5efa9dd4d2524577e2aa086115a5397f08c2a7bdcb1988442f2f5af5902ccdb8

General

Target

5efa9dd4d2524577e2aa086115a5397f08c2a7bdcb1988442f2f5af5902ccdb8.exe
Size

7.7MB
MD5

e6522a4a845431ecfd54fc4454c970a9
SHA1

988bb11abace004f5e507d849e42f661b7e34372
SHA256

5efa9dd4d2524577e2aa086115a5397f08c2a7bdcb1988442f2f5af5902ccdb8
SHA512

ca721a8581b4868e834e16a50bf6160210637db4e2a85cb0b803c40e2de024ae23c618d45bb70c5d4dedaa74ecf72a5d78f7f2fa1ae9f3dd1c1576d1027114db
SSDEEP

196608:HF4zBpf4O1kNQ/btsHsohHiCBRbmFJimSgK2o387:l4zB1X1PJJohHia+Jildj387

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	5efa9dd4d2524577e2aa086115a5397f08c2a7bdcb1988442f2f5af5902ccdb8.tmp

Executes dropped EXE 3 IoCs

pid	Process
3864	5efa9dd4d2524577e2aa086115a5397f08c2a7bdcb1988442f2f5af5902ccdb8.tmp
548	unzip.exe
2484	unzip.exe

Loads dropped DLL 3 IoCs

pid	Process
3864	5efa9dd4d2524577e2aa086115a5397f08c2a7bdcb1988442f2f5af5902ccdb8.tmp
3864	5efa9dd4d2524577e2aa086115a5397f08c2a7bdcb1988442f2f5af5902ccdb8.tmp
3864	5efa9dd4d2524577e2aa086115a5397f08c2a7bdcb1988442f2f5af5902ccdb8.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5efa9dd4d2524577e2aa086115a5397f08c2a7bdcb1988442f2f5af5902ccdb8.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	5efa9dd4d2524577e2aa086115a5397f08c2a7bdcb1988442f2f5af5902ccdb8.tmp

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\IESettingSync	5efa9dd4d2524577e2aa086115a5397f08c2a7bdcb1988442f2f5af5902ccdb8.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	5efa9dd4d2524577e2aa086115a5397f08c2a7bdcb1988442f2f5af5902ccdb8.tmp
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	5efa9dd4d2524577e2aa086115a5397f08c2a7bdcb1988442f2f5af5902ccdb8.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	5efa9dd4d2524577e2aa086115a5397f08c2a7bdcb1988442f2f5af5902ccdb8.tmp

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	8	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3864	5efa9dd4d2524577e2aa086115a5397f08c2a7bdcb1988442f2f5af5902ccdb8.tmp
3864	5efa9dd4d2524577e2aa086115a5397f08c2a7bdcb1988442f2f5af5902ccdb8.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 3864	4500	5efa9dd4d2524577e2aa086115a5397f08c2a7bdcb1988442f2f5af5902ccdb8.exe	90
PID 4500 wrote to memory of 3864	4500	5efa9dd4d2524577e2aa086115a5397f08c2a7bdcb1988442f2f5af5902ccdb8.exe	90
PID 4500 wrote to memory of 3864	4500	5efa9dd4d2524577e2aa086115a5397f08c2a7bdcb1988442f2f5af5902ccdb8.exe	90
PID 3864 wrote to memory of 548	3864	5efa9dd4d2524577e2aa086115a5397f08c2a7bdcb1988442f2f5af5902ccdb8.tmp	94
PID 3864 wrote to memory of 548	3864	5efa9dd4d2524577e2aa086115a5397f08c2a7bdcb1988442f2f5af5902ccdb8.tmp	94
PID 3864 wrote to memory of 548	3864	5efa9dd4d2524577e2aa086115a5397f08c2a7bdcb1988442f2f5af5902ccdb8.tmp	94
PID 3864 wrote to memory of 2484	3864	5efa9dd4d2524577e2aa086115a5397f08c2a7bdcb1988442f2f5af5902ccdb8.tmp	96
PID 3864 wrote to memory of 2484	3864	5efa9dd4d2524577e2aa086115a5397f08c2a7bdcb1988442f2f5af5902ccdb8.tmp	96
PID 3864 wrote to memory of 2484	3864	5efa9dd4d2524577e2aa086115a5397f08c2a7bdcb1988442f2f5af5902ccdb8.tmp	96

C:\Users\Admin\AppData\Local\Temp\5efa9dd4d2524577e2aa086115a5397f08c2a7bdcb1988442f2f5af5902ccdb8.exe
"C:\Users\Admin\AppData\Local\Temp\5efa9dd4d2524577e2aa086115a5397f08c2a7bdcb1988442f2f5af5902ccdb8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Users\Admin\AppData\Local\Temp\is-QCLA5.tmp\5efa9dd4d2524577e2aa086115a5397f08c2a7bdcb1988442f2f5af5902ccdb8.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-QCLA5.tmp\5efa9dd4d2524577e2aa086115a5397f08c2a7bdcb1988442f2f5af5902ccdb8.tmp" /SL5="$C004E,7144407,1148416,C:\Users\Admin\AppData\Local\Temp\5efa9dd4d2524577e2aa086115a5397f08c2a7bdcb1988442f2f5af5902ccdb8.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3864
- - C:\Users\Admin\AppData\Local\Temp\is-DU1LP.tmp\unzip.exe
    "C:\Users\Admin\AppData\Local\Temp\is-DU1LP.tmp\unzip.exe" -P qwerty0987 -d C:\Users\Admin\AppData\Local\Temp\is-DU1LP.tmp\3D42F7F5-E8D3-6A28-8FE6-3F012D48BA5F C:\Users\Admin\AppData\Local\Temp\is-DU1LP.tmp\I76RIP1JE.zip
    3⤵
    - Executes dropped EXE
    PID:548
- - C:\Users\Admin\AppData\Local\Temp\is-DU1LP.tmp\unzip.exe
    "C:\Users\Admin\AppData\Local\Temp\is-DU1LP.tmp\unzip.exe" -P qwerty0987 -d C:\Users\Admin\AppData\Local\Temp\is-DU1LP.tmp\3D42F7F5-E8D3-6A28-8FE6-3F012D48BA5F C:\Users\Admin\AppData\Local\Temp\is-DU1LP.tmp\BAWOF530Z.zip
    3⤵
    - Executes dropped EXE
    PID:2484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3108,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4368 /prefetch:8
1⤵
PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-DU1LP.tmp\3D42F7F5-E8D3-6A28-8FE6-3F012D48BA5F\Install\info.xml

Filesize
3KB

MD5
ef08c4343178bf1090177f3abf9eb4b1

SHA1
fc6c76c62c9aa78d9d519c4209866ce70ab678f4

SHA256
11ad70358343ec241c832e505e7b75d7e0f054b65f997c8a6537225a6e20e536

SHA512
1ab8f1956a10db871ae41b04e7615328f2eca4e188d83974fc2d1212852d46021d4a6a181646f10a8b8e249ad2f58c66395b587b8187ce9764c081ffab0597c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DU1LP.tmp\3D42F7F5-E8D3-6A28-8FE6-3F012D48BA5F\install\0\offer0.html

Filesize
16KB

MD5
5a0c3786e2b05408d094d36f95340f5c

SHA1
a78587c6a89094e7cb52f8f5062a4d7050981697

SHA256
efb6ab18f3f3b32a7d067c0eba920c5c0b6fbd03ada781009a99b8110a96187d

SHA512
950a943980def959a40a431b541f1dbf9f66dac076716d5af942d583ee7795b115b6fae385d646423f1ae17f31181b96f866179fdb453541964ddc7a767b5256

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DU1LP.tmp\BAWOF530Z.zip

Filesize
4.2MB

MD5
1993a1c14dabc552573e9dcd7bd349f2

SHA1
1f6fe3706737694353bcab5ffabaee12180aa964

SHA256
7f857e63973f5e04a5ef486e5e952615d50748afcfa148663733713526db9891

SHA512
89db62cd29e91f35d8a0d4860a11fbc2ea33d93c735d392e2f26087e9787ab5100c81e59ba74f0ce90ad0036f6631a6ac7e63b2c764f002b6f91e1d22f5a1a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DU1LP.tmp\I76RIP1JE.zip

Filesize
500KB

MD5
3d69670bcb4b995d3d6571255ddb8dca

SHA1
d69625f1d6d60d0ac07a03a8946a081bcaff3064

SHA256
dd49f178917b4764f4dab1a6ca89f7757a8070dfc5c0b19b63edf3e67fa8883d

SHA512
0e75e152a1f0d17e006fd26839dbf3b8a49ac7d160063dccfccd98da96734e27ce11506f080562a358c33df646aaa7137b074eff0192fe9441c076d65bef16a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DU1LP.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DU1LP.tmp\unzip.exe

Filesize
164KB

MD5
75375c22c72f1beb76bea39c22a1ed68

SHA1
e1652b058195db3f5f754b7ab430652ae04a50b8

SHA256
8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

SHA512
1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DU1LP.tmp\webview.dll

Filesize
2.2MB

MD5
4e74a1f1180cabeaa22e1bfa83d2b950

SHA1
b3a1f737c922020cfdee489bcd0651c2224e5840

SHA256
e192284a0aa19616a793061ec79769ce79394a6d1b8515e794211560526cef25

SHA512
2d145cbb9e9de29f600e499a4f3cd91126899d45b9d55b628a3e38c5dd9f4e88629b3fe8e7de727cb995e8888e7687e9b3ae34e419e6fa1a18a9618dfaf4f53d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QCLA5.tmp\5efa9dd4d2524577e2aa086115a5397f08c2a7bdcb1988442f2f5af5902ccdb8.tmp

Filesize
3.2MB

MD5
8a308d945d6589ca4b4f89b46349a126

SHA1
62ef3fc1a814f342370b9670ecca6dcd0bec974f

SHA256
60db93ec196feba47b93f2e669227c87433f18bbda187e55d8bfbfbe87cd4297

SHA512
4916efbbd94495634733c9ec15b9af7f75d0ec4bb676dd512a97c9e82fe1278b60291378d58d06c6d86330a3ffbf53f9c8ca53ce998d06f2af3e5b35ee5ace6d

Download Submit
memory/3864-12-0x0000000003680000-0x0000000003695000-memory.dmp

Filesize
84KB

Download
memory/3864-6-0x0000000000400000-0x0000000000748000-memory.dmp

Filesize
3.3MB

Download
memory/3864-63-0x0000000003680000-0x0000000003695000-memory.dmp

Filesize
84KB

Download
memory/3864-62-0x0000000000400000-0x0000000000748000-memory.dmp

Filesize
3.3MB

Download
memory/3864-102-0x0000000003680000-0x0000000003695000-memory.dmp

Filesize
84KB

Download
memory/4500-1-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/4500-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/4500-61-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads