f6df63c031b23c4fc8f3d235284539fa4745086388e10e2d226564dea47ab54a

General

Target

55f813b368e7834f7f692c2e2451b8f2.exe
Size

37KB
MD5

55f813b368e7834f7f692c2e2451b8f2
SHA1

3ff5aee5e0acd936ddabe4ec6113744988d526d3
SHA256

f6df63c031b23c4fc8f3d235284539fa4745086388e10e2d226564dea47ab54a
SHA512

941663b113c4fb35ccae4428bf37717c78e96ea832c9700de92741f39c1cef65bd2adbf1ae4138ba5d3d97e9f8381b50425a6f7d760ca1f49e33a6305ae9074b
SSDEEP

384:d4so92aul8VctMCqTX3xAkSVE6B95rfRqzhBaSUR4WVJl/vrseE7+Db9/:d4s6ulPg6XO66WRqGB

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Executes dropped EXE 1 IoCs

pid	Process
2168	RuntimeBrokers.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
35	pastebin.com
36	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1900 set thread context of 2108	1900	55f813b368e7834f7f692c2e2451b8f2.exe	101

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBrokers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55f813b368e7834f7f692c2e2451b8f2.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1900	55f813b368e7834f7f692c2e2451b8f2.exe
1900	55f813b368e7834f7f692c2e2451b8f2.exe
1900	55f813b368e7834f7f692c2e2451b8f2.exe
1900	55f813b368e7834f7f692c2e2451b8f2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1900	55f813b368e7834f7f692c2e2451b8f2.exe
Token: SeDebugPrivilege	2108	RegAsm.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2828	1900	55f813b368e7834f7f692c2e2451b8f2.exe	96
PID 1900 wrote to memory of 2828	1900	55f813b368e7834f7f692c2e2451b8f2.exe	96
PID 1900 wrote to memory of 2828	1900	55f813b368e7834f7f692c2e2451b8f2.exe	96
PID 2828 wrote to memory of 2888	2828	csc.exe	98
PID 2828 wrote to memory of 2888	2828	csc.exe	98
PID 2828 wrote to memory of 2888	2828	csc.exe	98
PID 1900 wrote to memory of 3420	1900	55f813b368e7834f7f692c2e2451b8f2.exe	99
PID 1900 wrote to memory of 3420	1900	55f813b368e7834f7f692c2e2451b8f2.exe	99
PID 1900 wrote to memory of 3420	1900	55f813b368e7834f7f692c2e2451b8f2.exe	99
PID 1900 wrote to memory of 4104	1900	55f813b368e7834f7f692c2e2451b8f2.exe	100
PID 1900 wrote to memory of 4104	1900	55f813b368e7834f7f692c2e2451b8f2.exe	100
PID 1900 wrote to memory of 4104	1900	55f813b368e7834f7f692c2e2451b8f2.exe	100
PID 1900 wrote to memory of 2108	1900	55f813b368e7834f7f692c2e2451b8f2.exe	101
PID 1900 wrote to memory of 2108	1900	55f813b368e7834f7f692c2e2451b8f2.exe	101
PID 1900 wrote to memory of 2108	1900	55f813b368e7834f7f692c2e2451b8f2.exe	101
PID 1900 wrote to memory of 2108	1900	55f813b368e7834f7f692c2e2451b8f2.exe	101
PID 1900 wrote to memory of 2108	1900	55f813b368e7834f7f692c2e2451b8f2.exe	101
PID 1900 wrote to memory of 2108	1900	55f813b368e7834f7f692c2e2451b8f2.exe	101
PID 1900 wrote to memory of 2108	1900	55f813b368e7834f7f692c2e2451b8f2.exe	101
PID 1900 wrote to memory of 2108	1900	55f813b368e7834f7f692c2e2451b8f2.exe	101
PID 2108 wrote to memory of 2168	2108	RegAsm.exe	106
PID 2108 wrote to memory of 2168	2108	RegAsm.exe	106
PID 2108 wrote to memory of 2168	2108	RegAsm.exe	106

C:\Users\Admin\AppData\Local\Temp\55f813b368e7834f7f692c2e2451b8f2.exe
"C:\Users\Admin\AppData\Local\Temp\55f813b368e7834f7f692c2e2451b8f2.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jyszzskx\jyszzskx.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB88D.tmp" "c:\Users\Admin\AppData\Local\Temp\jyszzskx\CSCFD8C70DE1B754EBF93AB6626A5F25BFC.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
  2⤵
  PID:3420
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
  2⤵
  PID:4104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\ProgramData\Visual_Studio\RuntimeBrokers.exe
    "C:\ProgramData\Visual_Studio\RuntimeBrokers.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3924,i,3861745594156495651,17595114179815238301,262144 --variations-seed-version --mojo-platform-channel-handle=4620 /prefetch:8
1⤵
PID:836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB88D.tmp

Filesize
1KB

MD5
4ef21fdad6759f7750184c3a17bd3bb6

SHA1
e0ec27832796b9c28905463640c495290473f627

SHA256
7a5d8b7db202141112813f592804fc40958858703aa3b8ee6830456366c1ec3a

SHA512
0297144d80b1c30810ddb2d7eb1a789a6a3646b8fe8e20e8662cea0daa444aebfff6fcb7e16d2fc48d11d23ab8563a54e0382e076f2b592382fae509daea0001

Download Submit
C:\Users\Admin\AppData\Local\Temp\jyszzskx\jyszzskx.dll

Filesize
9KB

MD5
ee9799bf2a8ed42eb61485aed9ca7fc3

SHA1
c89db3073849aca643bb0390403db4af65065ba2

SHA256
bf466c4ad7064717c475d0176ec6453a9391ae2ed7b7cb8adbae8668e8ddcfba

SHA512
f66b35c41dbfdeb2f031cfbcb8bbd54e26ad732ba22aa42061a43ddb1ec15cdcd192a44cab3f7a69fb4a79e9ecc2aa9549b03bb232f3eb50f6893aa941881df3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jyszzskx\CSCFD8C70DE1B754EBF93AB6626A5F25BFC.TMP

Filesize
652B

MD5
2ad5f903836447ff25882742280d6f64

SHA1
92284ab88d6ed62390c64bb29903894dcad015ac

SHA256
317fb19fb0c95fed34377509b8bd1fcc50cf2dd68a501d35b3ce84b8d1031388

SHA512
74eee80c001e0009b27cd2349f4e9549dbbfa60cb267a706c71ffbe6c6464c3c3fc62180ca81b8e5e9ccb629e208d6b39773c18e2b849af32b4bf8e64f9a2f5f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jyszzskx\jyszzskx.0.cs

Filesize
10KB

MD5
1b6ac34c4169b5a34200e793d21182e6

SHA1
7a195f13804f6d4f38774b2a94962faa2f6c03e6

SHA256
38eca887cb1764ceccab157b44915f0a41760c843c530a72d66ee414a9a61296

SHA512
454f50f81b31594855c7bf2b6168c7a4ead6e83e4c60cf7f49c54a4a6378ba7946b00b9336b3ffa9c390fc85ea4305577093411448a68cb0d8280b115ea0dd58

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jyszzskx\jyszzskx.cmdline

Filesize
204B

MD5
9e43bee3ce19febb644044736fbb08e9

SHA1
ee95171eeea2ff489e30d73cd056de0579bba52e

SHA256
c461c84448fa7d970e367ecb470d69afb7c40ed924ef75071f02625ada963b0d

SHA512
65cfa590507600c05e9d5264a8251db98b9445717cffd80afe0964446355282d2b0f92062bc9afe64b19a9f7bb69c63de48b23f4b5b2e502b0a7fe3dab4ccc9c

Download Submit
memory/1900-17-0x0000000005760000-0x0000000005768000-memory.dmp

Filesize
32KB

Download
memory/1900-22-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/1900-3-0x0000000074B7E000-0x0000000074B7F000-memory.dmp

Filesize
4KB

Download
memory/1900-2-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/1900-1-0x0000000000CF0000-0x0000000000D00000-memory.dmp

Filesize
64KB

Download
memory/1900-0-0x0000000074B7E000-0x0000000074B7F000-memory.dmp

Filesize
4KB

Download
memory/1900-4-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/2108-19-0x0000000000400000-0x0000000000968000-memory.dmp

Filesize
5.4MB

Download
memory/2108-21-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/2108-23-0x0000000005C10000-0x00000000061B4000-memory.dmp

Filesize
5.6MB

Download
memory/2108-24-0x00000000054B0000-0x0000000005542000-memory.dmp

Filesize
584KB

Download
memory/2108-25-0x0000000005660000-0x00000000056C6000-memory.dmp

Filesize
408KB

Download
memory/2108-26-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/2108-27-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/2108-41-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/2168-43-0x0000000000F20000-0x0000000000F32000-memory.dmp

Filesize
72KB

Download

Resubmissions

Analysis

Sharing