13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f

General

Target

13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe
Size

558KB
MD5

652d1c6b3324a9f38301e4dc47d4189e
SHA1

09e4b19b5fa435005d1fc34247902e9ab1f35bff
SHA256

13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f
SHA512

28ab9fcaac62a57cd8e4a06e305a980fb19e9969549720e7b7607800abd25f3cb41bc25cb880464d213159ce36718779127c6d9a49de61fe22cb5102bf765bcd
SSDEEP

12288:21+vKnoA0cdoIl9jmDBJ4Uh2DEq/51r575O65n9VG:e+vg0HU9EP4UheEq/B79u

Score

9^/10

persistence upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4820-0-0x0000000000400000-0x0000000000551000-memory.dmp	UPX
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe	UPX
behavioral2/memory/4820-14-0x0000000000400000-0x0000000000551000-memory.dmp	UPX
behavioral2/memory/4820-17-0x0000000000400000-0x0000000000551000-memory.dmp	UPX
behavioral2/memory/4820-20-0x0000000000400000-0x0000000000551000-memory.dmp	UPX
behavioral2/memory/4820-24-0x0000000000400000-0x0000000000551000-memory.dmp	UPX
behavioral2/memory/4820-27-0x0000000000400000-0x0000000000551000-memory.dmp	UPX
behavioral2/memory/4820-30-0x0000000000400000-0x0000000000551000-memory.dmp	UPX
behavioral2/memory/4820-33-0x0000000000400000-0x0000000000551000-memory.dmp	UPX

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe

Drops startup file 1 IoCs

Processes:

13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4820-0-0x0000000000400000-0x0000000000551000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe	upx
behavioral2/memory/4820-14-0x0000000000400000-0x0000000000551000-memory.dmp	upx
behavioral2/memory/4820-17-0x0000000000400000-0x0000000000551000-memory.dmp	upx
behavioral2/memory/4820-20-0x0000000000400000-0x0000000000551000-memory.dmp	upx
behavioral2/memory/4820-24-0x0000000000400000-0x0000000000551000-memory.dmp	upx
behavioral2/memory/4820-27-0x0000000000400000-0x0000000000551000-memory.dmp	upx
behavioral2/memory/4820-30-0x0000000000400000-0x0000000000551000-memory.dmp	upx
behavioral2/memory/4820-33-0x0000000000400000-0x0000000000551000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe"	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe

pid	process
4820	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe
4820	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe
4820	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe
4820	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe
4820	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe
4820	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe
4820	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe
4820	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe
4820	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe
4820	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe
4820	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe
4820	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe
4820	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe
4820	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe
4820	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe
4820	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe

pid process

4820 13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe

pid	process
4820	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe
4820	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe

description	pid	process	target process
PID 4820 wrote to memory of 4312	4820	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe	WScript.exe
PID 4820 wrote to memory of 4312	4820	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe	WScript.exe
PID 4820 wrote to memory of 4312	4820	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe
"C:\Users\Admin\AppData\Local\Temp\13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:4312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
2004bcee923b0e0222f4cab87c2c2a3d

SHA1
0a3c122b7cfe403403d913ecc1b328480b1bfc2a

SHA256
f92f08df2b65e2f5b5db141c99b098c8b077c0c853a1fd51bfcc6d40dc68ad77

SHA512
cae47a4dfdb942622ebca65d57e9d80c29cb299aa8c217983e34a51655c2e96ed26c7fa2fad978b6279ed4d3c8c0571e417c60152bf66a116f67d0fe38d6a445

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
52acfa4a11fb1089fa1d8f6199d832bc

SHA1
898baa470c2b1212a50bc1c1d320ad0b2eef51f9

SHA256
e592254fb0d6a50ebb183b30d53d84887c6800e5f66acd68992abee63633fd1c

SHA512
471348ef1dd67783045b3e386f5cbeb22d30656d4ff5982a0b80d0f63c166b2fdbc2dc5e38c4c9a56c2f15005f64d9dbcc6fb2878bf985c9fc8497e4e9376750

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
558KB

MD5
8427408717721e9da3b75c237e849a96

SHA1
1b19875a90b0fd9570f7777a0208d315a5400256

SHA256
96bfe6e458648a368814450b02eac9aa3145d0976cd98624eb49d74eb520bb2f

SHA512
9b571dfeefc9ba4eb27b33dc285423955460b0ccfd32f1a30b14c84bac6fc32050d4fdd514090848d930b6727db908d71c6728332501eb782fab56725e41c42a

Download Submit
memory/4820-0-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/4820-14-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/4820-17-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/4820-20-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/4820-24-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/4820-27-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/4820-30-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/4820-33-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads