99262ab91de9e9ddcab93e1f3f67cf356cbdb11bff959a05a51abbe1562f2366

General

Target

PID.Key.Checker.zip
Size

9.8MB
MD5

d9ce6a2a781ad9f9a8af3ba4be5b6a97
SHA1

af930244881612133104d8a717242542c739f44a
SHA256

99262ab91de9e9ddcab93e1f3f67cf356cbdb11bff959a05a51abbe1562f2366
SHA512

d24ec5d172528585a56f9f9fc609bd31b0d5552bf671ea6fb28a29c61caa9c4cbd94415a80cc4417672cf11425b86d15de03e038ddc5fca832cc707e6e152608
SSDEEP

196608:ZurEAMcmPIaPhnCxylwa+0YAmH+BI5/kIhEHR+IfMlUBcf0+DgagAos0apc8:Zur9MIqqtH++9ex7fMlUY0+7tS8

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
16	raw.githubusercontent.com

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PID Key Checker.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1708	PID Key Checker.exe
Token: SeDebugPrivilege	1920	wyUpdate.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1920	1708	PID Key Checker.exe	84
PID 1708 wrote to memory of 1920	1708	PID Key Checker.exe	84
PID 1708 wrote to memory of 4036	1708	PID Key Checker.exe	85
PID 1708 wrote to memory of 4036	1708	PID Key Checker.exe	85

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\PID.Key.Checker.zip
1⤵
PID:1424

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4528

C:\Users\Admin\Desktop\PID Key Checker\PID Key Checker.exe
"C:\Users\Admin\Desktop\PID Key Checker\PID Key Checker.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\Desktop\PID Key Checker\wyUpdate.exe
  "C:\Users\Admin\Desktop\PID Key Checker\wyUpdate.exe" /autoupdate
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Users\Admin\Desktop\PID Key Checker\wyUpdate.exe
  "C:\Users\Admin\Desktop\PID Key Checker\wyUpdate.exe" /autoupdate
  2⤵
  PID:4036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0

Filesize
398B

MD5
58b38f2b5b8eff639900cbfca3ceb001

SHA1
76b917824de907120127e08e7aab631bc182aba5

SHA256
2f6822bc29628f5583a547b7ba86d0d70dba575ccefdfe9420e8a30e88749a73

SHA512
a7f016418231fa1f01d90215ca3d646412b0c63b11226713f9e45ea37e9fb5064b965e5445c11bedfd95b0e521e1f88279f2c1d808a8fdc8ed4d6ac766dae7ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\wyUpdate.exe.log

Filesize
676B

MD5
19a93ca347765b8cef3fe87a04475803

SHA1
2b9cfda76809742c687f5a17c18ad66e95d80090

SHA256
ecbcd5ba35492c90361d8d5bcbe90666502684227946c0e7692603ca308e73fb

SHA512
373c4f998989a7a6d193651ec432904f93d101914f069590329311a767c18b56312b3459a1f6e8742126d40bba9f54075f54c6847e9c6892ee49b8b66e558972

Download Submit
memory/1708-12-0x0000000005AA0000-0x0000000005ABA000-memory.dmp

Filesize
104KB

Download
memory/1708-14-0x0000000007410000-0x0000000007428000-memory.dmp

Filesize
96KB

Download
memory/1708-5-0x0000000005FF0000-0x0000000005FFA000-memory.dmp

Filesize
40KB

Download
memory/1708-6-0x0000000073200000-0x00000000738EE000-memory.dmp

Filesize
6.9MB

Download
memory/1708-7-0x00000000062B0000-0x0000000006306000-memory.dmp

Filesize
344KB

Download
memory/1708-8-0x0000000006380000-0x00000000063E6000-memory.dmp

Filesize
408KB

Download
memory/1708-9-0x0000000006F20000-0x0000000006F5A000-memory.dmp

Filesize
232KB

Download
memory/1708-10-0x0000000006F60000-0x00000000072EA000-memory.dmp

Filesize
3.5MB

Download
memory/1708-11-0x0000000008460000-0x00000000089BE000-memory.dmp

Filesize
5.4MB

Download
memory/1708-0-0x000000007320E000-0x000000007320F000-memory.dmp

Filesize
4KB

Download
memory/1708-13-0x0000000008B00000-0x0000000008B5A000-memory.dmp

Filesize
360KB

Download
memory/1708-4-0x00000000060F0000-0x0000000006182000-memory.dmp

Filesize
584KB

Download
memory/1708-3-0x00000000065F0000-0x0000000006AEE000-memory.dmp

Filesize
5.0MB

Download
memory/1708-1-0x0000000000CB0000-0x000000000166E000-memory.dmp

Filesize
9.7MB

Download
memory/1708-2-0x0000000006050000-0x00000000060EC000-memory.dmp

Filesize
624KB

Download
memory/1708-54-0x0000000073200000-0x00000000738EE000-memory.dmp

Filesize
6.9MB

Download
memory/1708-53-0x000000007320E000-0x000000007320F000-memory.dmp

Filesize
4KB

Download
memory/1920-44-0x000000001E3E0000-0x000000001E400000-memory.dmp

Filesize
128KB

Download
memory/1920-43-0x000000001B8C0000-0x000000001B8C8000-memory.dmp

Filesize
32KB

Download
memory/1920-42-0x000000001CDD0000-0x000000001CE6C000-memory.dmp

Filesize
624KB

Download
memory/1920-41-0x000000001C900000-0x000000001CDCE000-memory.dmp

Filesize
4.8MB

Download

Analysis

Sharing