00d38904a533bd1dbeda19feee9684ad84628d45cf51b79d5cbc1d3ae32ba0f8

General

Target

00d38904a533bd1dbeda19feee9684ad84628d45cf51b79d5cbc1d3ae32ba0f8.exe
Size

2.6MB
MD5

91986bf2f3d75f35d6ef9ff5529b495f
SHA1

aad30d0031c3ebd9e9823cdd3869a594ced9bc93
SHA256

00d38904a533bd1dbeda19feee9684ad84628d45cf51b79d5cbc1d3ae32ba0f8
SHA512

c523ddec5e408b0fd85d5c5c69ad734838ac7383ea78c3f41b45c9d4be562476c458340ff797c084ac2f2d2979c3f9f04fc7a997d80615915c388b2d663c2a84
SSDEEP

24576:QAHnh+eWsN3skA4RV1Hom2KXSmHdqf0K44JzixdvW80EXLq31gEfUvWDyBFZpxxt:Hh+ZkldoPKiYdqd6F

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	setspn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	00d38904a533bd1dbeda19feee9684ad84628d45cf51b79d5cbc1d3ae32ba0f8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	setspn.exe

Executes dropped EXE 2 IoCs

pid	Process
636	setspn.exe
1416	setspn.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1820-0-0x0000000000C20000-0x0000000000ECA000-memory.dmp	autoit_exe
behavioral2/files/0x0008000000023265-35.dat	autoit_exe
behavioral2/memory/1416-36-0x0000000000B10000-0x0000000000DBA000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1820 set thread context of 1752	1820	00d38904a533bd1dbeda19feee9684ad84628d45cf51b79d5cbc1d3ae32ba0f8.exe	89
PID 636 set thread context of 4176	636	setspn.exe	96
PID 1416 set thread context of 2304	1416	setspn.exe	106

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1284	schtasks.exe
5088	schtasks.exe
2096	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1820	00d38904a533bd1dbeda19feee9684ad84628d45cf51b79d5cbc1d3ae32ba0f8.exe
1820	00d38904a533bd1dbeda19feee9684ad84628d45cf51b79d5cbc1d3ae32ba0f8.exe
1820	00d38904a533bd1dbeda19feee9684ad84628d45cf51b79d5cbc1d3ae32ba0f8.exe
1820	00d38904a533bd1dbeda19feee9684ad84628d45cf51b79d5cbc1d3ae32ba0f8.exe
636	setspn.exe
636	setspn.exe
636	setspn.exe
636	setspn.exe
1416	setspn.exe
1416	setspn.exe
1416	setspn.exe
1416	setspn.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1752	RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1752	RegSvcs.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 1752	1820	00d38904a533bd1dbeda19feee9684ad84628d45cf51b79d5cbc1d3ae32ba0f8.exe	89
PID 1820 wrote to memory of 1752	1820	00d38904a533bd1dbeda19feee9684ad84628d45cf51b79d5cbc1d3ae32ba0f8.exe	89
PID 1820 wrote to memory of 1752	1820	00d38904a533bd1dbeda19feee9684ad84628d45cf51b79d5cbc1d3ae32ba0f8.exe	89
PID 1820 wrote to memory of 1752	1820	00d38904a533bd1dbeda19feee9684ad84628d45cf51b79d5cbc1d3ae32ba0f8.exe	89
PID 1820 wrote to memory of 1752	1820	00d38904a533bd1dbeda19feee9684ad84628d45cf51b79d5cbc1d3ae32ba0f8.exe	89
PID 1820 wrote to memory of 2096	1820	00d38904a533bd1dbeda19feee9684ad84628d45cf51b79d5cbc1d3ae32ba0f8.exe	92
PID 1820 wrote to memory of 2096	1820	00d38904a533bd1dbeda19feee9684ad84628d45cf51b79d5cbc1d3ae32ba0f8.exe	92
PID 1820 wrote to memory of 2096	1820	00d38904a533bd1dbeda19feee9684ad84628d45cf51b79d5cbc1d3ae32ba0f8.exe	92
PID 636 wrote to memory of 4176	636	setspn.exe	96
PID 636 wrote to memory of 4176	636	setspn.exe	96
PID 636 wrote to memory of 4176	636	setspn.exe	96
PID 636 wrote to memory of 4176	636	setspn.exe	96
PID 636 wrote to memory of 4176	636	setspn.exe	96
PID 636 wrote to memory of 1284	636	setspn.exe	97
PID 636 wrote to memory of 1284	636	setspn.exe	97
PID 636 wrote to memory of 1284	636	setspn.exe	97
PID 1416 wrote to memory of 2304	1416	setspn.exe	106
PID 1416 wrote to memory of 2304	1416	setspn.exe	106
PID 1416 wrote to memory of 2304	1416	setspn.exe	106
PID 1416 wrote to memory of 2304	1416	setspn.exe	106
PID 1416 wrote to memory of 2304	1416	setspn.exe	106
PID 1416 wrote to memory of 5088	1416	setspn.exe	107
PID 1416 wrote to memory of 5088	1416	setspn.exe	107
PID 1416 wrote to memory of 5088	1416	setspn.exe	107

C:\Users\Admin\AppData\Local\Temp\00d38904a533bd1dbeda19feee9684ad84628d45cf51b79d5cbc1d3ae32ba0f8.exe
"C:\Users\Admin\AppData\Local\Temp\00d38904a533bd1dbeda19feee9684ad84628d45cf51b79d5cbc1d3ae32ba0f8.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1752
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:2096

C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:4176
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:1284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4172 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:2120

C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:2304
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

Filesize
1KB

MD5
0672db2ef13237d5cb85075ff4915942

SHA1
ad8b4d3eb5e40791c47d48b22e273486f25f663f

SHA256
0a933408890369b5a178f9c30aa93d2c94f425650815cf8e8310de4e90a3b519

SHA512
84ad10ba5b695567d33a52f786405a5544aa49d8d23631ba9edf3afa877c5dbd81570d15bcf74bce5d9fb1afad2117d0a4ef913b396c0d923afefe615619c84b

Download Submit
C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe

Filesize
448KB

MD5
563dfa4b94b0bf46639207726a9eedeb

SHA1
c6e4d912ca585a7657bf8dbd8c0b2d3d27e207ff

SHA256
8ad9fa815202ab09d6653bac983ae713166feb4cc94c232cfd42fc611a0fcb1e

SHA512
b6644240b411a78597128e121815381e420f1e62d312c955070be098897937e088055cb91901a273c0f142252c5d9c34dfa8a06934028a2a00a66b22bbf1d489

Download Submit
C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe

Filesize
2.6MB

MD5
6a08cbdb1d9d1bad85b64e0f96df8d05

SHA1
be1cb51234a41898ab6466582e23358c2d4193ce

SHA256
cc995add61a105be78354f99760e24d7dfc27a1111adf1824bf3f72aa88c9cfd

SHA512
89a36cfaebdb7d7fd44784d472621d76bb4ecda8c61c6dcd475acc55a2e989a367d167c487319ca5d9a22f7362c2f8fef7bef39edc1d7c2ad0c9a1d097d5b348

Download Submit
memory/636-22-0x0000000000B10000-0x0000000000DBA000-memory.dmp

Filesize
2.7MB

Download
memory/1416-36-0x0000000000B10000-0x0000000000DBA000-memory.dmp

Filesize
2.7MB

Download
memory/1752-20-0x0000000006300000-0x000000000630A000-memory.dmp

Filesize
40KB

Download
memory/1752-8-0x00000000055E0000-0x00000000055F0000-memory.dmp

Filesize
64KB

Download
memory/1752-11-0x0000000005BA0000-0x0000000006144000-memory.dmp

Filesize
5.6MB

Download
memory/1752-12-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/1752-16-0x0000000005670000-0x0000000005678000-memory.dmp

Filesize
32KB

Download
memory/1752-17-0x0000000005B70000-0x0000000005B88000-memory.dmp

Filesize
96KB

Download
memory/1752-15-0x00000000055D0000-0x00000000055E2000-memory.dmp

Filesize
72KB

Download
memory/1752-19-0x0000000006480000-0x0000000006642000-memory.dmp

Filesize
1.8MB

Download
memory/1752-18-0x00000000062B0000-0x00000000062C0000-memory.dmp

Filesize
64KB

Download
memory/1752-2-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1752-9-0x0000000002EE0000-0x0000000002EEE000-memory.dmp

Filesize
56KB

Download
memory/1752-10-0x00000000054A0000-0x00000000054FC000-memory.dmp

Filesize
368KB

Download
memory/1752-7-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download
memory/1752-32-0x00000000055E0000-0x00000000055F0000-memory.dmp

Filesize
64KB

Download
memory/1752-30-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download
memory/1820-0-0x0000000000C20000-0x0000000000ECA000-memory.dmp

Filesize
2.7MB

Download
memory/1820-1-0x0000000001840000-0x0000000001841000-memory.dmp

Filesize
4KB

Download
memory/2304-44-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2304-43-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download
memory/2304-45-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download
memory/4176-31-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/4176-29-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download
memory/4176-34-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download
memory/4176-24-0x0000000000600000-0x00000000006EA000-memory.dmp

Filesize
936KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads