2f175dac5c8571e586722f6927b0112af22637a17efb3acfd78e813a804a38f8

General

Target

win32.exe
Size

386KB
MD5

f9bb6ef02f29f52ff126279ff7d044bb
SHA1

5b68f1745d92d32a1e64ef3ace6640c5fbfeb254
SHA256

2f175dac5c8571e586722f6927b0112af22637a17efb3acfd78e813a804a38f8
SHA512

86a6c71dca30b5a6dc54cdc262318bbae1f16ba5f3e701d6d84adf8ddda265d178ddf7b72753e491a46d4fe043c2b7f9919f1be25a6f4fa0bc72ad193b0ca153
SSDEEP

3072:H1sSJApTSnQU/x0ImhuDzHfs4zbYOjujDRfygDgKQINXLLHIaKlay8weCycJ5DfS:H1sSmRIt/xhtsOju1DH5NXnIKAc

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2700	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	win32.exe

Executes dropped EXE 2 IoCs

pid	Process
1580	Svchost.exe
2296	System32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2296	System32.exe
2700	powershell.exe
2700	powershell.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2296	System32.exe
Token: SeIncreaseQuotaPrivilege	2296	System32.exe
Token: SeSecurityPrivilege	2296	System32.exe
Token: SeTakeOwnershipPrivilege	2296	System32.exe
Token: SeLoadDriverPrivilege	2296	System32.exe
Token: SeSystemProfilePrivilege	2296	System32.exe
Token: SeSystemtimePrivilege	2296	System32.exe
Token: SeProfSingleProcessPrivilege	2296	System32.exe
Token: SeIncBasePriorityPrivilege	2296	System32.exe
Token: SeCreatePagefilePrivilege	2296	System32.exe
Token: SeBackupPrivilege	2296	System32.exe
Token: SeRestorePrivilege	2296	System32.exe
Token: SeShutdownPrivilege	2296	System32.exe
Token: SeDebugPrivilege	2296	System32.exe
Token: SeSystemEnvironmentPrivilege	2296	System32.exe
Token: SeRemoteShutdownPrivilege	2296	System32.exe
Token: SeUndockPrivilege	2296	System32.exe
Token: SeManageVolumePrivilege	2296	System32.exe
Token: 33	2296	System32.exe
Token: 34	2296	System32.exe
Token: 35	2296	System32.exe
Token: 36	2296	System32.exe
Token: SeDebugPrivilege	2700	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 1580	4364	win32.exe	83
PID 4364 wrote to memory of 1580	4364	win32.exe	83
PID 4364 wrote to memory of 2296	4364	win32.exe	84
PID 4364 wrote to memory of 2296	4364	win32.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\win32.exe
"C:\Users\Admin\AppData\Local\Temp\win32.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4364
- C:\ProgramData\Svchost.exe
  "C:\ProgramData\Svchost.exe"
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\ProgramData\System32.exe
  "C:\ProgramData\System32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -File C:\Users\Public\updates.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft.Win32.TaskScheduler.dll

Filesize
326KB

MD5
a844ac745a4005fbd3f51d79ff88583c

SHA1
92671774fd4be9781a77d2788a8dddbf8981ead5

SHA256
74fe1a6a1e36be7d893e31bbb4d4bd83bf4b927e715276cd5607982139818ebd

SHA512
5f0734058d9146ffeb552abf443df5097cf134a4737bed499467830e08d97f5d1996c1f1647c5c12289ca4d4209effd480010afebc59d50290d4ca7d45bb41f8

Download Submit
C:\ProgramData\Svchost.exe

Filesize
330KB

MD5
bdd3d30ea4bc94d1240ea75f1aa212eb

SHA1
f994ffb94690263047c5227cc8b65d3ab3345ba7

SHA256
00b7a0f1b18c5dd1f4d469a8c6997198fd7f471e94d6a6ba70d79fd165f44888

SHA512
3a039b360581d7d2204dfff546d08b2a5ec36d78f9572730d9a707fe35925c8451d505fbb19f9c9d9861f3e5aea9ae4b52ae0031e109721d57f55a62b1b691b8

Download Submit
C:\ProgramData\System32.exe

Filesize
51KB

MD5
f52616c47b243f3373248ed2a5f49e1c

SHA1
d601cad06d6ccb0e52dabe8d34ae5f1cfd463000

SHA256
3b24abf5671a93c15eca052fd28555e561dfe625962b2dbe733d7f717467a3a8

SHA512
9435df5be1594667eaa988115b8d712abb0766e0e90330d2fa99ce76cfdc6272cb65a6c922278bb265c8e2127e755f5aadbfa2481ee009f105ff222d12f07cc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1h3sekof.nym.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\updates.ps1

Filesize
43KB

MD5
d9a4b64d20c6860f12b6da0ecd53983a

SHA1
b3e8c9479370807c009bfb8ba46566a3e3e0893d

SHA256
2e5ddfeff91ad3ba0ea2446912cef3b7f2b905cb3eb9f3d3ea51f512a13b53ad

SHA512
10afb3130e4fb0af1a4efb618ed70f017fde98091927dd23a82fb8c228ea78b1ea6b1b644e4c2d733e21d8f152ec89fac11938d1d9ec38558a8319922ee2e6b3

Download Submit
memory/1580-15-0x0000000000610000-0x0000000000668000-memory.dmp

Filesize
352KB

Download
memory/1580-20-0x00007FF8A2690000-0x00007FF8A2959000-memory.dmp

Filesize
2.8MB

Download
memory/1580-19-0x00007FF8A2690000-0x00007FF8A2959000-memory.dmp

Filesize
2.8MB

Download
memory/2296-33-0x00000000029B0000-0x0000000002A08000-memory.dmp

Filesize
352KB

Download
memory/2296-31-0x0000000000750000-0x0000000000764000-memory.dmp

Filesize
80KB

Download
memory/2296-46-0x0000000002A10000-0x0000000002A32000-memory.dmp

Filesize
136KB

Download
memory/4364-0-0x0000000000320000-0x0000000000386000-memory.dmp

Filesize
408KB

Download
memory/4364-50-0x00007FF8A2690000-0x00007FF8A2959000-memory.dmp

Filesize
2.8MB

Download
memory/4364-4-0x00007FF8A2690000-0x00007FF8A2959000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing