp\nsj6A06.tmp\6tbp.exe
  "C:\Users\Admin\AppData\Local\Temp\nsj6A06.tmp\6tbp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\wspmeUs.dll",Startup
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3532
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\wspmeUs.dll",iep
      4⤵
      PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2928 -ip 2928
1⤵
PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Fhf..bat

Filesize
182B

MD5
7d89d9468bbdff4e137f64ed5a615ede

SHA1
d2af9e96ec4dd3ae6cc1b08da975672f2b9bd122

SHA256
82713486d33bb2b0b7b7e41790948939fe0721aff510de79b8f97766001c4ee0

SHA512
fde78ddc93ca150b1a942866838afea51109a29f1663448d9733387ea9e83fa786b903465d0aae2231fa105a456918bf6275124ceb987ebf6597d099584a51eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6A06.tmp\1EuroP.exe

Filesize
93KB

MD5
a10fbae2a5ccf49472c9091024d8f0d4

SHA1
d490ae2de0a36b8fd52d55ea724359805b1b05c4

SHA256
ec0b71833ae659fa83f4138e68a4dbb489a32272c15dd25c27667a1a5a2cb449

SHA512
beefb90558eb219adf9e74cfb110c1fbf734357a619b5a287af86e0734594ebeda251d1c8da5b44f06f706a01ad126d871369c2cad26666e1423b09480d8cac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6A06.tmp\2IC.exe

Filesize
183KB

MD5
c6dbaa16008ffb455b9b3d9f6114f222

SHA1
908cedd4f01ade1a29ce0b175868fae27ed1d32c

SHA256
52b0d86d61a833bd885413450804b18f5fd26f2d6375d8f1da324416099f7eee

SHA512
e6016341e4b5d901dc660f8c04a54187ea810080a84afa3fec81fb7d1fb70564cc997cd739d37d53bdb31430ee6e36127da81bd11903c70d46ed16e0ae626f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6A06.tmp\3E4U - Bucks.exe

Filesize
27KB

MD5
5f6c6b5e491ac60e088adba6dd5791c2

SHA1
292f4b81b3eee53877c672faf540aceeb2fc881f

SHA256
b010d2d5cdee46b1b97b88aa48968ffd34f6e3e382b250c98f2e1a89c950e018

SHA512
59c15d1a3f8d14eb441bb6e187cd91eaa13114afa1d8220aa7d08e259ee28af6bab92258b624d9824944b1776f916b6b551f3c3be982262d28b5330c7ba28252

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6A06.tmp\6tbp.exe

Filesize
124KB

MD5
e986fdf212b0400b063290d4431840ca

SHA1
0543377bb76a3b379cde50230700e8193ac7956f

SHA256
68b09700f001ea8da558fd4a1641f4deb3ed01c5ba9c5f2095b54c7883d23f98

SHA512
6ff70b697f91ea321ac349be9f5784395294b1ac3b11a3833a9c5fbef7430ea7a26f15aac57fb2005be183a235eebe3fabe4f065293a53c90f3f170ae5d6078d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6A06.tmp\IR.exe

Filesize
176KB

MD5
442dab6d92d4c98adef21c0638b42043

SHA1
13a9d9df3e2438b838c52805cc10333b0cac4fb6

SHA256
a64f4ccef49ba060797a22903c79e1787f9f5af6d3631baca4762e0f9b69655a

SHA512
7c11a77ddb01185ab2367d97a573829acee72a27805d155e78967cb4d0ccaca9f6fe5b5db5a0b2f2bab2ca4e33112c60760bbfe24c4cdce8ace1cc5e8e86c06a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6A06.tmp\cb.exe

Filesize
3KB

MD5
46e07fd3a40760fda18cf6b4fc691742

SHA1
53ee1a754bf5e94fa88a6ab8bb6120b4011afcfa

SHA256
bd7ca609d2fb63e14d08acab1091579c23e298b4fa2ac1e8d2daaff94fc107be

SHA512
ce13f6527cbd13002dca00b71ab38ab12e3f3f7138ada0780ad3f40e7c49946c018a00782ec957b1fd123fb439aabc0d9b3660829dabf10ddcebba08d6e2fbbd

Download Submit
C:\Users\Admin\AppData\Local\wspmeUs.dll

Filesize
124KB

MD5
a888a4aa3550230aff517fe0202e79ba

SHA1
a67a76e0fd80a70840d4e4cd77fba8f08d4e9170

SHA256
a3e8650475482f79927e354bf6dabb1cdb52c0c47f6113c4bf8d2476eb2e5110

SHA512
1d80a91a2ed2c183a85e27d05a2ce0d015029208b8332715c6bd4e773bdbe05b73c5b2ef3c9f2e0743b4f39a8d99bfe18bf2294385e4dc6a1ef7205b5b1770e9

Download Submit
memory/1484-92-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/1484-71-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/1484-80-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/1484-79-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/2928-76-0x0000000002BC0000-0x0000000003CC0000-memory.dmp

Filesize
17.0MB

Download
memory/2928-82-0x0000000000A70000-0x0000000000AA0000-memory.dmp

Filesize
192KB

Download
memory/3532-81-0x0000000002C40000-0x0000000002C50000-memory.dmp

Filesize
64KB

Download
memory/3532-111-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/3532-78-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/3532-110-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/3532-93-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/3776-32-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3776-46-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3776-85-0x00000000005D0000-0x00000000005EB000-memory.dmp

Filesize
108KB

Download
memory/3776-86-0x00000000005D0000-0x00000000005EB000-memory.dmp

Filesize
108KB

Download
memory/3776-89-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3776-52-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/3776-94-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4588-83-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4588-88-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4588-84-0x00000000023E0000-0x0000000002424000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads