a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e

General

Target

a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.exe
Size

5.4MB
MD5

f5447a6dfc5fdcf7de9d0e46b6aa6ca2
SHA1

9d68a4c28a93d577d1017db27749273c41de3d8a
SHA256

a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e
SHA512

15fed8df5f23c029e184e1c35c2043282ec27b624d1ad4cb8e3d62147616d9cd1863fab1dc29fa1c2c3f303da9c8cf1fafce3cf5af2c275884012ea9a23dcaf6
SSDEEP

98304:QiTy7MbNyTOgXDGXbCewi5bflQnJcOTLG+CpxJmrXVOd4sLWdJt7R95wqdqS9I1k:QBI8DGX1bd+aOvG3pmrXGMt7RndqS92k

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp

Executes dropped EXE 5 IoCs

pid	Process
4236	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp
2096	install_tool.exe
1344	install_tool.exe
3232	install_tool.exe
1632	card_code_check.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3232	install_tool.exe
3232	install_tool.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 4236	1652	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.exe	84
PID 1652 wrote to memory of 4236	1652	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.exe	84
PID 1652 wrote to memory of 4236	1652	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.exe	84
PID 4236 wrote to memory of 2096	4236	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp	85
PID 4236 wrote to memory of 2096	4236	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp	85
PID 4236 wrote to memory of 1344	4236	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp	88
PID 4236 wrote to memory of 1344	4236	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp	88
PID 1344 wrote to memory of 3976	1344	install_tool.exe	90
PID 1344 wrote to memory of 3976	1344	install_tool.exe	90
PID 3976 wrote to memory of 1268	3976	cmd.exe	91
PID 3976 wrote to memory of 1268	3976	cmd.exe	91
PID 1268 wrote to memory of 4228	1268	net.exe	92
PID 1268 wrote to memory of 4228	1268	net.exe	92
PID 4236 wrote to memory of 3232	4236	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp	93
PID 4236 wrote to memory of 3232	4236	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp	93
PID 4236 wrote to memory of 1632	4236	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp	95
PID 4236 wrote to memory of 1632	4236	a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp	95

C:\Users\Admin\AppData\Local\Temp\a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.exe
"C:\Users\Admin\AppData\Local\Temp\a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Users\Admin\AppData\Local\Temp\is-HJV2O.tmp\a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-HJV2O.tmp\a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp" /SL5="$9011A,4824881,797696,C:\Users\Admin\AppData\Local\Temp\a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4236
- - C:\Users\Admin\AppData\Local\Temp\is-VOO3Q.tmp\install_tool.exe
    "C:\Users\Admin\AppData\Local\Temp\is-VOO3Q.tmp\install_tool.exe" 2 Steam\Steam.lnk C:\Users\Admin\AppData\Local\Temp\is-VOO3Q.tmp\findpath.txt
    3⤵
    - Executes dropped EXE
    PID:2096
- - C:\Users\Admin\AppData\Local\Temp\is-VOO3Q.tmp\install_tool.exe
    "C:\Users\Admin\AppData\Local\Temp\is-VOO3Q.tmp\install_tool.exe" 4 steam_host
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1344
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop steam_host
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3976
    - - C:\Windows\system32\net.exe
        
        net stop steam_host
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1268
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop steam_host
        6⤵
        
        PID:4228
- - C:\Users\Admin\AppData\Local\Temp\is-VOO3Q.tmp\install_tool.exe
    "C:\Users\Admin\AppData\Local\Temp\is-VOO3Q.tmp\install_tool.exe" 3 WindowsUpdateBlocker.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3232
- - C:\Users\Admin\AppData\Local\Temp\is-VOO3Q.tmp\card_code_check.exe
    "C:\Users\Admin\AppData\Local\Temp\is-VOO3Q.tmp\card_code_check.exe" 0 0 0 3000 ZXCVQGGJJZUWHKDQ
    3⤵
    - Executes dropped EXE
    PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-HJV2O.tmp\a2a4e93cf2f41454cc3505e003c7d0bbf4f60ad2b62e6bc40152ea7d6ff83d8e.tmp

Filesize
3.0MB

MD5
45dc976bf2b5db845f3a6c12f8aecd9d

SHA1
de467a57299197e07a07bf4c3921be3021bc0f35

SHA256
95901ea941b1e3ea67f371ccf39f9fbdf6268886babb63717a77a528f846d4b1

SHA512
03a233a14f434ce340b92347e8ebe6628dcb9ab495076f6879253fa1cb15bbf64aed3cab73457ad5238c7e22d87649dddbeeb748051fab4c09760d52b49fcf6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VOO3Q.tmp\card_code_check.exe

Filesize
103KB

MD5
e599549b26145a23da8288b5dcb15723

SHA1
919858d333c51d4b3fc74c21457b0598793ed4db

SHA256
d2189ed466e0f6bd4c612694b7c56f19323f0a48c931ac5321335006c9dd5780

SHA512
dfb46c256c91443416a4436d04adbf89966ee7556345e85afbd41d69270dfa0cf6d7c6f79867e1847da977b68844060664293bf655b8c1d744f14067df802fce

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VOO3Q.tmp\install_tool.exe

Filesize
138KB

MD5
009e852552e1d71fd3547afd2d34ceb0

SHA1
db252b1eac7e356972689c555ea51416be10b4ff

SHA256
7ab988c5636873d60ba082bbcbabcdd10a4399578f7328e16f4966a658f193ac

SHA512
aa509d6fd12a01a44e98aaa9fd77608b4c720bd9347104b4a19d0ee9e04da42da3b6994b84332f18798735dc0ccd48d5a350caf05fe5be4e5af0a06590059b7a

Download Submit
memory/1652-1-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1652-2-0x0000000000401000-0x00000000004A8000-memory.dmp

Filesize
668KB

Download
memory/1652-30-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4236-6-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/4236-28-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing