9dc40de55004b14f10d73b7e0144c5afb96fbd378fa23feb61b367547475bfa1

General

Target

9dc40de55004b14f10d73b7e0144c5afb96fbd378fa23feb61b367547475bfa1.exe
Size

1.3MB
MD5

429ec7b22ce32038a4c53b6050919dcb
SHA1

1f6d11db962902a4db78959456d7cb873ebc5ce6
SHA256

9dc40de55004b14f10d73b7e0144c5afb96fbd378fa23feb61b367547475bfa1
SHA512

1aa1b27ba75caf464be404b55eb9541f5ea215d51e289539f341a4899c192f4bc519c184c1d47934645ac45e8a7f02dc438262e8f40b5cb12cfe22bfbcaf995a
SSDEEP

24576:XwmTqcEAKYF+dXVKtV6pKsHO7jh4ZK9X64J0DPbJWhQsQ6C:XwmucEgEKtV6phYjJ7OPFWhDC

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	9dc40de55004b14f10d73b7e0144c5afb96fbd378fa23feb61b367547475bfa1.exe

Executes dropped EXE 1 IoCs

pid	Process
2124	v.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3500-0-0x0000000000400000-0x000000000071A000-memory.dmp	upx
behavioral2/memory/3500-4-0x0000000000400000-0x000000000071A000-memory.dmp	upx
behavioral2/memory/3500-6-0x0000000000400000-0x000000000071A000-memory.dmp	upx
behavioral2/memory/3500-12-0x0000000000400000-0x000000000071A000-memory.dmp	upx
behavioral2/memory/3500-22-0x0000000000400000-0x000000000071A000-memory.dmp	upx
behavioral2/memory/3500-34-0x0000000000400000-0x000000000071A000-memory.dmp	upx
behavioral2/memory/3500-36-0x0000000000400000-0x000000000071A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9dc40de55004b14f10d73b7e0144c5afb96fbd378fa23feb61b367547475bfa1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings	9dc40de55004b14f10d73b7e0144c5afb96fbd378fa23feb61b367547475bfa1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3500	9dc40de55004b14f10d73b7e0144c5afb96fbd378fa23feb61b367547475bfa1.exe
3500	9dc40de55004b14f10d73b7e0144c5afb96fbd378fa23feb61b367547475bfa1.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3500	9dc40de55004b14f10d73b7e0144c5afb96fbd378fa23feb61b367547475bfa1.exe
3500	9dc40de55004b14f10d73b7e0144c5afb96fbd378fa23feb61b367547475bfa1.exe
4152	hh.exe
4152	hh.exe
3448	hh.exe
3448	hh.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3500 wrote to memory of 4920	3500	9dc40de55004b14f10d73b7e0144c5afb96fbd378fa23feb61b367547475bfa1.exe	84
PID 3500 wrote to memory of 4920	3500	9dc40de55004b14f10d73b7e0144c5afb96fbd378fa23feb61b367547475bfa1.exe	84
PID 3500 wrote to memory of 4920	3500	9dc40de55004b14f10d73b7e0144c5afb96fbd378fa23feb61b367547475bfa1.exe	84
PID 4920 wrote to memory of 4484	4920	cmd.exe	86
PID 4920 wrote to memory of 4484	4920	cmd.exe	86
PID 4920 wrote to memory of 4484	4920	cmd.exe	86
PID 3500 wrote to memory of 2124	3500	9dc40de55004b14f10d73b7e0144c5afb96fbd378fa23feb61b367547475bfa1.exe	102
PID 3500 wrote to memory of 2124	3500	9dc40de55004b14f10d73b7e0144c5afb96fbd378fa23feb61b367547475bfa1.exe	102
PID 3500 wrote to memory of 2124	3500	9dc40de55004b14f10d73b7e0144c5afb96fbd378fa23feb61b367547475bfa1.exe	102

C:\Users\Admin\AppData\Local\Temp\9dc40de55004b14f10d73b7e0144c5afb96fbd378fa23feb61b367547475bfa1.exe
"C:\Users\Admin\AppData\Local\Temp\9dc40de55004b14f10d73b7e0144c5afb96fbd378fa23feb61b367547475bfa1.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Public\xiaodaxzqxia\n.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4484
- C:\Users\Public\xiaodaxzqxia\v.exe
  "C:\Users\Public\xiaodaxzqxia\v.exe" -o -d C:\Users\Public\xiaodaxzqxia C:\Users\Public\xiaodaxzqxia\111
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2124

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1500

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\8288436849828078\A11.chm
1⤵
- Suspicious use of SetWindowsHookEx
PID:4152

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\8288436849828078\A11.chm
1⤵
- Suspicious use of SetWindowsHookEx
PID:3448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\HTML Help\hh.dat

Filesize
8KB

MD5
736b813edca7d1f729c2ca7aa22222bd

SHA1
f8097b4d0f994083f4c601bb3aa354ae5f9102e0

SHA256
ac13d372fae26f64681af6e3de79a253b24de113225f81e342c4efd6fabab3d2

SHA512
0e9831c33b84d9aaffeef92e0fdab8cc1eba4db77f6daf259971388c94f784de2e77413a09cc7270057a493982b67fc629e65f4d769aff53dd8d3f3010d18be6

Download Submit
C:\Users\Public\cxzvasdfg\8288436849828078\A11.chm

Filesize
11KB

MD5
db7961bf21e69e9cdbbfbc5357b6ae84

SHA1
6b43da6f1a502cc3ede9a46a71536e79335e3169

SHA256
49c7fc9d58e588bdcac23d7d576b699d49d5497de8afcb73be23cab89edf3b0e

SHA512
e0c7f502e60c9a15d407416645266614dd1e29c42c4711f1f3e10bd0de4c2404994fc71d3cb73a5ca56977afdf36f96c4e60b2bccce7459a1988877f197312f8

Download Submit
C:\Users\Public\xiaodaxzqxia\n.bat

Filesize
263B

MD5
c7d8b33e05722104d63de564a5d92b01

SHA1
fd703f1c71ac1dae65dc34f3521854604cec8091

SHA256
538ce88a3eed5a98c6a021a4c541080c5cfb652962f37da620e35b537513317a

SHA512
54a80fc6ad3f08743dc1655c379de79f9496086a9a18f4716fc9a9d6a6fe4fd527dd4ac099c57408090b73903c64fa38d4723783708068878aa6e18c6cc0d08e

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe

Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
memory/2124-21-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3500-0-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/3500-4-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/3500-6-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/3500-12-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/3500-22-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/3500-34-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/3500-36-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing