f373dd5dc8cdc8987f99109feed4109dd8382cd4533e0206bac7409d3591e95f

General

Target

f373dd5dc8cdc8987f99109feed4109dd8382cd4533e0206bac7409d3591e95f.exe
Size

1.6MB
MD5

97278eae7b1adea390dfe591e4f783e7
SHA1

c191d876dd56aa99bac792b5b9c5cd4be3ca1df2
SHA256

f373dd5dc8cdc8987f99109feed4109dd8382cd4533e0206bac7409d3591e95f
SHA512

84b251803c9f71cb938d0303959e7b8d5d7b41c6a076f478feadd2e957e68710e3b33220aec7cfb51bb7e5c4191dbe041244c8def270bd96fdd09159b120511e
SSDEEP

24576:QPTSFvPz6LOpNNYVe16EEqk3a+WFEtsrJf+4u0+t7Teed24b6IQe:Qazfdr+WdrJW4uztG8t5

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	f373dd5dc8cdc8987f99109feed4109dd8382cd4533e0206bac7409d3591e95f.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1276-1-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1276-3-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1276-4-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1276-5-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1276-6-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1276-8-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1276-10-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1276-15-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1276-13-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1276-17-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1276-19-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1276-21-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1276-23-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1276-25-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1276-28-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1276-31-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1276-33-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1276-35-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1276-37-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1276-39-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1276-41-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1276-44-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1276-46-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1276-48-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1276-50-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1276-51-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
644	4092	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1276	f373dd5dc8cdc8987f99109feed4109dd8382cd4533e0206bac7409d3591e95f.exe
1276	f373dd5dc8cdc8987f99109feed4109dd8382cd4533e0206bac7409d3591e95f.exe
1276	f373dd5dc8cdc8987f99109feed4109dd8382cd4533e0206bac7409d3591e95f.exe
1276	f373dd5dc8cdc8987f99109feed4109dd8382cd4533e0206bac7409d3591e95f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4092	f373dd5dc8cdc8987f99109feed4109dd8382cd4533e0206bac7409d3591e95f.exe
Token: SeDebugPrivilege	1276	f373dd5dc8cdc8987f99109feed4109dd8382cd4533e0206bac7409d3591e95f.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4092	f373dd5dc8cdc8987f99109feed4109dd8382cd4533e0206bac7409d3591e95f.exe
4092	f373dd5dc8cdc8987f99109feed4109dd8382cd4533e0206bac7409d3591e95f.exe
4092	f373dd5dc8cdc8987f99109feed4109dd8382cd4533e0206bac7409d3591e95f.exe
4092	f373dd5dc8cdc8987f99109feed4109dd8382cd4533e0206bac7409d3591e95f.exe
1276	f373dd5dc8cdc8987f99109feed4109dd8382cd4533e0206bac7409d3591e95f.exe
1276	f373dd5dc8cdc8987f99109feed4109dd8382cd4533e0206bac7409d3591e95f.exe
1276	f373dd5dc8cdc8987f99109feed4109dd8382cd4533e0206bac7409d3591e95f.exe
1276	f373dd5dc8cdc8987f99109feed4109dd8382cd4533e0206bac7409d3591e95f.exe
1276	f373dd5dc8cdc8987f99109feed4109dd8382cd4533e0206bac7409d3591e95f.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 1276	4092	f373dd5dc8cdc8987f99109feed4109dd8382cd4533e0206bac7409d3591e95f.exe	86
PID 4092 wrote to memory of 1276	4092	f373dd5dc8cdc8987f99109feed4109dd8382cd4533e0206bac7409d3591e95f.exe	86
PID 4092 wrote to memory of 1276	4092	f373dd5dc8cdc8987f99109feed4109dd8382cd4533e0206bac7409d3591e95f.exe	86

C:\Users\Admin\AppData\Local\Temp\f373dd5dc8cdc8987f99109feed4109dd8382cd4533e0206bac7409d3591e95f.exe
"C:\Users\Admin\AppData\Local\Temp\f373dd5dc8cdc8987f99109feed4109dd8382cd4533e0206bac7409d3591e95f.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Users\Admin\AppData\Local\Temp\f373dd5dc8cdc8987f99109feed4109dd8382cd4533e0206bac7409d3591e95f.exe
  "C:\Users\Admin\AppData\Local\Temp\f373dd5dc8cdc8987f99109feed4109dd8382cd4533e0206bac7409d3591e95f.exe" 705926
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1276
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 1996
  2⤵
  - Program crash
  PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4092 -ip 4092
1⤵
PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1276-21-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1276-51-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1276-23-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1276-4-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1276-5-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1276-6-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1276-8-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1276-10-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1276-15-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1276-13-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1276-17-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1276-19-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1276-3-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1276-1-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1276-41-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1276-28-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1276-31-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1276-33-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1276-35-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1276-37-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1276-39-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1276-25-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1276-44-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1276-46-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1276-48-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1276-50-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4092-0-0x00000000771E4000-0x00000000771E5000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing