51f3d6191d2547eb949008017e10ae14d40429ba7db8e71144b0e2e5d7f7f312

General

Target

VirusShare_400eaafaa1acc6469cd2c32c309ab8e6.exe
Size

2.9MB
MD5

400eaafaa1acc6469cd2c32c309ab8e6
SHA1

d9e9ac7bc02ac7d4b5294d35db5489c0e9d45a13
SHA256

51f3d6191d2547eb949008017e10ae14d40429ba7db8e71144b0e2e5d7f7f312
SHA512

3669b83846a5e6a74c224344259238dd80be88fe26db270fcc3163923e514b3d33ecf7d90b3789fe4dc2af5e918e95a59249aa0bb14950bf0e238a792aabe900
SSDEEP

49152:A9BfDauF3rt3g7GNBamkmmCwLtLV3viyKXtLGNWImcuwLbo+V:AfTxzG7CwdV3vidSWHLLS

Score

7^/10

persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	xvs64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	bot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	VirusShare_400eaafaa1acc6469cd2c32c309ab8e6.exe

Executes dropped EXE 5 IoCs

pid	Process
3024	xvs64.exe
3568	bot.exe
660	dfa32.exe
4476	irsetup.exe
4260	dfa32.exe

Loads dropped DLL 1 IoCs

pid	Process
4476	irsetup.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023445-38.dat	upx
behavioral2/memory/4476-48-0x0000000000400000-0x00000000007CB000-memory.dmp	upx
behavioral2/memory/4476-70-0x0000000000400000-0x00000000007CB000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dfa32.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dfa32.exe"	dfa32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 660 set thread context of 4260	660	dfa32.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3568	bot.exe
660	dfa32.exe
4476	irsetup.exe
4476	irsetup.exe
4476	irsetup.exe
4476	irsetup.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 3024	2140	VirusShare_400eaafaa1acc6469cd2c32c309ab8e6.exe	84
PID 2140 wrote to memory of 3024	2140	VirusShare_400eaafaa1acc6469cd2c32c309ab8e6.exe	84
PID 2140 wrote to memory of 3024	2140	VirusShare_400eaafaa1acc6469cd2c32c309ab8e6.exe	84
PID 2140 wrote to memory of 3568	2140	VirusShare_400eaafaa1acc6469cd2c32c309ab8e6.exe	86
PID 2140 wrote to memory of 3568	2140	VirusShare_400eaafaa1acc6469cd2c32c309ab8e6.exe	86
PID 2140 wrote to memory of 3568	2140	VirusShare_400eaafaa1acc6469cd2c32c309ab8e6.exe	86
PID 3024 wrote to memory of 660	3024	xvs64.exe	88
PID 3024 wrote to memory of 660	3024	xvs64.exe	88
PID 3024 wrote to memory of 660	3024	xvs64.exe	88
PID 3568 wrote to memory of 4476	3568	bot.exe	89
PID 3568 wrote to memory of 4476	3568	bot.exe	89
PID 3568 wrote to memory of 4476	3568	bot.exe	89
PID 660 wrote to memory of 4260	660	dfa32.exe	97
PID 660 wrote to memory of 4260	660	dfa32.exe	97
PID 660 wrote to memory of 4260	660	dfa32.exe	97
PID 660 wrote to memory of 4260	660	dfa32.exe	97
PID 660 wrote to memory of 4260	660	dfa32.exe	97
PID 660 wrote to memory of 4260	660	dfa32.exe	97
PID 660 wrote to memory of 4260	660	dfa32.exe	97
PID 660 wrote to memory of 4260	660	dfa32.exe	97
PID 660 wrote to memory of 4260	660	dfa32.exe	97
PID 660 wrote to memory of 4260	660	dfa32.exe	97
PID 660 wrote to memory of 4260	660	dfa32.exe	97
PID 660 wrote to memory of 4260	660	dfa32.exe	97
PID 660 wrote to memory of 4260	660	dfa32.exe	97

C:\Users\Admin\AppData\Local\Temp\VirusShare_400eaafaa1acc6469cd2c32c309ab8e6.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_400eaafaa1acc6469cd2c32c309ab8e6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\xvs64.exe
  "C:\Users\Admin\AppData\Local\Temp\xvs64.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Users\Admin\AppData\Local\Temp\dfa32.exe
    "C:\Users\Admin\AppData\Local\Temp\dfa32.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:660
  - - C:\Users\Admin\AppData\Local\Temp\dfa32.exe
      "C:\Users\Admin\AppData\Local\Temp\dfa32.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:4260
- C:\Users\Admin\AppData\Local\Temp\bot.exe
  "C:\Users\Admin\AppData\Local\Temp\bot.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1749498 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\bot.exe" "__IRCT:3" "__IRTSS:2621767" "__IRSID:S-1-5-21-3906287020-2915474608-1755617787-1000"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
1437d30476f86879af27aa3c4f5cf2ef

SHA1
cea48b9a0103cb60738fe23c2927c02880d7d954

SHA256
9a7bb59efdca3a44db5227ed2a501681e976ec53dce37934990c36b58d51e783

SHA512
41c17395e32949f11214295a4237a3e1f80b29a6299f79f7764b5990bff73434d3c60084461d872361fb275dca943a8a7fb770fd9d8d542b2cd3091e4d533ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
318KB

MD5
b5fc476c1bf08d5161346cc7dd4cb0ba

SHA1
280fac9cf711d93c95f6b80ac97d89cf5853c096

SHA256
12cb9b8f59c00ef40ea8f28bfc59a29f12dc28332bf44b1a5d8d6a8823365650

SHA512
17fa97f399287b941e958d2d42fe6adb62700b01d9dbe0c824604e8e06d903b330f9d7d8ffb109bfb7f6742f46e7e9cedad6981f0d94d629b8402d0a0174f697

Download Submit
C:\Users\Admin\AppData\Local\Temp\bot.exe

Filesize
2.5MB

MD5
2464b4bf0871616c933bfe12f5b2ab71

SHA1
561f70e457cb22fcbe344e4605be3ee9f2ddd606

SHA256
65bf4a5ab8bd9e351c01a2a45eec3062e39717e6dc4694ed7c1f7b54f3d38f75

SHA512
3cdbd672c92c0808e11197577564a53db1560065b45aa57aabe2a4df0c2c2aa93357762359d575a0bafb2750239dda26689d82135656e12ae749e85ccc1e400b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfa32.exe

Filesize
608KB

MD5
1790dec7069c9143438ed98609f92153

SHA1
af7901823025e64bc6e558e450e587ea6e0c9b8f

SHA256
99f99873260a11412f20a1807d555a002885da4e6621fdc2414868ee9037c8a6

SHA512
45322498696b45e0f2ca58322b8395a5a92727283fa1dfbbc5a97e84e5f0a879107dd129ce8bd465f402ae198f52492365aa867e10ebefb7e48dece140d5a9bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tbi61.dll

Filesize
24B

MD5
fc51503ffc90028454c44d27c3dde298

SHA1
460cea109c01f12bcc0ef1fb9a2fa5bd7d0b327b

SHA256
eaa98842aff6893c657906519683b6a63da8232f0013979191b39f56ad1b9f9f

SHA512
db07df5a182401c725e4ed275afbd2d0568d8e933cae1b1be5b63338a7843788eff0ce97881b4f363b1b25e107474821a477e0b2f0f9a951b3a1c65b51dd827e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xvs64.exe

Filesize
555KB

MD5
ec158de96c194ae61d0b409e6b1c396e

SHA1
e74dae683686475f7ab3bbe9467250e9260a3af0

SHA256
d04de16b873f59aed65983e58a7c36004278a4dde9bd0292d99aa4f4aaed404f

SHA512
44d4b3e795b650a1ac2258604a28e924f42fc8e99bdaa973da76bdef79a03bae7d244c78db7d0d3652d31c3c9698b6314e17b818b0f38343288d62883a0fbc94

Download Submit
memory/4260-64-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4260-66-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4260-71-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4476-48-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download
memory/4476-70-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads