acfba2830dcafa32aaec81da8791b21458fa7b0f500981b8f83fff5824724de3

General

Target

acfba2830dcafa32aaec81da8791b21458fa7b0f500981b8f83fff5824724de3.exe
Size

353KB
MD5

4341fb6ccd5196547fba4517475ff015
SHA1

468bed560e4fc936768ba44a2f6adcca0101ddf0
SHA256

acfba2830dcafa32aaec81da8791b21458fa7b0f500981b8f83fff5824724de3
SHA512

9c180136c6411cd3797197c6551c4a67d99f65689f5c7fc2a274db3230364a216da95c82a46075ac961ce2ba9238fbf4a1bf793566cd90a8a177ad430cbc5a6e
SSDEEP

6144:jZuuObR8sVImcyYwmD1hAh/+0NE1kBeXiwPRiNzRGI/3gFZ/dS03WZj4z8Adpujf:oV+mz4oh/n2jR2n3kS1j4z8Zm2/

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	acfba2830dcafa32aaec81da8791b21458fa7b0f500981b8f83fff5824724de3.exe

Executes dropped EXE 2 IoCs

pid	Process
1724	sisisisis.exe
2508	sisisisis.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1724 set thread context of 2508	1724	sisisisis.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acfba2830dcafa32aaec81da8791b21458fa7b0f500981b8f83fff5824724de3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sisisisis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sisisisis.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2508	sisisisis.exe
2508	sisisisis.exe
2508	sisisisis.exe
2508	sisisisis.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1724	sisisisis.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 1724	2904	acfba2830dcafa32aaec81da8791b21458fa7b0f500981b8f83fff5824724de3.exe	91
PID 2904 wrote to memory of 1724	2904	acfba2830dcafa32aaec81da8791b21458fa7b0f500981b8f83fff5824724de3.exe	91
PID 2904 wrote to memory of 1724	2904	acfba2830dcafa32aaec81da8791b21458fa7b0f500981b8f83fff5824724de3.exe	91
PID 1724 wrote to memory of 2508	1724	sisisisis.exe	92
PID 1724 wrote to memory of 2508	1724	sisisisis.exe	92
PID 1724 wrote to memory of 2508	1724	sisisisis.exe	92
PID 1724 wrote to memory of 2508	1724	sisisisis.exe	92
PID 1724 wrote to memory of 2508	1724	sisisisis.exe	92
PID 1724 wrote to memory of 2508	1724	sisisisis.exe	92
PID 2508 wrote to memory of 3436	2508	sisisisis.exe	56
PID 2508 wrote to memory of 3436	2508	sisisisis.exe	56
PID 2508 wrote to memory of 3436	2508	sisisisis.exe	56
PID 2508 wrote to memory of 3436	2508	sisisisis.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3436
- C:\Users\Admin\AppData\Local\Temp\acfba2830dcafa32aaec81da8791b21458fa7b0f500981b8f83fff5824724de3.exe
  "C:\Users\Admin\AppData\Local\Temp\acfba2830dcafa32aaec81da8791b21458fa7b0f500981b8f83fff5824724de3.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Users\Admin\AppData\Local\Temp\sisisisis.exe
    "C:\Users\Admin\AppData\Local\Temp\sisisisis.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Users\Admin\AppData\Local\Temp\sisisisis.exe
      C:\Users\Admin\AppData\Local\Temp\sisisisis.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sisisisis.exe

Filesize
275KB

MD5
9cd07b06963a692db8e14f058d8c3645

SHA1
1f02d202f6fd15ce560d0ebe1313afd03fdd0352

SHA256
4476051a6f42f7252d3428d62b944e66145e3d54eb54a761dc3323b0a2669dad

SHA512
ef27690d4291fc725ed74ab75e01c07429956d349996110a22de0968b81067ff188e278ec0245658450a1c0607ab46398db3b3348b268e792f7074536767227f

Download Submit
memory/1724-31-0x00000000768C0000-0x00000000769B0000-memory.dmp

Filesize
960KB

Download
memory/1724-29-0x00000000768C0000-0x00000000769B0000-memory.dmp

Filesize
960KB

Download
memory/1724-24-0x00000000768E0000-0x00000000768E1000-memory.dmp

Filesize
4KB

Download
memory/1724-25-0x00000000768C0000-0x00000000769B0000-memory.dmp

Filesize
960KB

Download
memory/1724-27-0x00000000768C0000-0x00000000769B0000-memory.dmp

Filesize
960KB

Download
memory/1724-26-0x00000000768C0000-0x00000000769B0000-memory.dmp

Filesize
960KB

Download
memory/1724-28-0x00000000768C0000-0x00000000769B0000-memory.dmp

Filesize
960KB

Download
memory/1724-15-0x0000000000520000-0x0000000000552000-memory.dmp

Filesize
200KB

Download
memory/1724-37-0x00000000768C0000-0x00000000769B0000-memory.dmp

Filesize
960KB

Download
memory/1724-30-0x00000000768C0000-0x00000000769B0000-memory.dmp

Filesize
960KB

Download
memory/2508-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2508-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2508-38-0x00000000768C0000-0x00000000769B0000-memory.dmp

Filesize
960KB

Download
memory/2508-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2508-44-0x00000000768C0000-0x00000000769B0000-memory.dmp

Filesize
960KB

Download
memory/2904-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3436-39-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/3436-40-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing