e066dabecd400d831259d1bb2c0e17c9c14736b1ed8c32c6c46ef2f39f974cf5

General

Target

e629edf7ddeea4d35859255dfc10e170N.exe
Size

1.1MB
MD5

e629edf7ddeea4d35859255dfc10e170
SHA1

33c14a89a83e15b091fccfee0287cd0b25b53476
SHA256

e066dabecd400d831259d1bb2c0e17c9c14736b1ed8c32c6c46ef2f39f974cf5
SHA512

5c4fe84cbca1168f29e35379353e1a0f0b9858ecfc238cf0b68fdfe0b35db2f7ecac54fb26bc9d690b7c85e07c3d048cee5cf5047bf1a0e0bf4df7c4f68c28e8
SSDEEP

24576:h0W8HM9IgSFeG4VP47LtOnjhgWHeRHcoZlG4g5wDQL2DB/:h6i0cnlHeRrlG4g5ec29

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	e629edf7ddeea4d35859255dfc10e170N.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk	e629edf7ddeea4d35859255dfc10e170N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe"	e629edf7ddeea4d35859255dfc10e170N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e629edf7ddeea4d35859255dfc10e170N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	e629edf7ddeea4d35859255dfc10e170N.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
736	e629edf7ddeea4d35859255dfc10e170N.exe
736	e629edf7ddeea4d35859255dfc10e170N.exe
736	e629edf7ddeea4d35859255dfc10e170N.exe
736	e629edf7ddeea4d35859255dfc10e170N.exe
736	e629edf7ddeea4d35859255dfc10e170N.exe
736	e629edf7ddeea4d35859255dfc10e170N.exe
736	e629edf7ddeea4d35859255dfc10e170N.exe
736	e629edf7ddeea4d35859255dfc10e170N.exe
736	e629edf7ddeea4d35859255dfc10e170N.exe
736	e629edf7ddeea4d35859255dfc10e170N.exe
736	e629edf7ddeea4d35859255dfc10e170N.exe
736	e629edf7ddeea4d35859255dfc10e170N.exe
736	e629edf7ddeea4d35859255dfc10e170N.exe
736	e629edf7ddeea4d35859255dfc10e170N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
736	e629edf7ddeea4d35859255dfc10e170N.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
736	e629edf7ddeea4d35859255dfc10e170N.exe
736	e629edf7ddeea4d35859255dfc10e170N.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 432	736	e629edf7ddeea4d35859255dfc10e170N.exe	86
PID 736 wrote to memory of 432	736	e629edf7ddeea4d35859255dfc10e170N.exe	86
PID 736 wrote to memory of 432	736	e629edf7ddeea4d35859255dfc10e170N.exe	86
PID 736 wrote to memory of 3808	736	e629edf7ddeea4d35859255dfc10e170N.exe	85
PID 736 wrote to memory of 3808	736	e629edf7ddeea4d35859255dfc10e170N.exe	85
PID 736 wrote to memory of 3808	736	e629edf7ddeea4d35859255dfc10e170N.exe	85

C:\Users\Admin\AppData\Local\Temp\e629edf7ddeea4d35859255dfc10e170N.exe
"C:\Users\Admin\AppData\Local\Temp\e629edf7ddeea4d35859255dfc10e170N.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:736
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3808
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
78663c4dffc71ab347eaeb23f26fbe03

SHA1
f505e1941c9c521da0e867b59e9e226ce6b09fbc

SHA256
015f8d58416a188cf25ceb5ed1af29c9573afddcb84534b8b23e7bb03c0e550a

SHA512
776d1b22e0bf232c16976bb678e9656eff446de91557afb9deaedb5b2f3f97fc33e356bc069d6e9c6a9e9e1bbdcda86de1014eac9ee5c4d246994dd5973cbad4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
722B

MD5
182672c7dfa996280a59fbfb665f5248

SHA1
e81e74b79d03473618287f6245b6784155e868ab

SHA256
66bed4ff6747c87b4d681ba11544280f040a29c8a4984484f9fc8e3a0572add0

SHA512
691db18f6b8b698cb61aee83f815ef52aad5550c2fda53f534fdbe780d4b14be0aef8a24883fadbccd3fdf95297837522bef635d45cdafe58bdb56faf8ef86ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
67bfe442efd38a5c90d9a89c18eaf646

SHA1
bf70eccc83f24be313656b1fcd4f534f636c7410

SHA256
cbe59fbd7a1dc36a2e3b8cb096af4519a8f40b6ec98f203e9c2f18a36ba957ec

SHA512
c1b31c0a7fb24c8fbbdb0ae7f712fd102247446d0e0d4ba08215622e2bd976d4b84d15157e68490efe7f522569786fffd446f9f3a62b52f8d66c7f2ad6de3a3f

Download Submit
memory/736-0-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/736-16-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/736-19-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/736-22-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/736-26-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/736-29-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/736-32-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads