eb1048c44e92bd6b5da62643bb93eafb7b9012025c2ecd40fbf4cc42dbfeecf6

General

Target

b14368a184a60a4acb5a06a6b8d8e7c0N.exe
Size

1.3MB
MD5

b14368a184a60a4acb5a06a6b8d8e7c0
SHA1

b01723f549c9958f897daa63787a053ebe063b14
SHA256

eb1048c44e92bd6b5da62643bb93eafb7b9012025c2ecd40fbf4cc42dbfeecf6
SHA512

8b90b3579272767fbace23c7ecdcc7b88dada7a31055b6f482eb63eec50bf8bd251ae289f44c10eb04329ea6672743663f520d33283af4401f732119ed62cf5d
SSDEEP

24576:IArW/8hh0FQAq7c8nA7YMv3+DpBNPRI9ovlG4XozaEhptdF/fCGzeYVxXNVD8pVp:Ie0mfW3YNPRRlG4saIprdNy

Score

7^/10

persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	b14368a184a60a4acb5a06a6b8d8e7c0N.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk	b14368a184a60a4acb5a06a6b8d8e7c0N.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3972-0-0x0000000000400000-0x0000000000554000-memory.dmp	upx
behavioral2/files/0x0009000000023428-11.dat	upx
behavioral2/memory/3972-16-0x0000000000400000-0x0000000000554000-memory.dmp	upx
behavioral2/memory/3972-19-0x0000000000400000-0x0000000000554000-memory.dmp	upx
behavioral2/memory/3972-22-0x0000000000400000-0x0000000000554000-memory.dmp	upx
behavioral2/memory/3972-26-0x0000000000400000-0x0000000000554000-memory.dmp	upx
behavioral2/memory/3972-29-0x0000000000400000-0x0000000000554000-memory.dmp	upx
behavioral2/memory/3972-32-0x0000000000400000-0x0000000000554000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe"	b14368a184a60a4acb5a06a6b8d8e7c0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings	b14368a184a60a4acb5a06a6b8d8e7c0N.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3972	b14368a184a60a4acb5a06a6b8d8e7c0N.exe
3972	b14368a184a60a4acb5a06a6b8d8e7c0N.exe
3972	b14368a184a60a4acb5a06a6b8d8e7c0N.exe
3972	b14368a184a60a4acb5a06a6b8d8e7c0N.exe
3972	b14368a184a60a4acb5a06a6b8d8e7c0N.exe
3972	b14368a184a60a4acb5a06a6b8d8e7c0N.exe
3972	b14368a184a60a4acb5a06a6b8d8e7c0N.exe
3972	b14368a184a60a4acb5a06a6b8d8e7c0N.exe
3972	b14368a184a60a4acb5a06a6b8d8e7c0N.exe
3972	b14368a184a60a4acb5a06a6b8d8e7c0N.exe
3972	b14368a184a60a4acb5a06a6b8d8e7c0N.exe
3972	b14368a184a60a4acb5a06a6b8d8e7c0N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3972	b14368a184a60a4acb5a06a6b8d8e7c0N.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3972	b14368a184a60a4acb5a06a6b8d8e7c0N.exe
3972	b14368a184a60a4acb5a06a6b8d8e7c0N.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3972 wrote to memory of 4852	3972	b14368a184a60a4acb5a06a6b8d8e7c0N.exe	86
PID 3972 wrote to memory of 4852	3972	b14368a184a60a4acb5a06a6b8d8e7c0N.exe	86
PID 3972 wrote to memory of 4852	3972	b14368a184a60a4acb5a06a6b8d8e7c0N.exe	86
PID 3972 wrote to memory of 2300	3972	b14368a184a60a4acb5a06a6b8d8e7c0N.exe	87
PID 3972 wrote to memory of 2300	3972	b14368a184a60a4acb5a06a6b8d8e7c0N.exe	87
PID 3972 wrote to memory of 2300	3972	b14368a184a60a4acb5a06a6b8d8e7c0N.exe	87

C:\Users\Admin\AppData\Local\Temp\b14368a184a60a4acb5a06a6b8d8e7c0N.exe
"C:\Users\Admin\AppData\Local\Temp\b14368a184a60a4acb5a06a6b8d8e7c0N.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:4852
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
2004bcee923b0e0222f4cab87c2c2a3d

SHA1
0a3c122b7cfe403403d913ecc1b328480b1bfc2a

SHA256
f92f08df2b65e2f5b5db141c99b098c8b077c0c853a1fd51bfcc6d40dc68ad77

SHA512
cae47a4dfdb942622ebca65d57e9d80c29cb299aa8c217983e34a51655c2e96ed26c7fa2fad978b6279ed4d3c8c0571e417c60152bf66a116f67d0fe38d6a445

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
722B

MD5
28047a09b5b8502d95e87151dc9cacbc

SHA1
bfcf468485e9bcf9e7add0e601f4d4e5af1ded60

SHA256
19a12ffd2157d1b5261d2b8d18c93c60a2eddb14742827a5db7494c24ab95e6b

SHA512
ade323d4584d64a2f07c14fe27a208039040cb829d6278650b3e77210ea7802eede775b17b134f324f767408c39daf8336faa851557b57bb246140ab5d05c9e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.3MB

MD5
6a9530d39a8a0bfb3d759933b3b6fa57

SHA1
52db8acd2aa434f7dbef28d7d9c4fa6cfd4dd455

SHA256
384cf60783287077a49877b8d64a530f05d4a0b52c6613f031ceb27515012871

SHA512
acf2fbe0ae2d30e8a6af5c4a536748243d36b60115dc5e0ddfc76ab1c21d9be48c262f86f3b36f9ab9880dd604f5a9f5d9ede6d181bdd6a62e3c98867930b19a

Download Submit
memory/3972-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3972-16-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3972-19-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3972-22-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3972-26-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3972-29-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3972-32-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads