502eb20c38aeb460db5590ebb2de4b87efcc585be54662e40631e4da55d750b9

General

Target

502eb20c38aeb460db5590ebb2de4b87efcc585be54662e40631e4da55d750b9.exe
Size

4.7MB
MD5

ff0e34e6de60f85ced4c5b0c03439827
SHA1

a92625e7ef73e246b881cec734f93419d27339e2
SHA256

502eb20c38aeb460db5590ebb2de4b87efcc585be54662e40631e4da55d750b9
SHA512

febe06223e8b666a4fe9e9824a8362396bb208cb1e674fbad4c3e240a56e5901e7025c34a45f0ab07c690d4e0f644044b17f0933d591d33d4e9c8dfb4579c647
SSDEEP

98304:UCAv36FrjVzR9ymXUsRQrQZNSg7p4l+UWs4Xp7sKO+urmddl0T:hAvKd4mXoQZNS2Q1ep7Q+FK

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1000	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	502eb20c38aeb460db5590ebb2de4b87efcc585be54662e40631e4da55d750b9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
4124	C1A.installer.tmp

Loads dropped DLL 2 IoCs

pid	Process
3416	rundll32.exe
3416	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4124	C1A.installer.tmp

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3416 set thread context of 4124	3416	rundll32.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1000	powershell.exe
4124	C1A.installer.tmp
4124	C1A.installer.tmp
1000	powershell.exe
4124	C1A.installer.tmp
4124	C1A.installer.tmp
4124	C1A.installer.tmp
4124	C1A.installer.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1000	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 3416	4536	502eb20c38aeb460db5590ebb2de4b87efcc585be54662e40631e4da55d750b9.exe	83
PID 4536 wrote to memory of 3416	4536	502eb20c38aeb460db5590ebb2de4b87efcc585be54662e40631e4da55d750b9.exe	83
PID 3416 wrote to memory of 1000	3416	rundll32.exe	86
PID 3416 wrote to memory of 1000	3416	rundll32.exe	86
PID 3416 wrote to memory of 4124	3416	rundll32.exe	88
PID 3416 wrote to memory of 4124	3416	rundll32.exe	88
PID 3416 wrote to memory of 4124	3416	rundll32.exe	88
PID 3416 wrote to memory of 4124	3416	rundll32.exe	88
PID 3416 wrote to memory of 4124	3416	rundll32.exe	88
PID 3416 wrote to memory of 4124	3416	rundll32.exe	88
PID 3416 wrote to memory of 4124	3416	rundll32.exe	88
PID 3416 wrote to memory of 4124	3416	rundll32.exe	88
PID 3416 wrote to memory of 4124	3416	rundll32.exe	88
PID 3416 wrote to memory of 4124	3416	rundll32.exe	88
PID 3416 wrote to memory of 4124	3416	rundll32.exe	88
PID 3416 wrote to memory of 4124	3416	rundll32.exe	88
PID 3416 wrote to memory of 4124	3416	rundll32.exe	88
PID 3416 wrote to memory of 4124	3416	rundll32.exe	88
PID 3416 wrote to memory of 4124	3416	rundll32.exe	88
PID 3416 wrote to memory of 4124	3416	rundll32.exe	88
PID 4536 wrote to memory of 4208	4536	502eb20c38aeb460db5590ebb2de4b87efcc585be54662e40631e4da55d750b9.exe	89
PID 4536 wrote to memory of 4208	4536	502eb20c38aeb460db5590ebb2de4b87efcc585be54662e40631e4da55d750b9.exe	89

C:\Users\Admin\AppData\Local\Temp\502eb20c38aeb460db5590ebb2de4b87efcc585be54662e40631e4da55d750b9.exe
"C:\Users\Admin\AppData\Local\Temp\502eb20c38aeb460db5590ebb2de4b87efcc585be54662e40631e4da55d750b9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" installer.dll,tmp
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension ".tmp" -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1000
- - \??\c:\Users\Admin\AppData\Local\Temp\C1A.installer.tmp
    "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:4124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
  2⤵
  PID:4208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
300B

MD5
646f83251a5c2b3864d289e231906349

SHA1
a66231936a97769659e00a378b2276e0d6e46bf2

SHA256
985d829096fffca105ba76e27bd89dd3823667d2db85b5201fb217401b309013

SHA512
322aa3c3f57fa72b55a366fb0091e3b0a547826006fa113edfe383086747029412bc6cba33672436ed449f43d9ef203faeb3aa98cbe271f27468f27b9dd291d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.dll

Filesize
23.7MB

MD5
7c5edad99ef4a4ce602e48dcac4c084a

SHA1
99ee62c5819005bdd25f66548c5220b3db6cab44

SHA256
719558c1c3c1322c5d2772168503f33bed5a7b4a0ec86639cf72ea013d82d23d

SHA512
c4d87e960e718763de5872e2d89a4cb63de70e4ddccaccde11d1c4299df1b2a5cf1070757288a49ce88b47037d7122f26889c601335a4351a0df87456c2c17e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\C1A.installer.tmp

Filesize
1KB

MD5
86e26f7658c514baf3453610fafaf5df

SHA1
c3a50912b49eabb6356fbd34166937ca3097751e

SHA256
8a0182e016458b847d5b9504db227b70d79398bba2fc962e6cab117eb151315e

SHA512
c4dce4e127ae0fad24d6105a490db276e1dbf141e5c2ff3c350dddb01a8225f15fb33a9fcc697ccb928c239bfcb638fd004f59266628a194c79af50d6863dc78

Download Submit
C:\Users\Admin\AppData\Local\Temp\FAC.installer.tmp

Filesize
1KB

MD5
8122d448d2322529961de0814fb89c3a

SHA1
dcd169968152764b603181b10974173b770217dc

SHA256
ac8ea3b14aa67cf9392355cd2d4fe1e5ef59d62c295dba617e0fa3c61b07b3da

SHA512
e2282b92e5c93d09190eb79ae4df61cd882bdbb949dd6386dbeb36f70993db56a1f0069b5d6defb6a5a0926400e05084d25fb5355d8d6d9a9b91c2a7aebf95c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_plsmciey.qun.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1000-31-0x0000025DBECA0000-0x0000025DBECC2000-memory.dmp

Filesize
136KB

Download
memory/3416-11-0x0000000140000000-0x0000000141045000-memory.dmp

Filesize
16.3MB

Download
memory/3416-14-0x0000000140000000-0x0000000141045000-memory.dmp

Filesize
16.3MB

Download
memory/3416-8-0x00007FFA91BF0000-0x00007FFA91DE5000-memory.dmp

Filesize
2.0MB

Download
memory/3416-6-0x00007FFA91BF0000-0x00007FFA91DE5000-memory.dmp

Filesize
2.0MB

Download
memory/3416-27-0x00007FFA91BF0000-0x00007FFA91DE5000-memory.dmp

Filesize
2.0MB

Download
memory/3416-7-0x00007FFA91BF0000-0x00007FFA91DE5000-memory.dmp

Filesize
2.0MB

Download
memory/3416-5-0x00007FFA91C8D000-0x00007FFA91C8E000-memory.dmp

Filesize
4KB

Download
memory/3416-4-0x00007FFA73E60000-0x00007FFA7401D000-memory.dmp

Filesize
1.7MB

Download
memory/4124-20-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/4124-28-0x0000000140000000-0x0000000141045000-memory.dmp

Filesize
16.3MB

Download
memory/4124-45-0x0000000140000000-0x0000000141045000-memory.dmp

Filesize
16.3MB

Download

Resubmissions

Analysis

Sharing