e076e29b2797c152a5822bc07d5b547131ce88cd00c574c83f1b9a016fb2eddc

General

Target

Install windows 10 @KYROK638_ARSLANAILLAITI.exe
Size

8.1MB
MD5

20688ba84b5e8d5e24feaf02731146ea
SHA1

c2ab2d6c3ffda5464aadd5e42a9383b6eb75d30b
SHA256

e076e29b2797c152a5822bc07d5b547131ce88cd00c574c83f1b9a016fb2eddc
SHA512

e31f5e0aba8aa9032fa10a4a0dbfc42251cb771b5c17ae8c5e402a71a886b93d8a693168081df7b3893d992861b491bd7ee14723cccc365ce9d056aa36f3a7fa
SSDEEP

196608:yzA8aAkHlqLQnlYqXcRN6ElSOy4yAm6lXggDQKsCx/F+QeN:pakH/nlY5DTlSCyd6lbwQ+

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Install windows 10 @KYROK638_ARSLANAILLAITI.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4056	takeown.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\system32\logonui.exe	cmd.exe
File opened for modification	C:\Windows\system32\winlogon.exe	cmd.exe
File created	C:\Windows\system32\winlogon.exe	cmd.exe
File opened for modification	C:\Windows\system32\userinit.exe	cmd.exe
File created	C:\Windows\system32\userinit.exe	cmd.exe
File opened for modification	C:\Windows\system32\logonui.exe	cmd.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winlogon.exe	cmd.exe
File opened for modification	C:\Windows\explorer.exe	cmd.exe
File created	C:\Windows\explorer.exe	cmd.exe
File created	C:\Windows\winlogon.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install windows 10 @KYROK638_ARSLANAILLAITI.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4980	timeout.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
2788	taskkill.exe
1512	taskkill.exe
2916	taskkill.exe
4796	taskkill.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2788	taskkill.exe
Token: SeDebugPrivilege	1512	taskkill.exe
Token: SeDebugPrivilege	2916	taskkill.exe
Token: SeDebugPrivilege	4796	taskkill.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 5016	2028	Install windows 10 @KYROK638_ARSLANAILLAITI.exe	87
PID 2028 wrote to memory of 5016	2028	Install windows 10 @KYROK638_ARSLANAILLAITI.exe	87
PID 5016 wrote to memory of 2788	5016	cmd.exe	90
PID 5016 wrote to memory of 2788	5016	cmd.exe	90
PID 5016 wrote to memory of 1512	5016	cmd.exe	92
PID 5016 wrote to memory of 1512	5016	cmd.exe	92
PID 5016 wrote to memory of 2916	5016	cmd.exe	93
PID 5016 wrote to memory of 2916	5016	cmd.exe	93
PID 5016 wrote to memory of 4056	5016	cmd.exe	94
PID 5016 wrote to memory of 4056	5016	cmd.exe	94
PID 5016 wrote to memory of 4796	5016	cmd.exe	95
PID 5016 wrote to memory of 4796	5016	cmd.exe	95
PID 5016 wrote to memory of 3172	5016	cmd.exe	96
PID 5016 wrote to memory of 3172	5016	cmd.exe	96
PID 5016 wrote to memory of 4980	5016	cmd.exe	97
PID 5016 wrote to memory of 4980	5016	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\Install windows 10 @KYROK638_ARSLANAILLAITI.exe
"C:\Users\Admin\AppData\Local\Temp\Install windows 10 @KYROK638_ARSLANAILLAITI.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\85CA.tmp\85CB.tmp\85CC.bat "C:\Users\Admin\AppData\Local\Temp\Install windows 10 @KYROK638_ARSLANAILLAITI.exe""
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2788
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im userinit.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1512
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im logonui.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2916
- - C:\Windows\system32\takeown.exe
    takeown C:\Windows\system32\logonui.exe
    3⤵
    - Modifies file permissions
    PID:4056
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im winlogon.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4796
- - C:\Windows\system32\msg.exe
    msg * Please save all your data and pause your downloads... Windows will be rebooting in 20 seconds.
    3⤵
    PID:3172
- - C:\Windows\system32\timeout.exe
    timeout 20
    3⤵
    - Delays execution with timeout.exe
    PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\85CA.tmp\85CB.tmp\85CC.bat

Filesize
698B

MD5
5260ec6b408c120efe391c44dd1d1fbb

SHA1
792bcb2d6b88fbe2df174d6a18dea6d1a6666efa

SHA256
8f3d4a21d93515e7aee51e2b5977f2c92208a81f9abf307540fff6a07831fedd

SHA512
8d65f5b15f7b560c86752357759c5ba43d9889fe7f64bb8254d07f6fcdcbc15e4d1d7b628e9664e0ee3c2ed831125d11c80099af740679489e94b2077a67037c

Download Submit
C:\Users\Admin\AppData\Local\Temp\windows.exe

Filesize
18.6MB

MD5
aa2ad37bb74c05a49417e3d2f1bd89ce

SHA1
1bf5f814ffe801b4e6f118e829c0d2821d78a60a

SHA256
690c8a63769d444fad47b7ddecee7f24c9333aa735d0bd46587d0df5cf15cde5

SHA512
fab34ccbefbcdcec8f823840c16ae564812d0e063319c4eb4cc1112cf775b8764fea59d0bbafd4774d84b56e08c24056fa96f27425c4060e12eb547c2ae086cc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads