89ed2ff188c84fc98fa5aec6914dc96d5e480bc6a1160050aa89cbbdd822e890

General

Target

3bfb0560881a2192e0e5822998cf9a90N.exe
Size

370KB
MD5

3bfb0560881a2192e0e5822998cf9a90
SHA1

3a06ebd6131a6b7e4005be6621cb3a0abe91e631
SHA256

89ed2ff188c84fc98fa5aec6914dc96d5e480bc6a1160050aa89cbbdd822e890
SHA512

73e9c6f30878277929d2271255b3a808316bd3cac353a402c24eea5be6b9ea023e8faff469dad75b2c44d2ab5116514d5239f97b0d03de916f471caf95e6663d
SSDEEP

6144:CuJkl8DV12C28tLN2/FkCOfHVm0fMaHftvCGCBhDOHjTPmXHk62pi/:CzGL2C2aZ2/F1WHHUaveOHjTe/

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3bfb0560881a2192e0e5822998cf9a90N.exeqoqug.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000\Control Panel\International\Geo\Nation	3bfb0560881a2192e0e5822998cf9a90N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000\Control Panel\International\Geo\Nation	qoqug.exe

Executes dropped EXE 2 IoCs

Processes:

qoqug.exejeodg.exe

pid process

4428 qoqug.exe
2016 jeodg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4428	qoqug.exe
2016	jeodg.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3bfb0560881a2192e0e5822998cf9a90N.exeqoqug.execmd.exejeodg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3bfb0560881a2192e0e5822998cf9a90N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qoqug.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jeodg.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

jeodg.exe

pid	process
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe
2016	jeodg.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3bfb0560881a2192e0e5822998cf9a90N.exeqoqug.exe

description	pid	process	target process
PID 5104 wrote to memory of 4428	5104	3bfb0560881a2192e0e5822998cf9a90N.exe	qoqug.exe
PID 5104 wrote to memory of 4428	5104	3bfb0560881a2192e0e5822998cf9a90N.exe	qoqug.exe
PID 5104 wrote to memory of 4428	5104	3bfb0560881a2192e0e5822998cf9a90N.exe	qoqug.exe
PID 5104 wrote to memory of 4888	5104	3bfb0560881a2192e0e5822998cf9a90N.exe	cmd.exe
PID 5104 wrote to memory of 4888	5104	3bfb0560881a2192e0e5822998cf9a90N.exe	cmd.exe
PID 5104 wrote to memory of 4888	5104	3bfb0560881a2192e0e5822998cf9a90N.exe	cmd.exe
PID 4428 wrote to memory of 2016	4428	qoqug.exe	jeodg.exe
PID 4428 wrote to memory of 2016	4428	qoqug.exe	jeodg.exe
PID 4428 wrote to memory of 2016	4428	qoqug.exe	jeodg.exe

C:\Users\Admin\AppData\Local\Temp\3bfb0560881a2192e0e5822998cf9a90N.exe
"C:\Users\Admin\AppData\Local\Temp\3bfb0560881a2192e0e5822998cf9a90N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Users\Admin\AppData\Local\Temp\qoqug.exe
  "C:\Users\Admin\AppData\Local\Temp\qoqug.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4428
- - C:\Users\Admin\AppData\Local\Temp\jeodg.exe
    "C:\Users\Admin\AppData\Local\Temp\jeodg.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
278B

MD5
63dac65e49c3d5c950d92037a21460a1

SHA1
8a344ccefb34634747379346a17af075add97c3f

SHA256
43951d7fb4735c2decbf40ca8656ff7f9917796c771943a0b4d7557157e4f355

SHA512
bc854428d78d962da9c0e11a0be84c4e607f5f5140c9acae30ec8d209e291ae3eedb3a79626d9ab7710223dc0bd1c256e962b09d14b015267467ecfdaa0f8a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0b08283183776ba7cf50ec259a29b001

SHA1
847af9b8bd24a0b437da3f151395d0df42ac0bcf

SHA256
8b3c3f2fe6ef6cc6ce99bc9099be1a1ef6bc2088e6d6198bb8ac9a4485183a44

SHA512
bab66a84315a60797fc25fb285018c349029093ec6b3dfa2cc40d59da0a80aaf1b9238d7b9a8c300c092e6332d9ece0ecf5949e014e1dc6c9bf526d209f79340

Download Submit
C:\Users\Admin\AppData\Local\Temp\jeodg.exe

Filesize
303KB

MD5
56b903e172f97a394c22b8c3f9156b9f

SHA1
96fae3f831b72ce6f857a277c5895dac59910846

SHA256
ad07c912b907722f30858919ec43633b072ba11df6607d367d0c62afad541bf0

SHA512
c16126465e34c1cc27525fc09c28dae07fa2229ef2495437cc519d1da80ca0e4505a936a132029bb22602539d1d8bbddc84232de7c3c33bfdcb6eba398ee0b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoqug.exe

Filesize
370KB

MD5
7467a7b0ade2656b1939fd3941429068

SHA1
7d0c12c5d34f68120e8d60b00c898acd01c51057

SHA256
a2b996c4e7136d40e42fbb11b74909719298b84305d24baace66777040a68eaf

SHA512
7edac92db49eb80bf5a3450fdc664e6b6fd5146b52173ed7024919a306d055342d5d34d107ce045cf0539663646d721cf05a447e38e3fda0cf49bfe2886b6b98

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads