aad7efba3f59c9eb0e93e35fd34fd02163afbf3964696856da14c533282f77d8

General

Target

aad7efba3f59c9eb0e93e35fd34fd02163afbf3964696856da14c533282f77d8.exe
Size

1.6MB
MD5

b4157eebff704afd97d75743d984aef6
SHA1

346cc281e746733968b74f623941c29be3290286
SHA256

aad7efba3f59c9eb0e93e35fd34fd02163afbf3964696856da14c533282f77d8
SHA512

ea3db10a6afc34a655dae686790bc2f28065d4d7a51473f062e74390c9cf14c3bd10fcfb544ebcdd22ea56f04664a0c5f04e02ea0dc772754172e77414efc121
SSDEEP

24576:gPTSFvPz6LOpNNYVe16EEqk3a+WFEtsrJfx4u0+t7Teed24b6IQ+:gazfdr+WdrJ54uztG8tV

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	aad7efba3f59c9eb0e93e35fd34fd02163afbf3964696856da14c533282f77d8.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/876-16-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/876-18-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/876-19-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/876-22-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/876-20-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/876-21-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/876-24-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/876-26-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/876-29-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/876-31-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/876-33-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/876-36-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/876-38-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/876-40-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/876-43-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/876-45-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/876-48-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/876-50-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/876-52-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/876-56-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/876-54-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/876-58-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/876-60-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/876-63-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/876-67-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/876-65-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/876-90-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2296	2100	WerFault.exe	89
2428	876	WerFault.exe	93

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
876	aad7efba3f59c9eb0e93e35fd34fd02163afbf3964696856da14c533282f77d8.exe
876	aad7efba3f59c9eb0e93e35fd34fd02163afbf3964696856da14c533282f77d8.exe
876	aad7efba3f59c9eb0e93e35fd34fd02163afbf3964696856da14c533282f77d8.exe
876	aad7efba3f59c9eb0e93e35fd34fd02163afbf3964696856da14c533282f77d8.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2100	aad7efba3f59c9eb0e93e35fd34fd02163afbf3964696856da14c533282f77d8.exe
Token: SeDebugPrivilege	876	aad7efba3f59c9eb0e93e35fd34fd02163afbf3964696856da14c533282f77d8.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2100	aad7efba3f59c9eb0e93e35fd34fd02163afbf3964696856da14c533282f77d8.exe
2100	aad7efba3f59c9eb0e93e35fd34fd02163afbf3964696856da14c533282f77d8.exe
2100	aad7efba3f59c9eb0e93e35fd34fd02163afbf3964696856da14c533282f77d8.exe
2100	aad7efba3f59c9eb0e93e35fd34fd02163afbf3964696856da14c533282f77d8.exe
876	aad7efba3f59c9eb0e93e35fd34fd02163afbf3964696856da14c533282f77d8.exe
876	aad7efba3f59c9eb0e93e35fd34fd02163afbf3964696856da14c533282f77d8.exe
876	aad7efba3f59c9eb0e93e35fd34fd02163afbf3964696856da14c533282f77d8.exe
876	aad7efba3f59c9eb0e93e35fd34fd02163afbf3964696856da14c533282f77d8.exe
876	aad7efba3f59c9eb0e93e35fd34fd02163afbf3964696856da14c533282f77d8.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 876	2100	aad7efba3f59c9eb0e93e35fd34fd02163afbf3964696856da14c533282f77d8.exe	93
PID 2100 wrote to memory of 876	2100	aad7efba3f59c9eb0e93e35fd34fd02163afbf3964696856da14c533282f77d8.exe	93
PID 2100 wrote to memory of 876	2100	aad7efba3f59c9eb0e93e35fd34fd02163afbf3964696856da14c533282f77d8.exe	93

C:\Users\Admin\AppData\Local\Temp\aad7efba3f59c9eb0e93e35fd34fd02163afbf3964696856da14c533282f77d8.exe
"C:\Users\Admin\AppData\Local\Temp\aad7efba3f59c9eb0e93e35fd34fd02163afbf3964696856da14c533282f77d8.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\aad7efba3f59c9eb0e93e35fd34fd02163afbf3964696856da14c533282f77d8.exe
  "C:\Users\Admin\AppData\Local\Temp\aad7efba3f59c9eb0e93e35fd34fd02163afbf3964696856da14c533282f77d8.exe" 1453198
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:876
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 1292
    3⤵
    - Program crash
    PID:2428
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1896
  2⤵
  - Program crash
  PID:2296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2100 -ip 2100
1⤵
PID:700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 876 -ip 876
1⤵
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\887FF46494EDD4FB912E8178EF15D278

Filesize
503B

MD5
6d85f30a4d7d441e7f843330528152c2

SHA1
fb49ae7dc2b71185ce3c99ea01088f9e73c5ee8e

SHA256
2ebce79a7f746e1c393200d80e98507edbc9b1b973c7268344a44d93a2caa832

SHA512
49df6a47a7aadc8ff840d007c114b12ae492abb2edb30dcc730ed0fc0f7d3961545ee1f1aeb2fc30a5b91f8e747338f80a544504797167a1ce9e848f379cf431

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
247f2face6e298e693c976d969934d39

SHA1
e47f2f7458d1ddcd359c29034327db7cca47821c

SHA256
15e40b49849d338d5a7fad6ab08af6a218e85a0ea9ffdf575aa3ea7da799de7f

SHA512
59bc047fab9688a08df9594cdfcfc0fef9e2f2de650a4624543ad49a0cd6d08a9b15b9ba05ce7703803bece685c364d4bc1d1798238ff4e232e484b01628b3e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\887FF46494EDD4FB912E8178EF15D278

Filesize
552B

MD5
b31128ace3169c6179f00ce92c310ac4

SHA1
b8b395435f0577d8c73ca8ce2191c4cb7e61deff

SHA256
87988bc6c725b7f81fd5b5d68cca6fd09706ded6e8b7831dba89413ec33ed877

SHA512
541bfb0b2185ccc9a8cc37881777eff2d5b34e5038a327df56cd232eb8a83674f402154896c044e8eb993d354cae995039a87de729aa1858e09a30b47fc186f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\US5JL1P3.htm

Filesize
162B

MD5
4f8e702cc244ec5d4de32740c0ecbd97

SHA1
3adb1f02d5b6054de0046e367c1d687b6cdf7aff

SHA256
9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a

SHA512
21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f

Download Submit
memory/876-33-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/876-38-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/876-18-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/876-19-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/876-22-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/876-20-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/876-21-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/876-24-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/876-26-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/876-29-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/876-31-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/876-90-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/876-36-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/876-16-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/876-40-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/876-43-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/876-45-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/876-48-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/876-50-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/876-52-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/876-56-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/876-54-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/876-58-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/876-60-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/876-63-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/876-67-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/876-65-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2100-0-0x0000000077724000-0x0000000077725000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing