ef162e0b023ea1d5131d11d5a33064e3fd0b1ae9698dc23d53bd9210afdda240

General

Target

ef162e0b023ea1d5131d11d5a33064e3fd0b1ae9698dc23d53bd9210afdda240.exe
Size

165KB
MD5

500237da069f05dcedb7fa187c613d98
SHA1

196abe18b19a4b2e0c9728c4e535f94a99c1de81
SHA256

ef162e0b023ea1d5131d11d5a33064e3fd0b1ae9698dc23d53bd9210afdda240
SHA512

5350a4f2900c18d66a8a3c94d0dd7c705671eb78c62f64a68b23fb0b7dab2c8d03f43be2bdaa5074ecee64dc3535579897004f52b3b3960911d8a9872b217aa0
SSDEEP

3072:3r1cWI8i05JurTwXU/ulPgc9qz+9+++++q+zq7:b1RJxur8XMQPgyh+++++q+zq7

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	ef162e0b023ea1d5131d11d5a33064e3fd0b1ae9698dc23d53bd9210afdda240.exe

Executes dropped EXE 2 IoCs

pid	Process
3760	winmgr.exe
3480	winmgr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Manager = "C:\\Windows\\M-50502979739026720652860250\\winmgr.exe"	ef162e0b023ea1d5131d11d5a33064e3fd0b1ae9698dc23d53bd9210afdda240.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Manager = "C:\\Windows\\M-50502979739026720652860250\\winmgr.exe"	ef162e0b023ea1d5131d11d5a33064e3fd0b1ae9698dc23d53bd9210afdda240.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1840 set thread context of 1984	1840	ef162e0b023ea1d5131d11d5a33064e3fd0b1ae9698dc23d53bd9210afdda240.exe	95
PID 3760 set thread context of 3480	3760	winmgr.exe	100

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	winmgr.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	winmgr.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.ZipFile.dll	winmgr.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.ZipFile.dll	winmgr.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	winmgr.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	winmgr.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.ZipFile.dll	winmgr.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.ZipFile.dll	winmgr.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\M-50502979739026720652860250\winmgr.exe	ef162e0b023ea1d5131d11d5a33064e3fd0b1ae9698dc23d53bd9210afdda240.exe
File opened for modification	C:\Windows\M-50502979739026720652860250\winmgr.exe	ef162e0b023ea1d5131d11d5a33064e3fd0b1ae9698dc23d53bd9210afdda240.exe
File opened for modification	C:\Windows\M-50502979739026720652860250	ef162e0b023ea1d5131d11d5a33064e3fd0b1ae9698dc23d53bd9210afdda240.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 1984	1840	ef162e0b023ea1d5131d11d5a33064e3fd0b1ae9698dc23d53bd9210afdda240.exe	95
PID 1840 wrote to memory of 1984	1840	ef162e0b023ea1d5131d11d5a33064e3fd0b1ae9698dc23d53bd9210afdda240.exe	95
PID 1840 wrote to memory of 1984	1840	ef162e0b023ea1d5131d11d5a33064e3fd0b1ae9698dc23d53bd9210afdda240.exe	95
PID 1840 wrote to memory of 1984	1840	ef162e0b023ea1d5131d11d5a33064e3fd0b1ae9698dc23d53bd9210afdda240.exe	95
PID 1840 wrote to memory of 1984	1840	ef162e0b023ea1d5131d11d5a33064e3fd0b1ae9698dc23d53bd9210afdda240.exe	95
PID 1840 wrote to memory of 1984	1840	ef162e0b023ea1d5131d11d5a33064e3fd0b1ae9698dc23d53bd9210afdda240.exe	95
PID 1840 wrote to memory of 1984	1840	ef162e0b023ea1d5131d11d5a33064e3fd0b1ae9698dc23d53bd9210afdda240.exe	95
PID 1840 wrote to memory of 1984	1840	ef162e0b023ea1d5131d11d5a33064e3fd0b1ae9698dc23d53bd9210afdda240.exe	95
PID 1840 wrote to memory of 1984	1840	ef162e0b023ea1d5131d11d5a33064e3fd0b1ae9698dc23d53bd9210afdda240.exe	95
PID 1984 wrote to memory of 2548	1984	ef162e0b023ea1d5131d11d5a33064e3fd0b1ae9698dc23d53bd9210afdda240.exe	96
PID 1984 wrote to memory of 2548	1984	ef162e0b023ea1d5131d11d5a33064e3fd0b1ae9698dc23d53bd9210afdda240.exe	96
PID 1984 wrote to memory of 2548	1984	ef162e0b023ea1d5131d11d5a33064e3fd0b1ae9698dc23d53bd9210afdda240.exe	96
PID 1984 wrote to memory of 3760	1984	ef162e0b023ea1d5131d11d5a33064e3fd0b1ae9698dc23d53bd9210afdda240.exe	97
PID 1984 wrote to memory of 3760	1984	ef162e0b023ea1d5131d11d5a33064e3fd0b1ae9698dc23d53bd9210afdda240.exe	97
PID 1984 wrote to memory of 3760	1984	ef162e0b023ea1d5131d11d5a33064e3fd0b1ae9698dc23d53bd9210afdda240.exe	97
PID 3760 wrote to memory of 3480	3760	winmgr.exe	100
PID 3760 wrote to memory of 3480	3760	winmgr.exe	100
PID 3760 wrote to memory of 3480	3760	winmgr.exe	100
PID 3760 wrote to memory of 3480	3760	winmgr.exe	100
PID 3760 wrote to memory of 3480	3760	winmgr.exe	100
PID 3760 wrote to memory of 3480	3760	winmgr.exe	100
PID 3760 wrote to memory of 3480	3760	winmgr.exe	100
PID 3760 wrote to memory of 3480	3760	winmgr.exe	100
PID 3760 wrote to memory of 3480	3760	winmgr.exe	100

C:\Users\Admin\AppData\Local\Temp\ef162e0b023ea1d5131d11d5a33064e3fd0b1ae9698dc23d53bd9210afdda240.exe
"C:\Users\Admin\AppData\Local\Temp\ef162e0b023ea1d5131d11d5a33064e3fd0b1ae9698dc23d53bd9210afdda240.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Users\Admin\AppData\Local\Temp\ef162e0b023ea1d5131d11d5a33064e3fd0b1ae9698dc23d53bd9210afdda240.exe
  "C:\Users\Admin\AppData\Local\Temp\ef162e0b023ea1d5131d11d5a33064e3fd0b1ae9698dc23d53bd9210afdda240.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bbmlwlvyml.bat" "
    3⤵
    PID:2548
- - C:\Windows\M-50502979739026720652860250\winmgr.exe
    C:\Windows\M-50502979739026720652860250\winmgr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3760
  - - C:\Windows\M-50502979739026720652860250\winmgr.exe
      C:\Windows\M-50502979739026720652860250\winmgr.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:3480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bbmlwlvyml.bat

Filesize
302B

MD5
d36f8a757ede16ec733a4c9f38d3ece2

SHA1
539dc19158f27682422d95b655c313d7c46efe8c

SHA256
b00f0b8b1fbc007e8638067452261da4b6318700a22cd75313f9506d07b6b16f

SHA512
e1848402d072953814425581e6d606f2972c9245a89c0b0f95ea38d2303420de3ad252943fd5493115fad1d745776970a09662d255fa5c58f8b8d171a6a615f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\phqghumeay

Filesize
166KB

MD5
f818647026b0a2b3158436921f4d2be2

SHA1
210bebaf97166f4560ae7b5722e447fc2db91516

SHA256
b2fa4189c9d8720c6e397e52a8d62f7c31b9a3829d5748803f7547e3973cdfe8

SHA512
2d4c352433283ddd9830fac717d8f6c2f585c82ffe755cfbea80a9c6dba5096bc79c542e967a8d0f634598c3be3b648ad90460c786255b704cae95d8ab059c1d

Download Submit
C:\Windows\M-50502979739026720652860250\winmgr.exe

Filesize
165KB

MD5
500237da069f05dcedb7fa187c613d98

SHA1
196abe18b19a4b2e0c9728c4e535f94a99c1de81

SHA256
ef162e0b023ea1d5131d11d5a33064e3fd0b1ae9698dc23d53bd9210afdda240

SHA512
5350a4f2900c18d66a8a3c94d0dd7c705671eb78c62f64a68b23fb0b7dab2c8d03f43be2bdaa5074ecee64dc3535579897004f52b3b3960911d8a9872b217aa0

Download Submit
memory/1840-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1840-2-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/1840-4-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1984-3-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1984-6-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1984-7-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3480-25-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3480-26-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3480-28-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3480-38-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3480-39-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3480-45-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3480-46-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3480-55-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3480-62-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3480-63-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3760-24-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3760-18-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads