40b7114aed93879928adec8a4921d9003f0a21cf4d7190b99f85e73871218c6a

General

Target

d45cec72c8b1652cba1552abc7fc9542.exe
Size

2.0MB
MD5

d45cec72c8b1652cba1552abc7fc9542
SHA1

a4ab9197fd4dc9e667464c4c299babe1120639d5
SHA256

40b7114aed93879928adec8a4921d9003f0a21cf4d7190b99f85e73871218c6a
SHA512

a437e5b30e72bf8fc889a5800ba57edad09edf77ba73a8df69f66a8024656db030129465a87498f400764837903a8d0b5fb11e228baaae1800498368f2bc474c
SSDEEP

49152:rlcxRmQwzMl6k1z/Axiztg5egr6c52J0xIlTnkzNEF8U2:rlzQwAdmx5egucX0qNe2

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

h0lafbgw29754rz.exed45cec72c8b1652cba1552abc7fc9542.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	h0lafbgw29754rz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	d45cec72c8b1652cba1552abc7fc9542.exe

Executes dropped EXE 2 IoCs

Processes:

h0lafbgw29754rz.exe91qmh53dm8i296k.exe

pid process

2324 h0lafbgw29754rz.exe
3684 91qmh53dm8i296k.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2324	h0lafbgw29754rz.exe
3684	91qmh53dm8i296k.exe

Modifies registry class 40 IoCs

Processes:

91qmh53dm8i296k.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58AE5D1C-289F-4F6D-E381-9E6010082A01}	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58AE5D1C-289F-4F6D-E381-9E6010082A01}\ = "Oninovob Sefohwof Basex Class"	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58AE5D1C-289F-4F6D-E381-9E6010082A01}\DataFormats\	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58AE5D1C-289F-4F6D-E381-9E6010082A01}\ProgID\	91qmh53dm8i296k.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D1AB7374-C635-3366-545E-33E4A325A40A}	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D1AB7374-C635-3366-545E-33E4A325A40A}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\wiascanprofiles.dll"	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58AE5D1C-289F-4F6D-E381-9E6010082A01}\TypeLib\ = "{D1AB7374-C635-3366-545E-33E4A325A40A}"	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58AE5D1C-289F-4F6D-E381-9E6010082A01}\MiscStatus\	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D1AB7374-C635-3366-545E-33E4A325A40A}\1.0\0\	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D1AB7374-C635-3366-545E-33E4A325A40A}\1.0\0\win64\ = "C:\\Windows\\SysWow64\\wiascanprofiles.dll"	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58AE5D1C-289F-4F6D-E381-9E6010082A01}\TypeLib\	91qmh53dm8i296k.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58AE5D1C-289F-4F6D-E381-9E6010082A01}\Version	91qmh53dm8i296k.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58AE5D1C-289F-4F6D-E381-9E6010082A01}\Programmable	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D1AB7374-C635-3366-545E-33E4A325A40A}\1.0\ = "scanprofiles 1.0 type library"	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D1AB7374-C635-3366-545E-33E4A325A40A}\1.0\0\win32\	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D1AB7374-C635-3366-545E-33E4A325A40A}\1.0\FLAGS\ = "0"	91qmh53dm8i296k.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58AE5D1C-289F-4F6D-E381-9E6010082A01}\TypeLib	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58AE5D1C-289F-4F6D-E381-9E6010082A01}\Version\ = "1.0"	91qmh53dm8i296k.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58AE5D1C-289F-4F6D-E381-9E6010082A01}\DataFormats	91qmh53dm8i296k.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58AE5D1C-289F-4F6D-E381-9E6010082A01}\ProgID	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58AE5D1C-289F-4F6D-E381-9E6010082A01}\ProgID\ = "InkObjCore.HWXInk.E-Ink.1"	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D1AB7374-C635-3366-545E-33E4A325A40A}\1.0\	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58AE5D1C-289F-4F6D-E381-9E6010082A01}\VersionIndependentProgID\ = "InkObjCore.HWXInk.E-Ink"	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58AE5D1C-289F-4F6D-E381-9E6010082A01}\MiscStatus\ = "0"	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58AE5D1C-289F-4F6D-E381-9E6010082A01}\Programmable\	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D1AB7374-C635-3366-545E-33E4A325A40A}\	91qmh53dm8i296k.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D1AB7374-C635-3366-545E-33E4A325A40A}\1.0	91qmh53dm8i296k.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D1AB7374-C635-3366-545E-33E4A325A40A}\1.0\0	91qmh53dm8i296k.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D1AB7374-C635-3366-545E-33E4A325A40A}\1.0\0\win32	91qmh53dm8i296k.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58AE5D1C-289F-4F6D-E381-9E6010082A01}\VersionIndependentProgID	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D1AB7374-C635-3366-545E-33E4A325A40A}\1.0\0\win64\	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D1AB7374-C635-3366-545E-33E4A325A40A}\1.0\FLAGS\	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58AE5D1C-289F-4F6D-E381-9E6010082A01}\Version\	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58AE5D1C-289F-4F6D-E381-9E6010082A01}\VersionIndependentProgID\	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58AE5D1C-289F-4F6D-E381-9E6010082A01}\InprocServer32\	91qmh53dm8i296k.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D1AB7374-C635-3366-545E-33E4A325A40A}\1.0\FLAGS	91qmh53dm8i296k.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58AE5D1C-289F-4F6D-E381-9E6010082A01}\InprocServer32	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58AE5D1C-289F-4F6D-E381-9E6010082A01}\InprocServer32\ = "C:\\Windows\\SysWOW64\\InkObjCore.dll"	91qmh53dm8i296k.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58AE5D1C-289F-4F6D-E381-9E6010082A01}\MiscStatus	91qmh53dm8i296k.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D1AB7374-C635-3366-545E-33E4A325A40A}\1.0\0\win64	91qmh53dm8i296k.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

91qmh53dm8i296k.exe

pid process

3684 91qmh53dm8i296k.exe

pid	process
3684	91qmh53dm8i296k.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

d45cec72c8b1652cba1552abc7fc9542.exeh0lafbgw29754rz.exe

description	pid	process	target process
PID 4912 wrote to memory of 2324	4912	d45cec72c8b1652cba1552abc7fc9542.exe	h0lafbgw29754rz.exe
PID 4912 wrote to memory of 2324	4912	d45cec72c8b1652cba1552abc7fc9542.exe	h0lafbgw29754rz.exe
PID 4912 wrote to memory of 2324	4912	d45cec72c8b1652cba1552abc7fc9542.exe	h0lafbgw29754rz.exe
PID 2324 wrote to memory of 3684	2324	h0lafbgw29754rz.exe	91qmh53dm8i296k.exe
PID 2324 wrote to memory of 3684	2324	h0lafbgw29754rz.exe	91qmh53dm8i296k.exe
PID 2324 wrote to memory of 3684	2324	h0lafbgw29754rz.exe	91qmh53dm8i296k.exe

C:\Users\Admin\AppData\Local\Temp\d45cec72c8b1652cba1552abc7fc9542.exe
"C:\Users\Admin\AppData\Local\Temp\d45cec72c8b1652cba1552abc7fc9542.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4912

C:\Users\Admin\AppData\Local\Temp\RarSFX0\h0lafbgw29754rz.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\h0lafbgw29754rz.exe" -e -p0581865dny14432
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324

C:\Users\Admin\AppData\Local\Temp\RarSFX1\91qmh53dm8i296k.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\91qmh53dm8i296k.exe"
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3684

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\h0lafbgw29754rz.exe
Filesize
1.9MB

MD5
cab1cd40a256cef129b78a4a5b0f5517

SHA1
6a9ec5b7ab7d5d5a22505bf031956bd992d21523

SHA256
87635107a794f8d6c0799e87bec3069ddb05ba479ef3bd6ca34338e4a742c9cd

SHA512
5cba4f74089a23b50136c9cd4088d12df5831c01605ff954aea3fcbf76541cdad1b051dd7639e0212c054c6278cf77a711570d6064b5926e6aa79107cd83a76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\h0lafbgw29754rz.exe
Filesize
960KB

MD5
913458040acb61c0e2e3d187e6b3a6eb

SHA1
cb20f9971b95d0a978fd33bbf902c84154143294

SHA256
dc980bb93b4416bf3689c56c8ecfffe5c40f9fdd24c3c32647cb7a226ff5f0e2

SHA512
da5a1b671874193a201db0364eae044841c6307717f778b18a077a2ee0caa852c568e9eb944c385e0f79884c7aae5f728eb7882c1d058e5500b961ef4c9ed75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\h0lafbgw29754rz.exe
Filesize
768KB

MD5
3410e36a626f228294cd83802dbdf90f

SHA1
8cd9198520e11a363a34b04ae4fa6f4dbe0c8263

SHA256
792740d807bb65d26ad1a8895e66eae1935e4776ecb2558cb090b209e76204a2

SHA512
b999e57c32e864126c347d8e6c6491a4bf088d448a4f9176d995703ff178f1a7fcdc90dff8876663f3449235c05c1f5e3af0f5e821c704211831aa2c031047bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\91qmh53dm8i296k.exe
Filesize
1.9MB

MD5
d26e81f1ea86530b18e1916e30108eee

SHA1
ef2f8518c96094eb56c22dd159f44a328bde73ab

SHA256
c2d0e4a5354d1fc13d188cfc94bd318e0025908226c70310c14d1922c6f45560

SHA512
fb93c9832379d66a04fe0a49bf1c5c94a38aa0b09a6520f034cc9a30e9440ebbb8b36b38824edd0606162d44e46ba32059875bb58583db3b3ce8e72128563d13

Download Submit
memory/3684-21-0x0000000000400000-0x000000000080E000-memory.dmp

Filesize
4.1MB

Download
memory/3684-22-0x00000000025B0000-0x000000000260A000-memory.dmp

Filesize
360KB

Download
memory/3684-23-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/3684-24-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/3684-26-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/3684-27-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/3684-25-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/3684-28-0x0000000003630000-0x0000000003631000-memory.dmp

Filesize
4KB

Download
memory/3684-29-0x0000000003620000-0x0000000003623000-memory.dmp

Filesize
12KB

Download
memory/3684-30-0x0000000003890000-0x0000000003891000-memory.dmp

Filesize
4KB

Download
memory/3684-31-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/3684-32-0x0000000003670000-0x00000000037B0000-memory.dmp

Filesize
1.2MB

Download
memory/3684-33-0x0000000003670000-0x00000000037B0000-memory.dmp

Filesize
1.2MB

Download
memory/3684-35-0x0000000000400000-0x000000000080E000-memory.dmp

Filesize
4.1MB

Download
memory/3684-36-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/3684-34-0x0000000003670000-0x00000000037B0000-memory.dmp

Filesize
1.2MB

Download
memory/3684-38-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/3684-37-0x00000000025B0000-0x000000000260A000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads