10f71e75a12ebd9c46a7300ade56ef01b78cb9260106db8366981ce8ff51da0a

General

Target

10f71e75a12ebd9c46a7300ade56ef01b78cb9260106db8366981ce8ff51da0a.exe
Size

1.8MB
MD5

8e4a784ad9f02802fa001c32fffc058e
SHA1

5124cbeff4175001b21e5e9db8080cc8b80fb79c
SHA256

10f71e75a12ebd9c46a7300ade56ef01b78cb9260106db8366981ce8ff51da0a
SHA512

28e5f1d2d87c517bd6a74a9da13923d0b0630b8a4868c1db36491322537b4dd3f099ca08fa1441571a17e0d77d310f400ec1921b828e358af8ad665fc8fe5ca4
SSDEEP

49152:CgYAywWe/J8NO18A+ZxiaPQHQQTfdB9wY+rwSbUo:qAz5WOlUAaYHVTfKYAbU

Score

7^/10

defense_evasion

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	10f71e75a12ebd9c46a7300ade56ef01b78cb9260106db8366981ce8ff51da0a.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1564	powershell.exe
1564	powershell.exe
1564	powershell.exe
1564	powershell.exe
1564	powershell.exe
1564	powershell.exe
1564	powershell.exe
2012	powershell.exe
884	powershell.exe
884	powershell.exe
884	powershell.exe
2012	powershell.exe
2012	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	884	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 1564	4320	10f71e75a12ebd9c46a7300ade56ef01b78cb9260106db8366981ce8ff51da0a.exe	86
PID 4320 wrote to memory of 1564	4320	10f71e75a12ebd9c46a7300ade56ef01b78cb9260106db8366981ce8ff51da0a.exe	86
PID 1564 wrote to memory of 2020	1564	powershell.exe	88
PID 1564 wrote to memory of 2020	1564	powershell.exe	88
PID 1564 wrote to memory of 2012	1564	powershell.exe	101
PID 1564 wrote to memory of 2012	1564	powershell.exe	101
PID 1564 wrote to memory of 884	1564	powershell.exe	102
PID 1564 wrote to memory of 884	1564	powershell.exe	102

C:\Users\Admin\AppData\Local\Temp\10f71e75a12ebd9c46a7300ade56ef01b78cb9260106db8366981ce8ff51da0a.exe
"C:\Users\Admin\AppData\Local\Temp\10f71e75a12ebd9c46a7300ade56ef01b78cb9260106db8366981ce8ff51da0a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Windows\system32\windowspowershell\v1.0\powershell.exe
  "C:\Windows\system32\windowspowershell\v1.0\powershell.exe" -sta -noprofile -executionpolicy bypass -encodedcommand JAB4AD0AJwAwADkAYQAwAGQANgA3AGYALQAxADgAZgA4AC0ANAA3ADIANwAtAGIAMgBjAGUALQA5ADIAYQA1AGIAMgBhADkAYwBlAGQAZgAnADsAJAB5AD0AJwBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADEAMABmADcAMQBlADcANQBhADEAMgBlAGIAZAA5AGMANAA2AGEANwAzADAAMABhAGQAZQA1ADYAZQBmADAAMQBiADcAOABjAGIAOQAyADYAMAAxADAANgBkAGIAOAAzADYANgA5ADgAMQBjAGUAOABmAGYANQAxAGQAYQAwAGEALgBlAHgAZQAnADsAdAByAHkAIAB7AA0ACgAgACAAaQBmACAAKABbAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBWAGUAcgBzAGkAbwBuAC4ATQBhAGoAbwByACAALQBnAGUAIAA0ACkADQAKACAAIAB7ACAAJABuAHUAbABsACAAPQAgAFsAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBVAG4AcwBhAGYAZQBMAG8AYQBkAEYAcgBvAG0AKAAkAHkAKQAgAH0AIABlAGwAcwBlACAAewAgACQAbgB1AGwAbAAgAD0AIABbAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZABGAGkAbABlACgAJAB5ACkAfQANAAoAIAAgAC4AIAAoAFsAXwAzADIALgBfADgAOABdADoAOgBfADcANAAoACQAeAApACkADQAKACAAIABlAHgAaQB0ACAAJABMAEEAUwBUAEUAWABJAFQAQwBPAEQARQANAAoAfQAgAA0ACgBjAGEAdABjAGgAIABbAE4AbwB0AFMAdQBwAHAAbwByAHQAZQBkAEUAeABjAGUAcAB0AGkAbwBuAF0ADQAKAHsADQAKACAAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAAJwBBAHAAcABsAGkAYwBhAHQAaQBvAG4AIABsAG8AYwBhAHQAaQBvAG4AIABpAHMAIAB1AG4AdAByAHUAcwB0AGUAZAAuACAAQwBvAHAAeQAgAGYAaQBsAGUAIAB0AG8AIABhACAAbABvAGMAYQBsACAAZAByAGkAdgBlACwAIABhAG4AZAAgAHQAcgB5ACAAYQBnAGEAaQBuAC4AJwAgAC0ARgBvAHIAZQBnAHIAbwB1AG4AZABDAG8AbABvAHIAIABSAGUAZAANAAoAfQANAAoAYwBhAHQAYwBoACAAewANAAoAIAAgAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAoACIARQByAHIAbwByADoAIAAiACAAKwAgACQAXwAuAEUAeABjAGUAcAB0AGkAbwBuAC4ATQBlAHMAcwBhAGcAZQApACAALQBGAG8AcgBlACAAUgBlAGQAIAANAAoAfQA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "abcvpn.exe /quiet /norestart"
    3⤵
    PID:2020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Remove-Item c:\ProgramData\WinApp\abcvpn.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Remove-Item c:\ProgramData\WinApp\abc.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

1

T1070.004

Obfuscated Files or Information

1

T1027

Command Obfuscation

1

T1027.010

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
223bd4ae02766ddc32e6145fd1a29301

SHA1
900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

SHA256
1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

SHA512
648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e5d20abdf35b16f013487e35af64d90b

SHA1
1d38585a53dd94b1eb7d3426e22268c6e219a069

SHA256
9bfb950f10dc01c3710f9cf0e0ccff4f3fb35a4e5ed7f01cc139254dc9a4a4ba

SHA512
ad65ae4ae73c6a32faf6360caab6252afa3263344b5225c5b90feee74f85ba4d0419ac75d6749abd5ee130784b8c8611f714b0bb52c3fa562f53d81fbffa7ea8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
41cc2edb3298e6af3988617d975c1612

SHA1
8de10bd391dc9ff3fbe37e79140e9f367bf68031

SHA256
81a07e2d81a3c0d690a70f181599508c223db5488a521c80a0dcde1662acc4fe

SHA512
6b4eb27fd230ca1f93a7dc0fb0f9b28355031ccf687daee29ef05f1376adfe28e766fa2f8fcdc2cd3bd1848d9039ab10d0702d6d49d5008565b1b613cd71d387

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xhgsjlpc.i3z.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1564-15-0x000001B228120000-0x000001B2282F6000-memory.dmp

Filesize
1.8MB

Download
memory/1564-13-0x00007FF81BF40000-0x00007FF81CA01000-memory.dmp

Filesize
10.8MB

Download
memory/1564-14-0x00007FF81BF40000-0x00007FF81CA01000-memory.dmp

Filesize
10.8MB

Download
memory/1564-16-0x00007FF81BF40000-0x00007FF81CA01000-memory.dmp

Filesize
10.8MB

Download
memory/1564-17-0x00007FF81BF40000-0x00007FF81CA01000-memory.dmp

Filesize
10.8MB

Download
memory/1564-30-0x00007FF81BF40000-0x00007FF81CA01000-memory.dmp

Filesize
10.8MB

Download
memory/1564-12-0x00007FF81BF40000-0x00007FF81CA01000-memory.dmp

Filesize
10.8MB

Download
memory/1564-2-0x000001B227A90000-0x000001B227AB2000-memory.dmp

Filesize
136KB

Download
memory/4320-0-0x00007FF81BF43000-0x00007FF81BF45000-memory.dmp

Filesize
8KB

Download
memory/4320-1-0x00000000007E0000-0x00000000009B6000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing