4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57

General

Target

4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe
Size

179KB
MD5

98a799292c19a8c66ca9644e10f7446a
SHA1

29387fc643e7e01fa1a5cec718b1e784d8248825
SHA256

4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57
SHA512

73ad05fb47220219dbbf200704015c5d309ead4df5474dab839bc1f7968302c7757553f2cf22b4637ce2e0d2d6ec8995a370530aed79e216d5b79f00ca26891a
SSDEEP

3072:XXTTASJKf2n5AxE2NpxOa2XdU2QF4s5XgIDFyHb8kHofL/09rGB:XvASJKenie2xT2NU2OTFQb8Fb0IB

Score

9^/10

persistence

Malware Config

Signatures

Detects executables packed with aPLib. 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4952-0-0x0000000000670000-0x00000000006A0000-memory.dmp	INDICATOR_EXE_Packed_aPLib
behavioral2/memory/4952-570-0x0000000000670000-0x00000000006A0000-memory.dmp	INDICATOR_EXE_Packed_aPLib

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelPowerAgent5 = "rundll32.exe shell32.dll, ShellExec_RunDLL C:\\PROGRA~3\\802JD2~1.EXE"	svchost.exe

Checks for any installed AV software in registry 1 TTPs 3 IoCs

Security Software Discovery

T1518.001

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avira	svchost.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast	svchost.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Eset\Nod	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe

description	pid	process	target process
PID 4952 set thread context of 1764	4952	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exe

pid	process
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exesvchost.exe

description	pid	process	target process
PID 4952 wrote to memory of 1764	4952	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe	svchost.exe
PID 4952 wrote to memory of 1764	4952	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe	svchost.exe
PID 4952 wrote to memory of 1764	4952	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe	svchost.exe
PID 4952 wrote to memory of 1764	4952	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe	svchost.exe
PID 4952 wrote to memory of 1764	4952	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe	svchost.exe
PID 4952 wrote to memory of 1764	4952	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe	svchost.exe
PID 4952 wrote to memory of 1764	4952	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe	svchost.exe
PID 4952 wrote to memory of 1764	4952	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe	svchost.exe
PID 4952 wrote to memory of 1764	4952	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe	svchost.exe
PID 4952 wrote to memory of 1764	4952	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe	svchost.exe
PID 4952 wrote to memory of 1764	4952	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe	svchost.exe
PID 4952 wrote to memory of 2836	4952	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe	cmd.exe
PID 4952 wrote to memory of 2836	4952	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe	cmd.exe
PID 4952 wrote to memory of 2836	4952	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe	cmd.exe
PID 1764 wrote to memory of 4952	1764	svchost.exe	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe
PID 1764 wrote to memory of 4952	1764	svchost.exe	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe
PID 1764 wrote to memory of 4952	1764	svchost.exe	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe
PID 1764 wrote to memory of 4952	1764	svchost.exe	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe
PID 1764 wrote to memory of 4952	1764	svchost.exe	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe
PID 1764 wrote to memory of 4952	1764	svchost.exe	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe
PID 1764 wrote to memory of 4952	1764	svchost.exe	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe

C:\Users\Admin\AppData\Local\Temp\4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe
"C:\Users\Admin\AppData\Local\Temp\4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Windows\SysWOW64\svchost.exe
  C:\ProgramData\802jd2dj6.exe
  2⤵
  - Adds Run key to start application
  - Checks for any installed AV software in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\ksn1F6E.tmp.bat" "C:\Users\Admin\AppData\Local\Temp\4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe""
  2⤵
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Software Discovery

1

T1518

Security Software Discovery

1

T1518.001

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ksn1F6E.tmp.bat

Filesize
36B

MD5
6c051ea6b84cd8cdcd49f3ddc0d3b5e0

SHA1
91211ea4e673636b6c81198ea43a770ba11d923c

SHA256
959d34421d5e1294b2e34821ca7ee7bf138cc9bcc7d5de6075022658e75629f5

SHA512
d112a87181aff80a33e4e5f302ea11ae95e8978b9bcb85a6034bf673512bad507f9106eac789dfbe0e7ec3951e71278863dcb7f9e060d5e84544bc9b0794c974

Download Submit
memory/1764-309-0x0000000001300000-0x0000000001376000-memory.dmp

Filesize
472KB

Download
memory/1764-286-0x0000000001000000-0x0000000001200000-memory.dmp

Filesize
2.0MB

Download
memory/1764-308-0x0000000001000000-0x0000000001200000-memory.dmp

Filesize
2.0MB

Download
memory/1764-282-0x0000000001300000-0x0000000001376000-memory.dmp

Filesize
472KB

Download
memory/1764-287-0x0000000001300000-0x0000000001376000-memory.dmp

Filesize
472KB

Download
memory/1764-284-0x0000000001300000-0x0000000001376000-memory.dmp

Filesize
472KB

Download
memory/1764-291-0x0000000001300000-0x0000000001376000-memory.dmp

Filesize
472KB

Download
memory/1764-288-0x0000000001300000-0x0000000001376000-memory.dmp

Filesize
472KB

Download
memory/1764-185-0x0000000001300000-0x0000000001376000-memory.dmp

Filesize
472KB

Download
memory/1764-3-0x0000000001300000-0x0000000001376000-memory.dmp

Filesize
472KB

Download
memory/1764-598-0x0000000001000000-0x0000000001200000-memory.dmp

Filesize
2.0MB

Download
memory/1764-597-0x0000000001000000-0x0000000001200000-memory.dmp

Filesize
2.0MB

Download
memory/1764-589-0x0000000001300000-0x0000000001376000-memory.dmp

Filesize
472KB

Download
memory/1764-2-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/4952-570-0x0000000000670000-0x00000000006A0000-memory.dmp

Filesize
192KB

Download
memory/4952-569-0x0000000003530000-0x00000000035A6000-memory.dmp

Filesize
472KB

Download
memory/4952-0-0x0000000000670000-0x00000000006A0000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads