b81efd7719693f02b9cb8163b174d94ccc393603fc51c383d849ef09e1952277

General

Target

$_3_.exe
Size

1.7MB
MD5

d4c16982f8a834bc0f8028b45c3ae543
SHA1

9d9cec9af8f23a23521e20d48d9af1024663a4a7
SHA256

932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b
SHA512

c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c
SSDEEP

49152:n7mrmYPoEHVGTWFkO4ITVpSuEqM/vrM3rA3SuN5:km2Z12WFYFVf

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	$_3_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$_3_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1456	$_3_.exe
1456	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1456	$_3_.exe
1456	$_3_.exe
1456	$_3_.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 1928	1456	$_3_.exe	96
PID 1456 wrote to memory of 1928	1456	$_3_.exe	96
PID 1456 wrote to memory of 1928	1456	$_3_.exe	96

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2651.bat" "C:\Users\Admin\AppData\Local\Temp\5866108BBC694274926F31A54445B0EB\""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\$I2LOLHG

Filesize
98B

MD5
5d1d45dc3a3918d6d451613c81d36879

SHA1
f6a5f091558f235f5d8cf85655b502266f874399

SHA256
1914c91cbc623b2446721b5db3a47bc1de0d20b80ac88fee4133b3c79252d82d

SHA512
8e223970699ab0bc16e18cfffa80a0b76b036c5039c1ef312414c3e493f304209cee12d77bc89b652a3461fa78e00821d38a32c3f1505344943f61a8f09ac1a2

Download Submit
C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\$IU86MZX

Filesize
98B

MD5
82458e0e42628374ac1eaf7b1feec307

SHA1
b8eeacd517b8b9f900878785f60764f746249531

SHA256
5bdfab5e00751c84e603a9af5dde641ede72971e6b0951967a44b432780cff60

SHA512
f83448c5bfb15553b801151b4d97da1c6fbed5aa34f1df41c3990a851467fb1aeaa463e069376419e03c29e3eda4f2c75a94ee9644f0fc4e0bbc6ee5e08b24f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2651.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\5866108BBC694274926F31A54445B0EB\5866108BBC694274926F31A54445B0EB_LogFile.txt

Filesize
2KB

MD5
506baa8f50ef611ff458179f2c8370d7

SHA1
1208584eda79bf310933ec6f6390433c9aa439c9

SHA256
7c0f11f105bbbaa658e3b293b029a12c2a139ed65eb1a4a8ab2bbd0149476ea7

SHA512
8ed119a397d03c9a0692b440b2fe22358fc02fbbbb56fbd77773a05ce17e19b39456d607e765ce59455f363d2dbea024e2fa6ea846b97b50ad185173cd38671b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5866108BBC694274926F31A54445B0EB\5866108BBC694274926F31A54445B0EB_LogFile.txt

Filesize
3KB

MD5
7720d7ed02ba3ceef2c0dbeb011e9664

SHA1
672c80a49c8018b621c196e13b6e23cdeac9a6ee

SHA256
7c60cf9417856a4da40db9ee23bd6afed819b52c10de07f0f296f2a925d683d6

SHA512
eb7a69b6fa258f0667d9baeca012208951903679385ec232a8e6d710d0174d55c357ccfb210068889848200acbfcdc4b5f6768c38f45b8af4944f29dd1d313a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5866108BBC694274926F31A54445B0EB\5866108BBC694274926F31A54445B0EB_LogFile.txt

Filesize
2KB

MD5
3c94c65ed2326f913f26d0264ca906c4

SHA1
0dad183b5950c312f78617cc46ab56ae391e0675

SHA256
2c71e44ea45bee80fdcac63d1f5fd9cf3ebe8d2906c0c393dc1eed90ef357bff

SHA512
0c2f64f6fea3af17fe000562d191bb58f0b9404bcf1f1b0b5c66dd19cfacd9734168c4cdc684afbc016ce0fabceb3d2467471e6a4dde9af09224de19d002dade

Download Submit
C:\Users\Admin\AppData\Local\Temp\5866108BBC694274926F31A54445B0EB\5866108BBC694274926F31A54445B0EB_LogFile.txt

Filesize
4KB

MD5
40f76374ae34f31bc6d0b3e4567265e8

SHA1
470df818f8b0ec81f5ef3e1726eefd535f78b019

SHA256
38ebc8d194225082df4f0037e09fcd9255cd4eb205e6e49ea957e47e652cc1a7

SHA512
7cc62bdd583b2e30622489bbcf6f6c35d3df6ff483c358791cf0432f380d937067050edf3193caf3dac9d51e9085a6eb5d27b3ab7ce11533636d456e43e7d8d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5866108BBC694274926F31A54445B0EB\586610~1.TXT

Filesize
31KB

MD5
4265237b20ef4b94a7faa61a7afa071b

SHA1
841570d8b83d8875cd993c9f4d3b65489fe2eadb

SHA256
b86e2715be3aa9c50335dd66afcef6278670998128418f87176a08b387c19211

SHA512
b361ba30fd125af5240266606c0ba7f65ccc7ba3f35a4c6e5efca1e9d95bb0ca17884664f586bd6ed814d6210eed0da1b5f50b5a026403834ba570537907c972

Download Submit
memory/1456-63-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing