a0daebbbfb804092216f96b7a8be4055af45da27ab21d8813a37703590566a23

General

Target

$_3_.exe
Size

1.7MB
MD5

d4c16982f8a834bc0f8028b45c3ae543
SHA1

9d9cec9af8f23a23521e20d48d9af1024663a4a7
SHA256

932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b
SHA512

c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c
SSDEEP

49152:n7mrmYPoEHVGTWFkO4ITVpSuEqM/vrM3rA3SuN5:km2Z12WFYFVf

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	$_3_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4544	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2860	$_3_.exe
2860	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2860	$_3_.exe
2860	$_3_.exe
2860	$_3_.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 4876	2860	$_3_.exe	89
PID 2860 wrote to memory of 4876	2860	$_3_.exe	89
PID 2860 wrote to memory of 4876	2860	$_3_.exe	89
PID 4876 wrote to memory of 4544	4876	cmd.exe	91
PID 4876 wrote to memory of 4544	4876	cmd.exe	91
PID 4876 wrote to memory of 4544	4876	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1591.bat" "C:\Users\Admin\AppData\Local\Temp\B68B52FCE1AE47779612FDD55E5A08EA\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-557049126-2506969350-2798870634-1000\$IKLAVGC

Filesize
96B

MD5
d8c34feaf3f0665ab93a3edfb6aa9ca9

SHA1
ffd84bc648511dcf86e1822340970f55ec7e27cc

SHA256
d3792416570102470dc309ff2d7284af291e56708ceebeb7721291ef27e0eeff

SHA512
54bb26b7dac4f625468c912fb04271e700c8f56f109269c3d20a5bfc79d9f29ecfb54b3498655fa6383b22644fa6da525ae8962f35abfe876824c828426401d8

Download Submit
C:\$Recycle.Bin\S-1-5-21-557049126-2506969350-2798870634-1000\$IQ7S8C7

Filesize
96B

MD5
b86d46e2838e96cecdd781ccd78ecbf2

SHA1
5a5cbd59eb6e520913c0dadc2bd6dff209621973

SHA256
92028b055dda5644d2c0841d36759057c013c2be91af65e042c847dada125c79

SHA512
2e896c85b53414a838b60f81c94b9caf144c7c542ef7f91a4aec239213c113658c98ca363b5b39f9f8fb793e4433ec456ff90e898a0519512196f180876c5253

Download Submit
C:\Users\Admin\AppData\Local\Temp\1591.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\B68B52FCE1AE47779612FDD55E5A08EA\B68B52FCE1AE47779612FDD55E5A08EA_LogFile.txt

Filesize
3KB

MD5
9905841fc3538defe28e6b264e172a6e

SHA1
a8ecf450d64936b4e005e241b57f626a779e22df

SHA256
78a808e030eadc6bf5ce5d7561466718783c9a9f5ac996ca21521f509de817e1

SHA512
9b6e8a5ff9c12eb4a90eedc4e9130f52f300c20bc7cb67fd4bf941e6023332c560eee6d8b941f7ae6d0df0d8bd65ef9bbc73f284b344de6e0cd1113be37ad7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\B68B52FCE1AE47779612FDD55E5A08EA\B68B52FCE1AE47779612FDD55E5A08EA_LogFile.txt

Filesize
3KB

MD5
78026b218435865addd504bc25a58528

SHA1
c08e87e5a07fff47664c769f4aef0bea2767739b

SHA256
3fe386d13402a30b853e96ac6bd6c14ee8361470aa1f01cbf3f0905cd411a6fa

SHA512
87e9c7db38cf3cd913e9b7937b15dd50f736588cfdcdf48038e3d83451a2b1aec946630d8d66a35c3d8d45cf92b21f606d5cd789b836d5d60509aaf4704f2553

Download Submit
C:\Users\Admin\AppData\Local\Temp\B68B52FCE1AE47779612FDD55E5A08EA\B68B52FCE1AE47779612FDD55E5A08EA_LogFile.txt

Filesize
2KB

MD5
1dc56e9a28ccc6951ba1a516553fd804

SHA1
1263c0e52b28ef551f4414b90bb7a077f87e5bd4

SHA256
834a2f69978862eed0a5a9a9065ad0bab77db4207bfce4527b95b612e0785719

SHA512
72e53e6768f0f72f8d661028c6446c472a640756b7029080b867a13398b8992d0d86838ad22159e572d2844afa0a00b8fbddc667323be727a93ca227c139aaac

Download Submit
C:\Users\Admin\AppData\Local\Temp\B68B52FCE1AE47779612FDD55E5A08EA\B68B52FCE1AE47779612FDD55E5A08EA_LogFile.txt

Filesize
4KB

MD5
da3de0c1e07b20f1708c440c0af5362f

SHA1
c042ccb8cfe4c4255868dffdcb32144198fadf27

SHA256
95db45ec362cad6c075b5a45a6754c2857099c112270e7e6fede83ddc21bae84

SHA512
6ababf427de36263a3087d8f3b950a1ca86fcce999b77257c4589d3777080b2d97b2ab2c0b233d1f2b9bb4778c51807fb7e1bef6c8d3ed6224e59dce51044dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\B68B52FCE1AE47779612FDD55E5A08EA\B68B52~1.TXT

Filesize
25KB

MD5
b76ccef7f915606793da67c254f887a1

SHA1
b02dc996c868a62f32a1b3d802cbb765a0ccfd50

SHA256
0828765d618030f4374252670cbbca0ee6dd881aa5c57c5ab018bf37ef6461fc

SHA512
7e3f386fe88f1c3bd1ede080634d93accccbf87b8074d5fc250889bf2af34b9bd39d20c7cb8723f6a6af20ddd22f62e568b2e71f4f16d683f5c4e8162bd494a9

Download Submit
memory/2860-63-0x0000000003A90000-0x0000000003A91000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing