e1f8b00f05923dce7e47d5de0cff7c928e08dead70c11483b66bb623076c6b39

General

Target

e1f8b00f05923dce7e47d5de0cff7c928e08dead70c11483b66bb623076c6b39.exe
Size

639KB
MD5

5185850a2e9b31d47475969f77da64e5
SHA1

936da4181f4d281038b470048063479a459b21fe
SHA256

e1f8b00f05923dce7e47d5de0cff7c928e08dead70c11483b66bb623076c6b39
SHA512

fe4a3607d64f9d320e1df907280f10eac4da91141d1ab727982d4cab4194b34d2220f63a667b166ae118c0b621b02f47c354f9392ff9ee40a9d991a081bbedbb
SSDEEP

12288:qXbWzxWsXJpE04glCFZs/U+eLhuU9y02ud3Np39jJ5wJE4MsGZ4Q:dXU04Iws/09djJ

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	e1f8b00f05923dce7e47d5de0cff7c928e08dead70c11483b66bb623076c6b39.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	MEGA_UKUPNIK_MINUS_USHI_by_LuckyKazya.exe

Executes dropped EXE 1 IoCs

pid	Process
2156	MEGA_UKUPNIK_MINUS_USHI_by_LuckyKazya.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEGA_UKUPNIK_MINUS_USHI_by_LuckyKazya.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	MEGA_UKUPNIK_MINUS_USHI_by_LuckyKazya.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2392887640-1187051047-2909758433-1000\{6D14FB59-826F-4E09-BA08-46E63CF70754}	WScript.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5116	WScript.exe
Token: SeCreatePagefilePrivilege	5116	WScript.exe
Token: 33	404	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	404	AUDIODG.EXE
Token: SeShutdownPrivilege	5116	WScript.exe
Token: SeCreatePagefilePrivilege	5116	WScript.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3132 wrote to memory of 2156	3132	e1f8b00f05923dce7e47d5de0cff7c928e08dead70c11483b66bb623076c6b39.exe	87
PID 3132 wrote to memory of 2156	3132	e1f8b00f05923dce7e47d5de0cff7c928e08dead70c11483b66bb623076c6b39.exe	87
PID 3132 wrote to memory of 2156	3132	e1f8b00f05923dce7e47d5de0cff7c928e08dead70c11483b66bb623076c6b39.exe	87
PID 2156 wrote to memory of 5116	2156	MEGA_UKUPNIK_MINUS_USHI_by_LuckyKazya.exe	90
PID 2156 wrote to memory of 5116	2156	MEGA_UKUPNIK_MINUS_USHI_by_LuckyKazya.exe	90
PID 2156 wrote to memory of 5116	2156	MEGA_UKUPNIK_MINUS_USHI_by_LuckyKazya.exe	90

C:\Users\Admin\AppData\Local\Temp\e1f8b00f05923dce7e47d5de0cff7c928e08dead70c11483b66bb623076c6b39.exe
"C:\Users\Admin\AppData\Local\Temp\e1f8b00f05923dce7e47d5de0cff7c928e08dead70c11483b66bb623076c6b39.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Users\Admin\AppData\Local\Temp\MEGA_UKUPNIK_MINUS_USHI_by_LuckyKazya.exe
  "C:\Users\Admin\AppData\Local\Temp\MEGA_UKUPNIK_MINUS_USHI_by_LuckyKazya.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\play.vbs"
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:5116

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x464 0x46c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
31bf270dfb65dbde8f22850f36a68d65

SHA1
7540f99fd08eca37058f01189da24841be9ea227

SHA256
18a1de89312eecd5c007738bfc2f278502caf2556547730ab7b0eff503eb8e05

SHA512
d150837e5060f2dd5512d2ac7fbef86e77ad95a76a9867466bf908a72ba51a4788f5b79199c30f136718408ff30382b7d30a2db76be6c14868ff6ef52ad8b007

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEGA_UKUPNIK_MINUS_USHI_by_LuckyKazya.exe

Filesize
751KB

MD5
6d2d42f4cf64f23def041b16c4a591d1

SHA1
06c9da003fcce27caf71ea4cd23f3897a4e8c184

SHA256
9abe739d093133b3aaf5512dd0b6799ee2bc4b108466622b982d5233446aee6d

SHA512
926195935e5b001f60dd26c1b4f36c89723a710ee8e4b6bf5a1c9db5918969b1aabbaa7d359a06e6cec84267afd2c1f315a30bfb46d1944b9986dc42dc099bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SSS.mp3

Filesize
646KB

MD5
cfc09a9a46f1910b13200df435483c6f

SHA1
cdd3cb2b197728d7445d478378e6140185cbaefc

SHA256
4168c7692e7c8c02fe9df4752422d217f1a92247fcd90114ac419a58bbdf784f

SHA512
34dc498968ba7bc43cac96d0e6490a2b2d0766c38824982c1dd04ee299baac969635c2fa4c7b962e5aa85786f40641fdec300c488627c898929341c02fc3a919

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\play.vbs

Filesize
234B

MD5
7cbcceb16259fc7371af338c0e44ed3a

SHA1
b260e12cdc0079b4773ed93de0fe961062ee1549

SHA256
52d886707355893ed4879c4865a3b135e1d9c870478bc0be273eb5259f9d9408

SHA512
d528946ba9ebf5943ba83f62c8221f34bb027a2391f3cc65f4dc9473575a08eb3906e57f9c9769c8ee5586e12f9fee2f9eabb4b69db70bb30c7f832407c96aeb

Download Submit
memory/3132-1-0x0000000000D50000-0x0000000000DF6000-memory.dmp

Filesize
664KB

Download
memory/3132-4-0x00007FFC43DE0000-0x00007FFC448A1000-memory.dmp

Filesize
10.8MB

Download
memory/3132-12-0x00007FFC43DE0000-0x00007FFC448A1000-memory.dmp

Filesize
10.8MB

Download
memory/3132-0-0x00007FFC43DE3000-0x00007FFC43DE5000-memory.dmp

Filesize
8KB

Download
memory/5116-33-0x0000000005F40000-0x0000000005F50000-memory.dmp

Filesize
64KB

Download
memory/5116-35-0x0000000005F40000-0x0000000005F50000-memory.dmp

Filesize
64KB

Download
memory/5116-34-0x0000000005F40000-0x0000000005F50000-memory.dmp

Filesize
64KB

Download
memory/5116-36-0x0000000005F40000-0x0000000005F50000-memory.dmp

Filesize
64KB

Download
memory/5116-37-0x0000000005F40000-0x0000000005F50000-memory.dmp

Filesize
64KB

Download
memory/5116-32-0x0000000005F40000-0x0000000005F50000-memory.dmp

Filesize
64KB

Download
memory/5116-50-0x0000000005F40000-0x0000000005F50000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads