c8f3a93567b321f2c1eb3ef0bdd32fd0e2e47687a84519bb710587dec34161bf

General

Target

winzip28-p003.exe
Size

2.8MB
MD5

4dc14456b4b6e43eebbcd5c397f5dc38
SHA1

c138810ed1da1098b901643ebe9b75dd519f1b41
SHA256

c8f3a93567b321f2c1eb3ef0bdd32fd0e2e47687a84519bb710587dec34161bf
SHA512

106bffe84d43d2deb7e7aab59fc3df12ddf0c81dea10fea1a1467b2e238caf17b60262087d62f727b63c8d56b4f89fafc4c463c391a8db316719271ab0ca9579
SSDEEP

49152:c9vgPi4Lp+1+zV9c9S7J5/iR7B/3blLYSNVMaxY3Y9fkHu+bHqEg:CbCpEYV9uSF5/mt/Ll5xY3gkHu+bHjg

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	winzip28-p003.exe

Executes dropped EXE 1 IoCs

pid	Process
1616	winzip28-p003.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5032	1616	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winzip28-p003.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winzip28-p003.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1616	1388	winzip28-p003.exe	84
PID 1388 wrote to memory of 1616	1388	winzip28-p003.exe	84
PID 1388 wrote to memory of 1616	1388	winzip28-p003.exe	84

C:\Users\Admin\AppData\Local\Temp\winzip28-p003.exe
"C:\Users\Admin\AppData\Local\Temp\winzip28-p003.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Local\Temp\e57ab53\winzip28-p003.exe
  run=1 shortcut="C:\Users\Admin\AppData\Local\Temp\winzip28-p003.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1616
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 2036
    3⤵
    - Program crash
    PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1616 -ip 1616
1⤵
PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e57ab53\winzip28-p003.exe

Filesize
2.8MB

MD5
4dc14456b4b6e43eebbcd5c397f5dc38

SHA1
c138810ed1da1098b901643ebe9b75dd519f1b41

SHA256
c8f3a93567b321f2c1eb3ef0bdd32fd0e2e47687a84519bb710587dec34161bf

SHA512
106bffe84d43d2deb7e7aab59fc3df12ddf0c81dea10fea1a1467b2e238caf17b60262087d62f727b63c8d56b4f89fafc4c463c391a8db316719271ab0ca9579

Download Submit
C:\Users\Admin\AppData\Local\Temp\e57acf9\Load.html

Filesize
2KB

MD5
1757c2d0841f85052f85d8d3cd03a827

SHA1
801b085330505bad85e7a5af69e6d15d962a7c3a

SHA256
3cf5674efaaf74beccd16d1b9bcf3ffb35c174d6d93375bc532b46d9b4b4ed35

SHA512
4a12a55aac846f137c18849302e74d34df70ea5aaff78d57fce05b4776bedcde9e1b1032734e29650bcbac3e6932dfef75d97931443446a23e21cf5b3072dd9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e57acf9\common\js\common.js

Filesize
45KB

MD5
87daf84c22986fa441a388490e2ed220

SHA1
4eede8fb28a52e124261d8f3b10e6a40e89e5543

SHA256
787f5c13eac01bd8bbce329cc32d2f03073512e606b158e3fff07de814ea7f23

SHA512
af72a1d3757bd7731fa7dc3f820c0619e42634169643d786da5cce0c9b0d4babd4f7f57b12371180204a42fec6140a2cff0c13b37d183c9d6bbaeb8f5ce25e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\e57acf9\common\js\external.js

Filesize
36B

MD5
140918feded87fe0a5563a4080071258

SHA1
9a45488c130eba3a9279393d27d4a81080d9b96a

SHA256
25df7ab9509d4e8760f1fdc99684e0e72aac6e885cbdd3396febc405ea77e7f6

SHA512
56f5771db6f0f750ae60a1bb04e187a75fbee1210e1381831dcc2d9d0d4669ef4e58858945c1d5935e1f2d2f2e02fe4d2f08dd2ab27a14be10280b2dd4d8a7c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e57acf9\common\js\jquery-1.11.2.min.js

Filesize
93KB

MD5
5790ead7ad3ba27397aedfa3d263b867

SHA1
8130544c215fe5d1ec081d83461bf4a711e74882

SHA256
2ecd295d295bec062cedebe177e54b9d6b19fc0a841dc5c178c654c9ccff09c0

SHA512
781acedc99de4ce8d53d9b43a158c645eab1b23dfdfd6b57b3c442b11acc4a344e0d5b0067d4b78bb173abbded75fb91c410f2b5a58f71d438aa6266d048d98a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e57acf9\config\config.js

Filesize
5KB

MD5
34f8eb4ea7d667d961dccfa7cfd8d194

SHA1
80ca002efed52a92daeed1477f40c437a6541a07

SHA256
30c3d0e8bb3620fe243a75a10f23d83436ff4b15acb65f4f016258314581b73d

SHA512
b773b49c0bbd904f9f87b0b488ed38c23fc64b0bdd51ab78375a444ea656d929b3976808e715a62962503b0d579d791f9a21c45a53038ed7ae8263bd63bc0d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\e57acf9\config\installparams.js

Filesize
579B

MD5
4b6aa4b6b3e1c11b2c0ef1445b1cd44e

SHA1
88dfbf7c9740a9bdfe901051d637a70dc1623b13

SHA256
d6f625b463e68b6f2fc5ce9013a8ce8e4adabf98fcbe7f20f31ca707bc38aee5

SHA512
fbf0efd09ce95c427b260d37dc904d9beee16ae804df6ba19ff16672822099c27ad1ef5e54dc36dafbd950547e840eaf68f28260f845234eddc44624afbbc238

Download Submit
C:\Users\Admin\AppData\Local\Temp\e57acf9\config\stubparams.js

Filesize
37KB

MD5
91f6304d426d676ec9365c3e1ff249d5

SHA1
05a3456160862fbaf5b4a96aeb43c722e0a148da

SHA256
823f4f8dfe55d3ce894308122d6101fed1b8ef1eb8e93101945836655b2aed1b

SHA512
530f4fad6af5a0e600b037fcd094596652d2e3bf2f6d2ce465aae697ea90a361a0ffcc770c118102a0dd9bf12ab830ac6b459e57a268f435c88c049c127491f4

Download Submit

Analysis

Sharing