b144efb54f7c3ac431083d4d8fdc527e4b8a5715ba7f49ccba6740a76740d350

General

Target

$_3_.exe
Size

1.7MB
MD5

d4c16982f8a834bc0f8028b45c3ae543
SHA1

9d9cec9af8f23a23521e20d48d9af1024663a4a7
SHA256

932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b
SHA512

c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c
SSDEEP

49152:n7mrmYPoEHVGTWFkO4ITVpSuEqM/vrM3rA3SuN5:km2Z12WFYFVf

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	$_3_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$_3_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4860	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4860	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1544	$_3_.exe
1544	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1544	$_3_.exe
1544	$_3_.exe
1544	$_3_.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 2792	1544	$_3_.exe	92
PID 1544 wrote to memory of 2792	1544	$_3_.exe	92
PID 1544 wrote to memory of 2792	1544	$_3_.exe	92
PID 2792 wrote to memory of 4860	2792	cmd.exe	94
PID 2792 wrote to memory of 4860	2792	cmd.exe	94
PID 2792 wrote to memory of 4860	2792	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\28056.bat" "C:\Users\Admin\AppData\Local\Temp\33F91EDDF45149F2B0B1A9A69296E170\""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\$I0BHCFR

Filesize
98B

MD5
8c14b704b86c7258f30ed124511b32fe

SHA1
2b5ae3ed54501913b4eaf70fd7e3646a621b6fc5

SHA256
4be8b1d8eca4977cb82bdf4ec54ac4d1e441c8acc5d86ed5d946a4c198a2400c

SHA512
cc4aa860f86f3d3595094fc5686834e2b2396acde2e1f38f8aedbbc2b70443e3e6011956d82ca2622e967d563e65db542c91fffd557d1c7058f76a76dca12b20

Download Submit
C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\$IFCT8GW

Filesize
98B

MD5
ecde0a531264e55568911dedb0cafad9

SHA1
7633c5b9f9b0eee0304f4a0ad3c49b2a6f9b0ea1

SHA256
7b3bd90f9fd895bd9610b8f7791974f051f7ace582ecd1be4897742470152570

SHA512
ea0129e5b7ec19a87933a7a7dab6acd416486487dc2a37b61a456175639466b2cc71d0c33340d0d21db91c2e52784da13b6bd9d2b8c8eacaddd7ebf4ea7bad8f

Download Submit
C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\$IMDXOU2

Filesize
98B

MD5
e0551c783c13c769a487f1e92ce041a8

SHA1
6ef0a0b35aa001a3ceaae9af184ce8edc161bd7a

SHA256
a6cd540b5c28d7c994680476bdcf6785d01051f442b23e404f85c73c3db203e5

SHA512
af4ef43f8a59be16a1babb2919b338dea2e7b3fbf11c5e32787ae733f077f2c5cc9a2d351f91a5e31c6eb21ebaf21efe97ff18b6828f682fb0b140fbff3745ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\28056.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\33F91EDDF45149F2B0B1A9A69296E170\33F91EDDF45149F2B0B1A9A69296E170_LogFile.txt

Filesize
2KB

MD5
66ac916717e7d63f2ae123d543631305

SHA1
ecacdb8161ee06f7ce240661bd9a16ff1e1a7648

SHA256
f2c8a19ff76cd17ee508a7c599ea51ed3cbca286776b3373915783c9662b44ea

SHA512
44ca84b634ea6f9bf0d3e8160fa9822a26b874dce47c84c33ae8485e826aa4a01be39fe68764c6770d830c33fc6ee0a9724f012907e00228d5d604e4ee26f178

Download Submit
C:\Users\Admin\AppData\Local\Temp\33F91EDDF45149F2B0B1A9A69296E170\33F91EDDF45149F2B0B1A9A69296E170_LogFile.txt

Filesize
4KB

MD5
f43b8235c6f01c6d0c5df116ee4dd58c

SHA1
58eebe8c0b0463eef01adb375da4aa66ed2fd375

SHA256
336d4184e8801fc878bfe5921433f715fb6b1e4e720ff41a807ae4c2d9f52714

SHA512
cb6b5034aee508710a77a7bd2976bb9edd1084a07beca6859189d9700129a91be4ce82ab65f5b9c8fe1788fa544719c23142ce011088939a5436b5a3a4add634

Download Submit
C:\Users\Admin\AppData\Local\Temp\33F91EDDF45149F2B0B1A9A69296E170\33F91EDDF45149F2B0B1A9A69296E170_LogFile.txt

Filesize
4KB

MD5
34941ee7f5faf02db2d88248a788e502

SHA1
88b0a9afbd920c562e2ba8cf8c9a79c3769cd80f

SHA256
75ae61043e83744be12d8898b86aad700b8a4969fe90a28fca969fb19c473389

SHA512
f2ebd6e617f075dfe56aa74893c49bc1296ee8494b39a62758313cdf258b3b0924470c067acebf489a33f77cd759914eba8d66297975c4dcca01640bf8e791aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\33F91EDDF45149F2B0B1A9A69296E170\33F91E~1.TXT

Filesize
29KB

MD5
b099da348c0ba2a443589a77309b0145

SHA1
c71e90a19c2351e9b83ad9a6f1590bb24466a4d1

SHA256
ba2daf69c5edfbd1079ffa4bcb8b9a4cb5e5af1f3314baced47ac9dfab09bda8

SHA512
45966a2b99e765ebb0f989c226b6ce1a0c338f1cb7edd56ae6cf90d48fc702a202fe6f0faad984e2cbb68a7d380ac1c3f37fa2e674492985c406bf9b34f6a75f

Download Submit
memory/1544-63-0x0000000003820000-0x0000000003821000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads