13d8121844734f49d93956b30ffab57a220e5fe1345a0bcf89e4df9cd37ab4f4

General

Target

PizDec.exe
Size

237KB
MD5

6520885628fe337b8665099479cc1d4d
SHA1

09741f5c74b3525c31004c5bd19b0ecab835186d
SHA256

13d8121844734f49d93956b30ffab57a220e5fe1345a0bcf89e4df9cd37ab4f4
SHA512

235d7a2cd8751c7f128d6e6014f098f296d49bf1fca6e0c716e3330588f9ab0688a25ab44b02879411b6210f3febdfed35d9beb1ef5a18542578211fbdd9fe9c
SSDEEP

6144:+V28o+H+4OwpuhwDcp7qC4tOesrTPh350OthwqoS:+oAe4O9hwDct74tO7rTV50OgqoS

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	PizDec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4464-0-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral2/memory/4464-20-0x0000000000400000-0x000000000044D000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{3478FBF5-CE19-4D29-8B37-060D6B147434}	WScript.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1112	WScript.exe
Token: SeCreatePagefilePrivilege	1112	WScript.exe
Token: 33	1412	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1412	AUDIODG.EXE
Token: SeShutdownPrivilege	1112	WScript.exe
Token: SeCreatePagefilePrivilege	1112	WScript.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 4744	4464	PizDec.exe	90
PID 4464 wrote to memory of 4744	4464	PizDec.exe	90
PID 4744 wrote to memory of 1112	4744	cmd.exe	93
PID 4744 wrote to memory of 1112	4744	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\PizDec.exe
"C:\Users\Admin\AppData\Local\Temp\PizDec.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DC66.tmp\DC67.tmp\DC68.bat C:\Users\Admin\AppData\Local\Temp\PizDec.exe"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\6.VBS"
    3⤵
    - Enumerates connected drives
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:1112

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x338 0x404
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=3464 /prefetch:8
1⤵
PID:3792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DC66.tmp\DC67.tmp\DC68.bat

Filesize
27B

MD5
c7da66cab92e95daf435dc74fa5ca35a

SHA1
924f2b0ebac4eac12c78b298697400a1b338a4c5

SHA256
4ab885b4b48037707771cc63658513d3d82a80cf97fbcdf4558e35bc3adc2b92

SHA512
28737deed8241b3c577cc6a2942287d5be0f9a45f9a902696ab733c78fe2bcd0d47d29d0efec6cca57de656472346170379c7d1ba60a5508c31f883674786787

Download Submit
C:\Users\Admin\AppData\Roaming\6.VBS

Filesize
115B

MD5
9e242f8f35222db7713bf96248c7434c

SHA1
a66a0c27eca4aa325bc3dc8d907837180bcbd1b3

SHA256
5d173c4f51d33ea28ce3a5aa715bc7140f7bcc82c4b99fad2a2d3474c476c731

SHA512
4c4383df59bbbe7d5d86bc0f78b44afc68327789f5244f7cdf55f81889b6e74d008d0b94e6dfec66ac8394699919bc75a038b6c9c380fbe83161ad702b830b56

Download Submit
C:\Users\Admin\AppData\Roaming\piz.mp3

Filesize
198KB

MD5
71cf668f8ebbceda772022165b460ce3

SHA1
99febb0f4f9f388a4f9aeedd1530b50e0790500c

SHA256
321f25cb7284f1b11bea1dd0286efcce180a2ea15357acca7158d575840c3033

SHA512
bbc77a20f1a0a5355e82a40741ed50cc27fbbe97b4615c9f47644288275710ea288504fb97d14f786192bd6db54ba06ed61a3210a3571d988d026293aeb17a63

Download Submit
memory/4464-0-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4464-20-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads