b4672b2216779a3b35febd3824fcb017d0a39ea9c488272fe80b50ea369e61d7

General

Target

3791b65b31a3b12f458e042509119c60c2b3abd4f40f4da81f7404b6fb7db268.exe
Size

735KB
MD5

7733da960ee126b39752a737301c0f86
SHA1

414d654545da349c21e58f0ae28021fe48a6f02b
SHA256

3791b65b31a3b12f458e042509119c60c2b3abd4f40f4da81f7404b6fb7db268
SHA512

9b9f4c0e926e76950a781713667cd4dfa34002a3340b99877730e7db67ea2a0dc7245518a1a943c388abc5dcd489737a1a88873c12deb028f788c8a3cd94d9d6
SSDEEP

12288:NcrNS33L10QdrXjKDnuFeDnnHgnS61NNyz3Pbpv08kMZYS:wNA3R5drXGDuFmASO7y10gZYS

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3791b65b31a3b12f458e042509119c60c2b3abd4f40f4da81f7404b6fb7db268.exeinjnxgi.sfx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	3791b65b31a3b12f458e042509119c60c2b3abd4f40f4da81f7404b6fb7db268.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	injnxgi.sfx.exe

Executes dropped EXE 3 IoCs

Processes:

injnxgi.sfx.exeinjnxgi.exeinjnxgi.exe

pid process

2108 injnxgi.sfx.exe
4768 injnxgi.exe
4236 injnxgi.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

injnxgi.exe

description pid process target process

PID 4768 set thread context of 4236 4768 injnxgi.exe injnxgi.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3224 4236 WerFault.exe injnxgi.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

injnxgi.exe

description pid process

Token: SeDebugPrivilege 4768 injnxgi.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

injnxgi.exe

pid process

4236 injnxgi.exe

pid	process
2108	injnxgi.sfx.exe
4768	injnxgi.exe
4236	injnxgi.exe

description	pid	process	target process
PID 4768 set thread context of 4236	4768	injnxgi.exe	injnxgi.exe

pid	pid_target	process	target process
3224	4236	WerFault.exe	injnxgi.exe

description	pid	process
Token: SeDebugPrivilege	4768	injnxgi.exe

pid	process
4236	injnxgi.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

3791b65b31a3b12f458e042509119c60c2b3abd4f40f4da81f7404b6fb7db268.execmd.exeinjnxgi.sfx.exeinjnxgi.exe

description	pid	process	target process
PID 5064 wrote to memory of 4356	5064	3791b65b31a3b12f458e042509119c60c2b3abd4f40f4da81f7404b6fb7db268.exe	cmd.exe
PID 5064 wrote to memory of 4356	5064	3791b65b31a3b12f458e042509119c60c2b3abd4f40f4da81f7404b6fb7db268.exe	cmd.exe
PID 5064 wrote to memory of 4356	5064	3791b65b31a3b12f458e042509119c60c2b3abd4f40f4da81f7404b6fb7db268.exe	cmd.exe
PID 4356 wrote to memory of 2108	4356	cmd.exe	injnxgi.sfx.exe
PID 4356 wrote to memory of 2108	4356	cmd.exe	injnxgi.sfx.exe
PID 4356 wrote to memory of 2108	4356	cmd.exe	injnxgi.sfx.exe
PID 2108 wrote to memory of 4768	2108	injnxgi.sfx.exe	injnxgi.exe
PID 2108 wrote to memory of 4768	2108	injnxgi.sfx.exe	injnxgi.exe
PID 2108 wrote to memory of 4768	2108	injnxgi.sfx.exe	injnxgi.exe
PID 4768 wrote to memory of 4236	4768	injnxgi.exe	injnxgi.exe
PID 4768 wrote to memory of 4236	4768	injnxgi.exe	injnxgi.exe
PID 4768 wrote to memory of 4236	4768	injnxgi.exe	injnxgi.exe
PID 4768 wrote to memory of 4236	4768	injnxgi.exe	injnxgi.exe
PID 4768 wrote to memory of 4236	4768	injnxgi.exe	injnxgi.exe
PID 4768 wrote to memory of 4236	4768	injnxgi.exe	injnxgi.exe
PID 4768 wrote to memory of 4236	4768	injnxgi.exe	injnxgi.exe
PID 4768 wrote to memory of 4236	4768	injnxgi.exe	injnxgi.exe
PID 4768 wrote to memory of 4236	4768	injnxgi.exe	injnxgi.exe

C:\Users\Admin\AppData\Local\Temp\3791b65b31a3b12f458e042509119c60c2b3abd4f40f4da81f7404b6fb7db268.exe
"C:\Users\Admin\AppData\Local\Temp\3791b65b31a3b12f458e042509119c60c2b3abd4f40f4da81f7404b6fb7db268.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\injnxgi.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4356

C:\Users\Admin\AppData\Local\Temp\injnxgi.sfx.exe
injnxgi.sfx.exe -pdfdyehngfsztyuiofxvflfadgthnfreoploafugyRhvqxsdfHbgnmeT -dC:\Users\Admin\AppData\Local\Temp
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108

C:\Users\Admin\AppData\Local\Temp\injnxgi.exe
"C:\Users\Admin\AppData\Local\Temp\injnxgi.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4768

C:\Users\Admin\AppData\Local\Temp\injnxgi.exe
C:\Users\Admin\AppData\Local\Temp\injnxgi.exe
5⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 12
6⤵
- Program crash
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4236 -ip 4236
1⤵
PID:5004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4292 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:4896

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\injnxgi.bat
Filesize
18KB

MD5
ae0c1d6531043ff7d0784cbf0a586c46

SHA1
e058c48cf2a96f72f7bebf7fd38e955b7426e65a

SHA256
3ffb8dc6d8c1cfc5c8e79693c05dcfbaaf4c20cb86a89789b2a214eff4abd71a

SHA512
745809145d376ad48ef41ade7498aeec28ff993d0ffdd8656e97bfdeb936ddcfaf9365895b4a1f5ebaafaed008f3ff9c7492679cb5992eac2915867ae2ae5728

Download Submit
C:\Users\Admin\AppData\Local\Temp\injnxgi.exe
Filesize
355KB

MD5
36c72fff0e1aeda3d5a51cc47e565c28

SHA1
8718ab8e86afb7790f7a2c7fdf6397ef94ab6547

SHA256
439e9e3acdde7ef95ae0d7ce8bb9d5677ce5e69b2b3cd9e78b641fe1ab26fe5a

SHA512
31fc53188d58ef9ff2c0f838107527a4c2703b2708bca968314b2f39bfd815bbb21a8da51987b764d910416325f6ec3c715fbaa9c19f194e4d75e9cf0091bc25

Download Submit
C:\Users\Admin\AppData\Local\Temp\injnxgi.sfx.exe
Filesize
581KB

MD5
eba62d389d0ec93b24c68eff9567900a

SHA1
ff276bdebe63d2b6d40098f28cc7aed0d1212f38

SHA256
ae71d905bf604b8ca75f2c0786a5d2306b594ca33131b61ca11abacc2588308a

SHA512
9f718ecc6974189f0d7d707fd75e2fdc1d35c35b7b464f195fd90cd141f55edc007eb53d919daad73a6fca0000f4e04d7ba09b5c4bb9e60da5ee04caf8f5cc43

Download Submit
memory/4236-35-0x0000000000400000-0x0000000000400000-memory.dmp

Download
memory/4768-25-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/4768-24-0x0000000005440000-0x0000000005446000-memory.dmp

Filesize
24KB

Download
memory/4768-23-0x0000000000AB0000-0x0000000000B12000-memory.dmp

Filesize
392KB

Download
memory/4768-26-0x000000000E060000-0x000000000E0C4000-memory.dmp

Filesize
400KB

Download
memory/4768-27-0x000000000E160000-0x000000000E1FC000-memory.dmp

Filesize
624KB

Download
memory/4768-28-0x000000000E7B0000-0x000000000ED54000-memory.dmp

Filesize
5.6MB

Download
memory/4768-29-0x000000000E2A0000-0x000000000E332000-memory.dmp

Filesize
584KB

Download
memory/4768-30-0x0000000002E20000-0x0000000002E26000-memory.dmp

Filesize
24KB

Download
memory/4768-34-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/4768-22-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing