c380b2ac82a41280d6012ed3ac6f9dbfedb368654bceab44908fc2b032b347db

General

Target

totest.exe
Size

413KB
MD5

2a4ce25b9e95d63400032b1b1226c525
SHA1

68c709289b003567cf5df50ab3f36093eb9581d6
SHA256

c380b2ac82a41280d6012ed3ac6f9dbfedb368654bceab44908fc2b032b347db
SHA512

f93b1c9c46f8ae70da3ca9a1b0cb4083ed38cb16d57f08b7099046c080b8c40011cb2946c7fcc6d4520d783e1364f0d05cf9039c1f8ef09431ba4f148bdf5184
SSDEEP

6144:R/cEoPEMzHkY2Qbq8MPEM6qCGdCPEMCGdU:DoPp56ZPVCGsP4GW

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
2832	taskkill.exe
3400	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2832	taskkill.exe
Token: SeDebugPrivilege	3400	taskkill.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 4852	1388	totest.exe	85
PID 1388 wrote to memory of 4852	1388	totest.exe	85
PID 1388 wrote to memory of 4852	1388	totest.exe	85
PID 4852 wrote to memory of 2832	4852	cmd.exe	88
PID 4852 wrote to memory of 2832	4852	cmd.exe	88
PID 4852 wrote to memory of 2832	4852	cmd.exe	88
PID 4852 wrote to memory of 2492	4852	cmd.exe	90
PID 4852 wrote to memory of 2492	4852	cmd.exe	90
PID 4852 wrote to memory of 2492	4852	cmd.exe	90
PID 2492 wrote to memory of 4780	2492	cmd.exe	97
PID 2492 wrote to memory of 4780	2492	cmd.exe	97
PID 2492 wrote to memory of 4780	2492	cmd.exe	97
PID 2492 wrote to memory of 3588	2492	cmd.exe	98
PID 2492 wrote to memory of 3588	2492	cmd.exe	98
PID 2492 wrote to memory of 3588	2492	cmd.exe	98
PID 2492 wrote to memory of 3400	2492	cmd.exe	99
PID 2492 wrote to memory of 3400	2492	cmd.exe	99
PID 2492 wrote to memory of 3400	2492	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\totest.exe
"C:\Users\Admin\AppData\Local\Temp\totest.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\totest_4a60a81b-4529-4e98-a6bf-1362ed4fd041\main.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K 0001.bat
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\totest_4a60a81b-4529-4e98-a6bf-1362ed4fd041\0002_vbs.vbs"
      4⤵
      PID:4780
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\totest_4a60a81b-4529-4e98-a6bf-1362ed4fd041\0001_vbs.vbs"
      4⤵
      PID:3588
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\totest_4a60a81b-4529-4e98-a6bf-1362ed4fd041\0001.bat

Filesize
125B

MD5
5437e077f1855369748c7ca34c0fb72c

SHA1
5229a3bae34d8050a295fcfaae90f548a442ae89

SHA256
090209b96510577480449088b0d3b8186ba523e513f8e59e61e1cdc2db745812

SHA512
f5fa3bdfeda412c9e3e776a24fa186ee973dfaa0465bb906cdf7c4fd0e53c59743200c60e7f18bf512cc1fc198e638196e740e6ae9d9ea53749ba15f4e69d92f

Download Submit
C:\Users\Admin\AppData\Local\Temp\totest_4a60a81b-4529-4e98-a6bf-1362ed4fd041\0001_vbs.vbs

Filesize
42B

MD5
73a3c82d3a28947341a6ec45bbf2f54c

SHA1
f2c34c096a8137f6f8fa0539be362b0b4c725ef4

SHA256
7c11248e28be3fed4d926c293db464be76a63445e4a9687b58527f902cd43ba1

SHA512
c122f9e720bdc9ff2f549f511768309ee35f8398928f52d77d53d61eb85c7887a3eed81a8749b187dc85e9c7ee615a5b9916cf6a6bf161e28c61c8737cf166ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\totest_4a60a81b-4529-4e98-a6bf-1362ed4fd041\0002_vbs.vbs

Filesize
2KB

MD5
b1e8bdcd80d0cd2802e68fda9d0d4782

SHA1
c27ffaf6876faf0c05078adde5209f3d694978a2

SHA256
828e1f187421b9bae5ed566ffaad4ead3508733e429aa237e9433a96b7192917

SHA512
1422a480bfb518d4e3286d9ca1d4e96d2c6ffff1ac930f4ff6425f535f197efe80342a2169aa4a3686fcbed3b3d5b2ad00df6b333b89ebc20245559bb202aa0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\totest_4a60a81b-4529-4e98-a6bf-1362ed4fd041\main.bat

Filesize
389B

MD5
8e11715f069645d6125bba5ccaf78086

SHA1
6ecc2637654a8abf38c269a30e05d0d2a3d81304

SHA256
e03fe87ec7d94955a53185fc25f43450d8ae5139c085c01992bf21c81ef04b4d

SHA512
7565ba48b26818adbc5935cca445398939f5c58ce256761ef918081b7845b06c38c9c30ca37d27b6bad01e7551aa22a1461d85bc92faf43bb7b306d6addf81f7

Download Submit
memory/1388-0-0x000000007501E000-0x000000007501F000-memory.dmp

Filesize
4KB

Download
memory/1388-1-0x0000000000B90000-0x0000000000BDA000-memory.dmp

Filesize
296KB

Download
memory/1388-2-0x00000000030F0000-0x0000000003114000-memory.dmp

Filesize
144KB

Download
memory/1388-3-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download
memory/1388-4-0x0000000005B40000-0x00000000060E4000-memory.dmp

Filesize
5.6MB

Download
memory/1388-19-0x000000007501E000-0x000000007501F000-memory.dmp

Filesize
4KB

Download
memory/1388-20-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing