668f4d750f26504348477e32cb73aff0cd68d8a0997619f2d1402338d3011f03

General

Target

fotos/foto2.lnk
Size

1KB
MD5

dd3735c04fd4134d97f38b34b5544e3b
SHA1

d250a2a1b545e51c3b3dffaa90b5cb0b2f30f090
SHA256

23ee733b758eb9c05061cd93fe7856e7ae9cea68702b6d833ee3778419ba6b02
SHA512

b574e4347ac9272ed2b9a0b0f373085acc58a08500b81713385d0fe85907fbf62eb0e5741246cb9fb9c0ac5301d953f6b5e8e189faf5d85f7ea6e49545380add

Score

7^/10

execution upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	ud.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
4924	ud.exe
1400	services.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral6/files/0x0007000000023448-24.dat	upx
behavioral6/memory/1400-26-0x0000000000390000-0x000000000047B000-memory.dmp	upx
behavioral6/memory/1400-27-0x0000000000390000-0x000000000047B000-memory.dmp	upx
behavioral6/memory/1400-29-0x0000000000390000-0x000000000047B000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1400 set thread context of 876	1400	services.exe	107

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2184	876	WerFault.exe	107

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	Thumbs.db
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	ud.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 2880	4920	cmd.exe	84
PID 4920 wrote to memory of 2880	4920	cmd.exe	84
PID 2880 wrote to memory of 392	2880	cmd.exe	85
PID 2880 wrote to memory of 392	2880	cmd.exe	85
PID 2880 wrote to memory of 392	2880	cmd.exe	85
PID 392 wrote to memory of 4324	392	Thumbs.db	86
PID 392 wrote to memory of 4324	392	Thumbs.db	86
PID 392 wrote to memory of 4324	392	Thumbs.db	86
PID 4324 wrote to memory of 4924	4324	WScript.exe	87
PID 4324 wrote to memory of 4924	4324	WScript.exe	87
PID 4324 wrote to memory of 4924	4324	WScript.exe	87
PID 4924 wrote to memory of 5088	4924	ud.exe	88
PID 4924 wrote to memory of 5088	4924	ud.exe	88
PID 4924 wrote to memory of 5088	4924	ud.exe	88
PID 5088 wrote to memory of 1400	5088	WScript.exe	90
PID 5088 wrote to memory of 1400	5088	WScript.exe	90
PID 5088 wrote to memory of 1400	5088	WScript.exe	90
PID 1400 wrote to memory of 876	1400	services.exe	107
PID 1400 wrote to memory of 876	1400	services.exe	107
PID 1400 wrote to memory of 876	1400	services.exe	107
PID 1400 wrote to memory of 876	1400	services.exe	107

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\fotos\foto2.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4920
- C:\WINDOWS\system32\cmd.exe
  "C:\WINDOWS\system32\cmd.exe" /c Thumbs.db
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Users\Admin\AppData\Local\Temp\fotos\Thumbs.db
    Thumbs.db
    3⤵
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:392
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\o.js"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4324
    - - C:\Users\Admin\AppData\Local\Temp\ud.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ud.exe" -pkj4h1k74y4 -dC:\Users\Admin\AppData\Local\Temp
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\i.js"
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        "C:\Users\Admin\AppData\Local\Temp\services.exe" -dC:\Users\Admin\AppData\Local\Temp
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\svchost.exe
        
        "C:\Windows\SysWOW64\svchost.exe"
        8⤵
        
        PID:876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 76
        9⤵
        Program crash
        
        PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 876 -ip 876
1⤵
PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\i.js

Filesize
892B

MD5
c44e0be468ad3e4d016ee148f59ea1d0

SHA1
275ccc3741e19e102d2fa365199710c35cf61362

SHA256
0cf22b742dfec691fdb0531e59bc46c031d594d8a75409fff0d0fbc306c1def3

SHA512
71b08215ff1349628f398aa6acebb0d05913c2fe0938dfcbab99db7a49790a0e14c98cbfdbd1b4d81a02cda035cb958943fca945f112b2a8521bc08ff704fc15

Download Submit
C:\Users\Admin\AppData\Local\Temp\o.js

Filesize
415B

MD5
f95deb6d1fe48a2e7447501a893b5b91

SHA1
9ad7889903b88f9c8f19d44ed01aef1936c36ba9

SHA256
2a04df2cb236aebee59e85db8bead72e536e0c9b6eb585d31f921b3e662abd8a

SHA512
99891bdcc8a3253c08490e3438e0782edc012e0b52b998afb7b53b04eb7cb9015157f2bb6b97f26e2781c55e5010830fb511738b89c51277caa8576678c209fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\services.exe

Filesize
2.3MB

MD5
90025f125534097e89bd0e0de9e56f56

SHA1
adf4aa493119d5c99d12ccfeebd772ae3c017d68

SHA256
f61084a3869bfe6fe753112b1747bbd2b1b65ef35efd88834fd071efd8991012

SHA512
af41f6a3b0cf8a3ab3ed452b41b93cc27a3b24fe61d919941fba0917eb25c6a50c81c0be5708e6bfeeb73eafc3a0f3f5ab1fcde09d64327619c49718b241dfc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ud.exe

Filesize
1.4MB

MD5
5b8cdcf8a540ef238744f176d177f3dd

SHA1
2265427bf216afe7db649ed15379a935414e7984

SHA256
9c9e1c62faef3a8aaa8ded65ec4e09c5baabe15dad96722924b4d330e101e9ef

SHA512
03507a9ba187b4f57fe935ad9f94eafe4874aafa15b7d9b38124bdc0b96d88644718da9b133e4d1fa1b0c7db8dedf1460af54459792012a03ed06157cf090dd5

Download Submit
memory/1400-26-0x0000000000390000-0x000000000047B000-memory.dmp

Filesize
940KB

Download
memory/1400-27-0x0000000000390000-0x000000000047B000-memory.dmp

Filesize
940KB

Download
memory/1400-29-0x0000000000390000-0x000000000047B000-memory.dmp

Filesize
940KB

Download

Analysis

Sharing