01aa4f2ae47d829d0f2aa30de279c6ff4f8db80f25e382c4155b2594dc734fe4

General

Target

c86fc119bac0f770ccbc16a084834473.exe
Size

308KB
MD5

c86fc119bac0f770ccbc16a084834473
SHA1

2085ee03c7a019660b31a6eb0cabe820b586da4e
SHA256

01aa4f2ae47d829d0f2aa30de279c6ff4f8db80f25e382c4155b2594dc734fe4
SHA512

def54269961bf7c3c562632fb730784f477ac2395a14031381cf928ef23fed56994aba521330e57ee41d6c23b998a7eda2ddf2b96245c956704b91628f712a61
SSDEEP

6144:yfD6q+3voIF2b3P5j+xaw4IjP1FPoE58oqfHDX7TgFE9yQ7hb:rp3vEkxzv71wX7TwE9b

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	c86fc119bac0f770ccbc16a084834473.exe

Executes dropped EXE 1 IoCs

pid	Process
2856	Gay-Lesbian-Photo.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2012-0-0x0000000000400000-0x00000000004D3000-memory.dmp	upx
behavioral2/files/0x00090000000224f7-6.dat	upx
behavioral2/memory/2012-10-0x0000000000400000-0x00000000004D3000-memory.dmp	upx
behavioral2/memory/2856-13-0x0000000000400000-0x00000000004D3000-memory.dmp	upx
behavioral2/memory/2856-14-0x0000000000400000-0x00000000004D3000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pviever = "\"C:\\Program Files\\Gay-Lesbian-Photo\\Gay-Lesbian-Photo.exe\" hide"	c86fc119bac0f770ccbc16a084834473.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Gay-Lesbian-Photo\Gay-Lesbian-Photo.exe	c86fc119bac0f770ccbc16a084834473.exe
File created	C:\Program Files\Gay-Lesbian-Photo\uin.txt	Gay-Lesbian-Photo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Gay-Lesbian-Photo.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Gay-Lesbian-Photo.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Gay-Lesbian-Photo.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	Gay-Lesbian-Photo.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Gay-Lesbian-Photo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Gay-Lesbian-Photo.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Gay-Lesbian-Photo.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Gay-Lesbian-Photo.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	Gay-Lesbian-Photo.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Gay-Lesbian-Photo.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Gay-Lesbian-Photo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	Gay-Lesbian-Photo.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Gay-Lesbian-Photo.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Gay-Lesbian-Photo.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Gay-Lesbian-Photo.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Gay-Lesbian-Photo.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Gay-Lesbian-Photo.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Gay-Lesbian-Photo.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2856	Gay-Lesbian-Photo.exe
2856	Gay-Lesbian-Photo.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2856	2012	c86fc119bac0f770ccbc16a084834473.exe	91
PID 2012 wrote to memory of 2856	2012	c86fc119bac0f770ccbc16a084834473.exe	91
PID 2012 wrote to memory of 2856	2012	c86fc119bac0f770ccbc16a084834473.exe	91

C:\Users\Admin\AppData\Local\Temp\c86fc119bac0f770ccbc16a084834473.exe
"C:\Users\Admin\AppData\Local\Temp\c86fc119bac0f770ccbc16a084834473.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Program Files\Gay-Lesbian-Photo\Gay-Lesbian-Photo.exe
  "C:\Program Files\Gay-Lesbian-Photo\Gay-Lesbian-Photo.exe" hide 10000
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Gay-Lesbian-Photo\Gay-Lesbian-Photo.exe

Filesize
308KB

MD5
c86fc119bac0f770ccbc16a084834473

SHA1
2085ee03c7a019660b31a6eb0cabe820b586da4e

SHA256
01aa4f2ae47d829d0f2aa30de279c6ff4f8db80f25e382c4155b2594dc734fe4

SHA512
def54269961bf7c3c562632fb730784f477ac2395a14031381cf928ef23fed56994aba521330e57ee41d6c23b998a7eda2ddf2b96245c956704b91628f712a61

Download Submit
memory/2012-0-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2012-1-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/2012-10-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2856-11-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/2856-13-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2856-14-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2856-15-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads