405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77

General

Target

405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe
Size

34KB
MD5

ecfa895afaf344e90ea5bc2fe3c37700
SHA1

d9d643073b4089ded6505ac8f6f283fbf4271adb
SHA256

405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77
SHA512

706ae69f69af2d538442cdd01c84ea20e5a02108559c7ba2de9ef5f6a929b5eee3c19399775220b721eef08a288ef3c83a96c0c12382513da83d75197a094449
SSDEEP

768:F22jpAzhjQo8hR/4cxgBLrjyP2/yWBMQo1afeTE5sT9M3jPEa:IYiJLrjyey6eM5sTOTr

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msedge.exe

Executes dropped EXE 9 IoCs

pid	Process
2820	msedge.exe
2776	msedge.exe
1400	msedge.exe
3920	msedge.exe
1036	msedge.exe
4016	msedge.exe
4360	msedge.exe
4660	msedge.exe
2148	msedge.exe

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2912 set thread context of 2244	2912	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe	89
PID 2820 set thread context of 2776	2820	msedge.exe	98

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\3S6UJ4s8.com	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msedge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2244	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe
2244	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2244	2912	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe	89
PID 2912 wrote to memory of 2244	2912	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe	89
PID 2912 wrote to memory of 2244	2912	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe	89
PID 2912 wrote to memory of 2244	2912	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe	89
PID 2912 wrote to memory of 2244	2912	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe	89
PID 2912 wrote to memory of 2244	2912	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe	89
PID 2912 wrote to memory of 2244	2912	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe	89
PID 2912 wrote to memory of 2244	2912	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe	89
PID 2244 wrote to memory of 2820	2244	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe	97
PID 2244 wrote to memory of 2820	2244	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe	97
PID 2244 wrote to memory of 2820	2244	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe	97
PID 2820 wrote to memory of 2776	2820	msedge.exe	98
PID 2820 wrote to memory of 2776	2820	msedge.exe	98
PID 2820 wrote to memory of 2776	2820	msedge.exe	98
PID 2820 wrote to memory of 2776	2820	msedge.exe	98
PID 2820 wrote to memory of 2776	2820	msedge.exe	98
PID 2820 wrote to memory of 2776	2820	msedge.exe	98
PID 2820 wrote to memory of 2776	2820	msedge.exe	98
PID 2820 wrote to memory of 2776	2820	msedge.exe	98
PID 2776 wrote to memory of 2156	2776	msedge.exe	101
PID 2776 wrote to memory of 2156	2776	msedge.exe	101

C:\Users\Admin\AppData\Local\Temp\405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe
"C:\Users\Admin\AppData\Local\Temp\405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe
  "C:\Users\Admin\AppData\Local\Temp\405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" DEL:C:\Users\Admin\AppData\Local\Temp\405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" DEL:C:\Users\Admin\AppData\Local\Temp\405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge .exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge .exe" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" DEL:C:\Users\Admin\AppData\Local\Temp\405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe
        5⤵
        
        PID:2156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4076,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=4300 /prefetch:8
1⤵
- Executes dropped EXE
PID:1400

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5208,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=5244 /prefetch:8
1⤵
- Executes dropped EXE
PID:3920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5192,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=5244 /prefetch:8
1⤵
- Executes dropped EXE
PID:1036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=5284,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=5248 /prefetch:8
1⤵
- Executes dropped EXE
PID:4016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=5668,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=5652 /prefetch:8
1⤵
- Executes dropped EXE
PID:4360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=4716,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=5652 /prefetch:8
1⤵
- Executes dropped EXE
PID:4660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=5380,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=5652 /prefetch:8
1⤵
- Executes dropped EXE
PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Filesize
34KB

MD5
34cdfdcc7faa7f2f4ed6c32960aa1a46

SHA1
c8b7f464afd8c49883ae410183807b9bedf958bd

SHA256
960b83d095ceb719be2dd3e3f662e5faeafa1dfe54c8d5f7de187076cb62708a

SHA512
94abd3fccda9154ded7f80caf875be3a644fd84f8e4722952bcfa4539a8d6caa31b28f67e9cb962d90849fc79a43e6de099d22b84473c410db7135a926496b03

Download Submit
memory/2244-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2244-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2244-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2244-5-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing