a74f9cf6e8d54b8fe585946d9179b86d0caf9e382253ebc655d38c7c5579d995

General

Target

a74f9cf6e8d54b8fe585946d9179b86d0caf9e382253ebc655d38c7c5579d995.exe
Size

47KB
MD5

3606f787c7b05ec372ef77fe6eb2568c
SHA1

b4ee63d094424800d4c6be4c1baf1a4d0efd2ff8
SHA256

a74f9cf6e8d54b8fe585946d9179b86d0caf9e382253ebc655d38c7c5579d995
SHA512

07ebfa73d16b8e0dfc7c8d480c986baff7ac7655aae53f8f91479773815b560a3e5cfdd72047379d0d1e89d190cb3c02e10f437dd1d9cfdc44ef614a4c6684d8
SSDEEP

768:keLI9Sqhu9+8tuGKXGRRkwbRlgcXQVQWjSs1tZ8pdNmLUrcrsANsdM5T233UNM:NLI4qg9+Q/KMJqSsGpdNmLUIsWsdM5TI

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	a74f9cf6e8d54b8fe585946d9179b86d0caf9e382253ebc655d38c7c5579d995.exe

Executes dropped EXE 1 IoCs

pid	Process
1972	lckhost.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5012-0-0x0000000010000000-0x000000001000E000-memory.dmp	upx
behavioral2/memory/5012-3-0x0000000010000000-0x000000001000E000-memory.dmp	upx
behavioral2/memory/5012-6-0x0000000010000000-0x000000001000E000-memory.dmp	upx
behavioral2/memory/1972-12-0x0000000010000000-0x000000001000E000-memory.dmp	upx
behavioral2/memory/1972-13-0x0000000010000000-0x000000001000E000-memory.dmp	upx
behavioral2/memory/1972-15-0x0000000010000000-0x000000001000E000-memory.dmp	upx
behavioral2/memory/1972-17-0x0000000010000000-0x000000001000E000-memory.dmp	upx
behavioral2/memory/1972-18-0x0000000010000000-0x000000001000E000-memory.dmp	upx
behavioral2/memory/1972-20-0x0000000010000000-0x000000001000E000-memory.dmp	upx
behavioral2/memory/1972-22-0x0000000010000000-0x000000001000E000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Debug\lckhost.exe	a74f9cf6e8d54b8fe585946d9179b86d0caf9e382253ebc655d38c7c5579d995.exe
File opened for modification	C:\Windows\Debug\lckhost.exe	a74f9cf6e8d54b8fe585946d9179b86d0caf9e382253ebc655d38c7c5579d995.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	lckhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	lckhost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5012	a74f9cf6e8d54b8fe585946d9179b86d0caf9e382253ebc655d38c7c5579d995.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 3940	5012	a74f9cf6e8d54b8fe585946d9179b86d0caf9e382253ebc655d38c7c5579d995.exe	93
PID 5012 wrote to memory of 3940	5012	a74f9cf6e8d54b8fe585946d9179b86d0caf9e382253ebc655d38c7c5579d995.exe	93
PID 5012 wrote to memory of 3940	5012	a74f9cf6e8d54b8fe585946d9179b86d0caf9e382253ebc655d38c7c5579d995.exe	93

C:\Users\Admin\AppData\Local\Temp\a74f9cf6e8d54b8fe585946d9179b86d0caf9e382253ebc655d38c7c5579d995.exe
"C:\Users\Admin\AppData\Local\Temp\a74f9cf6e8d54b8fe585946d9179b86d0caf9e382253ebc655d38c7c5579d995.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\A74F9C~1.EXE > nul
  2⤵
  PID:3940

C:\Windows\Debug\lckhost.exe
C:\Windows\Debug\lckhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2900,i,17325488789339133686,9539570259395798500,262144 --variations-seed-version --mojo-platform-channel-handle=2792 /prefetch:8
1⤵
PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\debug\lckhost.exe

Filesize
47KB

MD5
daf5524efa28efd93a964331d4656da3

SHA1
05a00bc80ed45e9105ac36ebddc0601ab6cd85ad

SHA256
4c507f765a72535d6cd131d2e21744b4cb2af269c74ab0690268b3b03f3760fb

SHA512
19dccc2ecae3c09c5765cf8d31428e6e8aaafa3bf23f9d01d36bdce46213a4380c7db7209f489bdf3c6adb758f87fa4aa60595fc91a246812d98ef295999ac70

Download Submit
memory/1972-12-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/1972-13-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/1972-15-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/1972-17-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/1972-18-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/1972-20-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/1972-22-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/5012-0-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/5012-3-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/5012-6-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads