f6df63c031b23c4fc8f3d235284539fa4745086388e10e2d226564dea47ab54a

General

Target

55f813b368e7834f7f692c2e2451b8f2.exe
Size

37KB
MD5

55f813b368e7834f7f692c2e2451b8f2
SHA1

3ff5aee5e0acd936ddabe4ec6113744988d526d3
SHA256

f6df63c031b23c4fc8f3d235284539fa4745086388e10e2d226564dea47ab54a
SHA512

941663b113c4fb35ccae4428bf37717c78e96ea832c9700de92741f39c1cef65bd2adbf1ae4138ba5d3d97e9f8381b50425a6f7d760ca1f49e33a6305ae9074b
SSDEEP

384:d4so92aul8VctMCqTX3xAkSVE6B95rfRqzhBaSUR4WVJl/vrseE7+Db9/:d4s6ulPg6XO66WRqGB

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Executes dropped EXE 1 IoCs

pid	Process
4060	RuntimeBrokers.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	pastebin.com
23	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4604 set thread context of 1888	4604	55f813b368e7834f7f692c2e2451b8f2.exe	87

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBrokers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55f813b368e7834f7f692c2e2451b8f2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4604	55f813b368e7834f7f692c2e2451b8f2.exe
Token: SeDebugPrivilege	1888	RegAsm.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 1900	4604	55f813b368e7834f7f692c2e2451b8f2.exe	84
PID 4604 wrote to memory of 1900	4604	55f813b368e7834f7f692c2e2451b8f2.exe	84
PID 4604 wrote to memory of 1900	4604	55f813b368e7834f7f692c2e2451b8f2.exe	84
PID 1900 wrote to memory of 2300	1900	csc.exe	86
PID 1900 wrote to memory of 2300	1900	csc.exe	86
PID 1900 wrote to memory of 2300	1900	csc.exe	86
PID 4604 wrote to memory of 1888	4604	55f813b368e7834f7f692c2e2451b8f2.exe	87
PID 4604 wrote to memory of 1888	4604	55f813b368e7834f7f692c2e2451b8f2.exe	87
PID 4604 wrote to memory of 1888	4604	55f813b368e7834f7f692c2e2451b8f2.exe	87
PID 4604 wrote to memory of 1888	4604	55f813b368e7834f7f692c2e2451b8f2.exe	87
PID 4604 wrote to memory of 1888	4604	55f813b368e7834f7f692c2e2451b8f2.exe	87
PID 4604 wrote to memory of 1888	4604	55f813b368e7834f7f692c2e2451b8f2.exe	87
PID 4604 wrote to memory of 1888	4604	55f813b368e7834f7f692c2e2451b8f2.exe	87
PID 4604 wrote to memory of 1888	4604	55f813b368e7834f7f692c2e2451b8f2.exe	87
PID 1888 wrote to memory of 4060	1888	RegAsm.exe	97
PID 1888 wrote to memory of 4060	1888	RegAsm.exe	97
PID 1888 wrote to memory of 4060	1888	RegAsm.exe	97

C:\Users\Admin\AppData\Local\Temp\55f813b368e7834f7f692c2e2451b8f2.exe
"C:\Users\Admin\AppData\Local\Temp\55f813b368e7834f7f692c2e2451b8f2.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hp4pfhws\hp4pfhws.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7232.tmp" "c:\Users\Admin\AppData\Local\Temp\hp4pfhws\CSC780E40B678B04F4F90E8D8E4AEF6CF.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\ProgramData\Visual_Studio\RuntimeBrokers.exe
    "C:\ProgramData\Visual_Studio\RuntimeBrokers.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7232.tmp

Filesize
1KB

MD5
d817d1e194ac5f0a15d927fbfc94197c

SHA1
12032b30e3e5ac0badf940e847bbe4c3f2a59e30

SHA256
8981ca4026b1a3565f6b273edbc137f720199e38ae8cb94eb63180e146a1f8cf

SHA512
7bf127f4711a427fe301c77868c940c2d24183da52035ae37b47c39606af172a50591819faa0d6325ed05be3ee80bf4faf854324b3e4386095969e51b755df1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hp4pfhws\hp4pfhws.dll

Filesize
9KB

MD5
75f008b647f967ec52ad8799234ffc0e

SHA1
3a1a2e3dd4122aa389ab31211e6048a7162ce766

SHA256
b1cdb4e15b44acf4030f4e1c8a784a3e4bf806e0f201f19f482779325209ede2

SHA512
f8b72824dbbf76ecc726239b70fc2af3b82eab40775581ba26db4dabc7c4bc2b575f2d807e1fc998164326cb45a5418fe337a6b6e59ed9a4d0abc9a4d8e295ee

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hp4pfhws\CSC780E40B678B04F4F90E8D8E4AEF6CF.TMP

Filesize
652B

MD5
dd3abb3b9fdd4281416d1108f8725357

SHA1
481ad2dfcae0564e2e921e1259cb0e38448fabb6

SHA256
caabceb9bcb6171c9838be7d0d36bf0365853f3733e6d80b04bdf14e964650e2

SHA512
9e082ef93d2fa7d6e6a654b8745ad3f9c866396fca9413e790db1fbcd82758da30230f0e136e26b9cd5cd80333ad1e8a72a3ce32113eaadee00f0ff2c2e0988a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hp4pfhws\hp4pfhws.0.cs

Filesize
10KB

MD5
1b6ac34c4169b5a34200e793d21182e6

SHA1
7a195f13804f6d4f38774b2a94962faa2f6c03e6

SHA256
38eca887cb1764ceccab157b44915f0a41760c843c530a72d66ee414a9a61296

SHA512
454f50f81b31594855c7bf2b6168c7a4ead6e83e4c60cf7f49c54a4a6378ba7946b00b9336b3ffa9c390fc85ea4305577093411448a68cb0d8280b115ea0dd58

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hp4pfhws\hp4pfhws.cmdline

Filesize
204B

MD5
f4241d7a1aa5ce822a8b2958177c12eb

SHA1
af89700a8bb001862ff494e57e5cbbc54539ee79

SHA256
70b5e56f0a76be8524214b8b5b422a11047ba2e2ff5ad273e3ca53262feb6005

SHA512
4ad4390ae2487f7b844cf7d8e24bcde6987200c75c6d28a492e721d001d2e6b86e14f0d94b1f6bc148284c4d6fa941c54f90defbb73cf6d1e07fa7c710ed7d95

Download Submit
memory/1888-21-0x0000000005AC0000-0x0000000006064000-memory.dmp

Filesize
5.6MB

Download
memory/1888-24-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/1888-39-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/1888-25-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/1888-17-0x0000000000400000-0x0000000000968000-memory.dmp

Filesize
5.4MB

Download
memory/1888-23-0x0000000005690000-0x00000000056F6000-memory.dmp

Filesize
408KB

Download
memory/1888-20-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/1888-22-0x00000000055F0000-0x0000000005682000-memory.dmp

Filesize
584KB

Download
memory/4060-41-0x0000000000750000-0x0000000000762000-memory.dmp

Filesize
72KB

Download
memory/4604-0-0x000000007457E000-0x000000007457F000-memory.dmp

Filesize
4KB

Download
memory/4604-19-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/4604-2-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/4604-15-0x0000000006830000-0x0000000006838000-memory.dmp

Filesize
32KB

Download
memory/4604-1-0x0000000000D90000-0x0000000000DA0000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing