38013984ecec19ab2889f68c3404c10c434b44ad68d9e3978cb853c18742dabc

General

Target

38013984ecec19ab2889f68c3404c10c434b44ad68d9e3978cb853c18742dabc.exe
Size

330KB
MD5

ee1b0e6423386f2c53869725a16c24ae
SHA1

c3a06587bb81b375b1f1b606e279afb41150a26d
SHA256

38013984ecec19ab2889f68c3404c10c434b44ad68d9e3978cb853c18742dabc
SHA512

61bf4006cca47161050b335b42db5e0943b892848920a24e4c3334f76d93ad18951647f1d92c942c7c64b170027da5775b7ea3e2cdb04412a31a02f1fcc9136d
SSDEEP

6144:fxYrRwGrWwNDCBC2iDFOIh10+7vdX6Ba/AOIPb+PqR/J7y12:fxWrNtDFf1BrRHhiR/J7B

Score

7^/10

discovery execution

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	38013984ecec19ab2889f68c3404c10c434b44ad68d9e3978cb853c18742dabc.exe

Executes dropped EXE 1 IoCs

pid	Process
2664	SIAMIT~1.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	38013984ecec19ab2889f68c3404c10c434b44ad68d9e3978cb853c18742dabc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2704	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	38013984ecec19ab2889f68c3404c10c434b44ad68d9e3978cb853c18742dabc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SIAMIT~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2704	powershell.exe
2704	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3064	38013984ecec19ab2889f68c3404c10c434b44ad68d9e3978cb853c18742dabc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2664	3064	38013984ecec19ab2889f68c3404c10c434b44ad68d9e3978cb853c18742dabc.exe	85
PID 3064 wrote to memory of 2664	3064	38013984ecec19ab2889f68c3404c10c434b44ad68d9e3978cb853c18742dabc.exe	85
PID 3064 wrote to memory of 2664	3064	38013984ecec19ab2889f68c3404c10c434b44ad68d9e3978cb853c18742dabc.exe	85
PID 2664 wrote to memory of 2704	2664	SIAMIT~1.EXE	87
PID 2664 wrote to memory of 2704	2664	SIAMIT~1.EXE	87
PID 2664 wrote to memory of 2704	2664	SIAMIT~1.EXE	87

C:\Users\Admin\AppData\Local\Temp\38013984ecec19ab2889f68c3404c10c434b44ad68d9e3978cb853c18742dabc.exe
"C:\Users\Admin\AppData\Local\Temp\38013984ecec19ab2889f68c3404c10c434b44ad68d9e3978cb853c18742dabc.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Local\Temp\SIAMIT~1.EXE
  "C:\Users\Admin\AppData\Local\Temp\SIAMIT~1.EXE" -hwnd 196988 -uninstall
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -command "Get-WinUserLanguageList | ConvertTo-Json -Compress"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\English.lang

Filesize
5KB

MD5
c5e027ed9553b7c0e197da9b232213de

SHA1
06f84573662df0cd76ce1c1ee3c5f8a54a56f3e3

SHA256
b20b85422d00b6cc739c1109587cd31042e2711a5b8147e2b1b2a42db47f82b7

SHA512
abf28d69722cc699e46d80997e46ff10fce771305de0108d9c7ba454f3ae736f557c451edcd1380b8ae6fe4e122929b4d106d376e04d55548092eea8bf03e25f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIAMIT~1.EXE

Filesize
117KB

MD5
5d77bda9abaf2d713df2fb3b7db4860f

SHA1
64a3f12df35235d18d4af16f709bf2c03cb88032

SHA256
865e73bc9f80c58fd2795709b549dc8fe8e09f86af6fc11a039cb134d4657419

SHA512
0930ccf6ff6fa3cf0ebae60e69e226270f2ada40df5a8b42f5ad797d79a23618e6d632ca90ded9eacfc3905f6bee2d6db42f20b04017cfbe674fa112e49bd8b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.job

Filesize
14KB

MD5
8b6e9fdeba7279871f71526306ed22dd

SHA1
1098341a3fab76fc52d15fcd2b39d321be7a0655

SHA256
35a39de3c9ccc0cd567a895ce9c503150f3e994bc5c9f552e7d1e69ee0081706

SHA512
d377b2ed79e28299ff9cb50d818e987b7d6ea4f9f60ad313cf2b129d2f56414982229a846a504a71160e82c205f532df5f9fd7b2019eb8f7f20b2aa3312cf54f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_32hj20hn.mjf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\img881C.tmp

Filesize
26KB

MD5
0ee5c85d988e567c0fb740eb231e5e81

SHA1
713547ca83b1c416603b8cc4786290af9e983712

SHA256
e5ed3d2e0ba8e5e0a17b8e8e45b42e1a5d293e977c79c1856a6314bddcfc4389

SHA512
8cdef4628ef05803eb38ce30546ee0099611f7fa1458148924cccd7e024a1c6fd8930909b42f8fa500b4dc3d2b3a8b7ad60a51ab72b6a439c1e080ae9864e9ca

Download Submit
memory/2664-84-0x0000000072A90000-0x0000000073240000-memory.dmp

Filesize
7.7MB

Download
memory/2664-32-0x0000000005980000-0x0000000005A12000-memory.dmp

Filesize
584KB

Download
memory/2664-83-0x0000000072A9E000-0x0000000072A9F000-memory.dmp

Filesize
4KB

Download
memory/2664-31-0x0000000005E30000-0x00000000063D4000-memory.dmp

Filesize
5.6MB

Download
memory/2664-80-0x0000000006620000-0x000000000662A000-memory.dmp

Filesize
40KB

Download
memory/2664-30-0x0000000000F10000-0x0000000000F30000-memory.dmp

Filesize
128KB

Download
memory/2664-78-0x0000000072A90000-0x0000000073240000-memory.dmp

Filesize
7.7MB

Download
memory/2664-29-0x0000000072A9E000-0x0000000072A9F000-memory.dmp

Filesize
4KB

Download
memory/2704-53-0x00000000071D0000-0x0000000007202000-memory.dmp

Filesize
200KB

Download
memory/2704-68-0x00000000075F0000-0x00000000075FA000-memory.dmp

Filesize
40KB

Download
memory/2704-50-0x0000000005DD0000-0x0000000006124000-memory.dmp

Filesize
3.3MB

Download
memory/2704-51-0x0000000006270000-0x000000000628E000-memory.dmp

Filesize
120KB

Download
memory/2704-52-0x0000000006380000-0x00000000063CC000-memory.dmp

Filesize
304KB

Download
memory/2704-39-0x0000000005B80000-0x0000000005BE6000-memory.dmp

Filesize
408KB

Download
memory/2704-54-0x000000006F300000-0x000000006F34C000-memory.dmp

Filesize
304KB

Download
memory/2704-64-0x0000000007210000-0x000000000722E000-memory.dmp

Filesize
120KB

Download
memory/2704-65-0x0000000007240000-0x00000000072E3000-memory.dmp

Filesize
652KB

Download
memory/2704-66-0x0000000007BC0000-0x000000000823A000-memory.dmp

Filesize
6.5MB

Download
memory/2704-67-0x0000000007580000-0x000000000759A000-memory.dmp

Filesize
104KB

Download
memory/2704-40-0x0000000005C60000-0x0000000005CC6000-memory.dmp

Filesize
408KB

Download
memory/2704-69-0x0000000007800000-0x0000000007896000-memory.dmp

Filesize
600KB

Download
memory/2704-70-0x0000000007790000-0x000000000779C000-memory.dmp

Filesize
48KB

Download
memory/2704-71-0x0000000008240000-0x0000000008402000-memory.dmp

Filesize
1.8MB

Download
memory/2704-72-0x0000000008940000-0x0000000008E6C000-memory.dmp

Filesize
5.2MB

Download
memory/2704-75-0x0000000072A90000-0x0000000073240000-memory.dmp

Filesize
7.7MB

Download
memory/2704-38-0x0000000005290000-0x00000000052B2000-memory.dmp

Filesize
136KB

Download
memory/2704-37-0x00000000053A0000-0x00000000059C8000-memory.dmp

Filesize
6.2MB

Download
memory/2704-36-0x0000000072A90000-0x0000000073240000-memory.dmp

Filesize
7.7MB

Download
memory/2704-35-0x0000000072A90000-0x0000000073240000-memory.dmp

Filesize
7.7MB

Download
memory/2704-34-0x0000000002CD0000-0x0000000002D06000-memory.dmp

Filesize
216KB

Download
memory/2704-33-0x0000000072A90000-0x0000000073240000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing