ad722314183b7cd89c167ae725db00cfe96e6904ed83b09b7a8c6175b3a18718

General

Target

d0954e44eeb388cc941041f532be31a0N.exe
Size

48KB
MD5

d0954e44eeb388cc941041f532be31a0
SHA1

8f77bc4b9a9f96a6d34690c0cb8d01a2ad0897cb
SHA256

ad722314183b7cd89c167ae725db00cfe96e6904ed83b09b7a8c6175b3a18718
SHA512

8c444803b2df06898249d114b6004055d88724bca44c2b44cccb0646b74cb3635b5f61748bb0c3f5d1bfc4d8d3cd68a3e00ff9b18549d83f8a2a78e1968a204b
SSDEEP

1536:yoMuwospyudrnMjVhDIP4ka3q3oaQOF4nouy8BX:DMcsEknMLDIFEOKoutBX

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	d0954e44eeb388cc941041f532be31a0N.exe

Executes dropped EXE 2 IoCs

pid	Process
1828	services.exe
2796	services.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3304-0-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/files/0x000a0000000233ac-16.dat	upx
behavioral2/memory/1828-28-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/3304-30-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/2796-33-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/1828-37-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/2796-38-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2796-39-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2796-40-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2796-43-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2796-48-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2796-51-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2796-52-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2796-54-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2796-58-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2796-61-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2796-63-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2796-66-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2796-70-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2796-72-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2796-75-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2796-78-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Essentials = "C:\\Users\\Admin\\AppData\\Roaming\\services.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Essentials = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Essentials = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe"	services.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1828 set thread context of 2796	1828	services.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d0954e44eeb388cc941041f532be31a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3304	d0954e44eeb388cc941041f532be31a0N.exe
1828	services.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3304 wrote to memory of 64	3304	d0954e44eeb388cc941041f532be31a0N.exe	86
PID 3304 wrote to memory of 64	3304	d0954e44eeb388cc941041f532be31a0N.exe	86
PID 3304 wrote to memory of 64	3304	d0954e44eeb388cc941041f532be31a0N.exe	86
PID 64 wrote to memory of 3780	64	cmd.exe	89
PID 64 wrote to memory of 3780	64	cmd.exe	89
PID 64 wrote to memory of 3780	64	cmd.exe	89
PID 3304 wrote to memory of 1828	3304	d0954e44eeb388cc941041f532be31a0N.exe	90
PID 3304 wrote to memory of 1828	3304	d0954e44eeb388cc941041f532be31a0N.exe	90
PID 3304 wrote to memory of 1828	3304	d0954e44eeb388cc941041f532be31a0N.exe	90
PID 1828 wrote to memory of 2796	1828	services.exe	91
PID 1828 wrote to memory of 2796	1828	services.exe	91
PID 1828 wrote to memory of 2796	1828	services.exe	91
PID 1828 wrote to memory of 2796	1828	services.exe	91
PID 1828 wrote to memory of 2796	1828	services.exe	91
PID 1828 wrote to memory of 2796	1828	services.exe	91
PID 1828 wrote to memory of 2796	1828	services.exe	91
PID 1828 wrote to memory of 2796	1828	services.exe	91

C:\Users\Admin\AppData\Local\Temp\d0954e44eeb388cc941041f532be31a0N.exe
"C:\Users\Admin\AppData\Local\Temp\d0954e44eeb388cc941041f532be31a0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PJDlG.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:64
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Microsoft Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\services.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:3780
- C:\Users\Admin\AppData\Roaming\services.exe
  "C:\Users\Admin\AppData\Roaming\services.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Users\Admin\AppData\Roaming\services.exe
    C:\Users\Admin\AppData\Roaming\services.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PJDlG.txt

Filesize
150B

MD5
30158d29e765707d6c1f38d4ea60f91b

SHA1
e02d5cc507e7f77c0a7f879e3596bd279ddf1f97

SHA256
c64a62b30b3ef9c2bb43438659cbbe1d57c1c762d4d58ebf9d188d409421e6f9

SHA512
2e72f9529063d74530cc29d04b92837496983d9417c91890ce8a616076889a13f0b1cd7954390b83a3e2e946696e4b7bbb4605b145ad5aa7904f051068ff5ff1

Download Submit
C:\Users\Admin\AppData\Roaming\services.txt

Filesize
48KB

MD5
4c529e0a62c7d10933668539d58c850b

SHA1
500b871f1df7f4402609401ecbcb6d3227a278c0

SHA256
210bf87458ea67fe7799504a1421d6d08a7d5e39ad8e34fb60680f100c2b9339

SHA512
46d971d18a26d0eb9e9651b826305fc081485fe205d0c76d54595b3b9d20226121a20e49a207560f13b4bf56decb4c926ea2e1792614ea8f66de1ebe44ff2202

Download Submit
memory/1828-37-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1828-28-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2796-43-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2796-52-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2796-78-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2796-38-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2796-39-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2796-40-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2796-75-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2796-48-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2796-51-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2796-33-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2796-54-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2796-58-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2796-61-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2796-63-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2796-66-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2796-70-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2796-72-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3304-0-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3304-30-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads