dd7cd49d92b036b3d334fe7680abe0cf6e13d066ac5e90e2003900214170c42b

General

Target

d4bd92ebb64055e6fd76f2132a6325b0N.exe
Size

2.6MB
MD5

d4bd92ebb64055e6fd76f2132a6325b0
SHA1

c548723eafb2045778bb53d858a4aa41635a07ef
SHA256

dd7cd49d92b036b3d334fe7680abe0cf6e13d066ac5e90e2003900214170c42b
SHA512

1bfbe9ab824f650246f06b468372c17a6128fd074e1bfe752156efbc798c67dc570ec026de6d064d43c882f1a1ef777e0e136f13f7e5bc9dc7bf560edd823312
SSDEEP

49152:oDy796EvMtTx435MtV+On5vMNbcwO6m2zGKYraTh+ZTOdFrxviiBI1rs:f7AEvgVOA5WbcoHzGlr8h+5q4if

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	d4bd92ebb64055e6fd76f2132a6325b0N.tmp

Executes dropped EXE 2 IoCs

pid	Process
4124	d4bd92ebb64055e6fd76f2132a6325b0N.tmp
2112	WMF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4bd92ebb64055e6fd76f2132a6325b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4bd92ebb64055e6fd76f2132a6325b0N.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMF.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2112	WMF.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 4124	2872	d4bd92ebb64055e6fd76f2132a6325b0N.exe	84
PID 2872 wrote to memory of 4124	2872	d4bd92ebb64055e6fd76f2132a6325b0N.exe	84
PID 2872 wrote to memory of 4124	2872	d4bd92ebb64055e6fd76f2132a6325b0N.exe	84
PID 4124 wrote to memory of 2112	4124	d4bd92ebb64055e6fd76f2132a6325b0N.tmp	87
PID 4124 wrote to memory of 2112	4124	d4bd92ebb64055e6fd76f2132a6325b0N.tmp	87
PID 4124 wrote to memory of 2112	4124	d4bd92ebb64055e6fd76f2132a6325b0N.tmp	87

C:\Users\Admin\AppData\Local\Temp\d4bd92ebb64055e6fd76f2132a6325b0N.exe
"C:\Users\Admin\AppData\Local\Temp\d4bd92ebb64055e6fd76f2132a6325b0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Local\Temp\is-I6A1C.tmp\d4bd92ebb64055e6fd76f2132a6325b0N.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-I6A1C.tmp\d4bd92ebb64055e6fd76f2132a6325b0N.tmp" /SL5="$B0062,2357949,153088,C:\Users\Admin\AppData\Local\Temp\d4bd92ebb64055e6fd76f2132a6325b0N.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4124
- - C:\Users\Admin\AppData\Local\Temp\is-68JT2.tmp\WMF.exe
    "C:\Users\Admin\AppData\Local\Temp\is-68JT2.tmp\WMF.exe" /aid=0 /sub=0 /sid=90 /name="the_big_short__inside_the_doomsday_machi_-_michael_lewis.epub" /fid= /stats=n8265wTmoD0l8vPuuzlPINkaNcD/2aLMiYLM2IvKgtbM3K9Dvi6ihJ2RVYfGFE9NIdMqdn490Hvbk3L7vGCfBw== /param=0
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-68JT2.tmp\WMF.exe

Filesize
3.4MB

MD5
4c77196ae965e00a0ab6a1e3b3e4212d

SHA1
70e1a827223c352fabd41f659220a528b33de320

SHA256
394574c33ab45971acc0a4840fa163a8d9884f9ebefe6b252d400544c34d0048

SHA512
7889c1c1272259637f315cb64451b03b4b803d494b557d73ad97f906ef2c4831824e2355cd811d098ab7c35b81de3bf3a938ce80d442dd67b8e50d64571fda36

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-68JT2.tmp\default.xml

Filesize
2KB

MD5
4c219b78a305d3e52c811542154bb224

SHA1
7efe3e383b29c808cfb3ad0fd90d627ea7b2b2bf

SHA256
a0dbdc08f771e32a5ef06f47b436afb270e860578971a974db0c34c0c1366a7c

SHA512
bced9584568b011c0b2013e48d6b9503f77b01c57e2049722326a40363ce42c533e590c4583cf0cf3a5391f3208db8135b5afdc27ae7359af3ded66b11e628b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I6A1C.tmp\d4bd92ebb64055e6fd76f2132a6325b0N.tmp

Filesize
1.1MB

MD5
8811a0652c18dbcf68955f99df537eb8

SHA1
70cff6c43c0f873295dc085018639dff02f33012

SHA256
d69f51e65e3944891ec9c392b3d7410d81f8f93e55b9071584bfd1d384862230

SHA512
ed2ff6cfe272a8ae260233a1bb653adc0eaae13388418a9dea692b9924999d89b8677b8669fa24dcb0c606cfca7045bef779e1c58547f3f17d5096cbbe31d60a

Download Submit
memory/2112-36-0x0000000000400000-0x00000000007FF000-memory.dmp

Filesize
4.0MB

Download
memory/2112-41-0x0000000000400000-0x00000000007FF000-memory.dmp

Filesize
4.0MB

Download
memory/2872-2-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/2872-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2872-38-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4124-7-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/4124-40-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing