b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4

General

Target

b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe
Size

2.5MB
MD5

dea2b172855474242e3607e18f7eb659
SHA1

ce440d756e0bfe5593462d1a4b0c9f818d1f3623
SHA256

b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4
SHA512

42652c9dce689f9e2227651583cedb49dbe67c2c6845703ed35e1e8e502999ff7f1ff959ab7ef6b9ea0a8152a4539ae6b848e8aef4a88e6a9dca0d9c4f3b7e81
SSDEEP

49152:V6i0cnlHeRrlG4g5ec8IBvKvYJC623msvD/DX+y4onCYDj:kPclHeRrlG4g5ea1g62WsvD/D+donCYn

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk	b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe"	b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4976-0-0x0000000000400000-0x0000000000555000-memory.dmp	upx
behavioral2/files/0x0007000000023442-20.dat	upx
behavioral2/memory/4976-25-0x0000000000400000-0x0000000000555000-memory.dmp	upx
behavioral2/memory/4976-28-0x0000000000400000-0x0000000000555000-memory.dmp	upx
behavioral2/memory/4976-31-0x0000000000400000-0x0000000000555000-memory.dmp	upx
behavioral2/memory/4976-35-0x0000000000400000-0x0000000000555000-memory.dmp	upx
behavioral2/memory/4976-38-0x0000000000400000-0x0000000000555000-memory.dmp	upx
behavioral2/memory/4976-41-0x0000000000400000-0x0000000000555000-memory.dmp	upx
behavioral2/memory/4976-44-0x0000000000400000-0x0000000000555000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4976	b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe
4976	b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe
4976	b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe
4976	b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe
4976	b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe
4976	b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe
4976	b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe
4976	b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe
4976	b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe
4976	b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe
4976	b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe
4976	b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe
4976	b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe
4976	b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe
4976	b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe
4976	b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe
4976	b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe
4976	b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4976	b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4976	b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe
4976	b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 2708	4976	b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe	82
PID 4976 wrote to memory of 2708	4976	b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe	82
PID 4976 wrote to memory of 2708	4976	b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe	82
PID 4976 wrote to memory of 3628	4976	b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe	83
PID 4976 wrote to memory of 3628	4976	b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe	83
PID 4976 wrote to memory of 3628	4976	b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe	83

C:\Users\Admin\AppData\Local\Temp\b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe
"C:\Users\Admin\AppData\Local\Temp\b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2708
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ytmd.exe

Filesize
1.8MB

MD5
1a5f24c3ab345d5ed5f68409f442f205

SHA1
48c1eb761f9a8d66a341d871b4ff0b95b2109bfd

SHA256
5e958c2dbfbc49efa38eca532828b116577a152823439fa6ce064b2263e09a1c

SHA512
3f57ec3b0a3ec71cdf6c416c11ee1d6cd6ea8388030611027a6b02d93106b7f3b0fc478fa4fe5a0d86a58c3a2e8f4c28f039b3345eaf429e98ade9d657ee56bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
16ae5830b2877dac7247f8c4154c9efd

SHA1
fe650b531d9eb8dd0d9d21b8b8c06f1246d397c6

SHA256
a85dd932dfa73597b1281b8ce99b149e1d92577a0daf3e2318b38d1df212e52b

SHA512
84da7c8064c911494893265cc9c4d44fb220711c7bce3f302707a3db3b0c05c2e72580482833221f8f3c5225c6e0ce523a50b883cac6c83b59d80d8388874d85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
ecc55219ef70298445bf9db69d87ad4d

SHA1
698f44c00e2591b996d18e124d35fe9f76492ae2

SHA256
307b4f33efbc06b1f80dfedf6296c53171ee5e4b8e11744623b0bff364bb9049

SHA512
ca519539166b0aab62a1e9d8866af0d696b655fd57cc682d91ebdb7fc0f48f991cc2ddc4cee33d1cc7ea9c5c05b55f196d77cdf9c76724fa480d16a56d0dd590

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
2.5MB

MD5
cbbde9443e09b0eb5e19b2e7f70b0be2

SHA1
c72c58798b8e5d3752c54fa60ae78a1657918100

SHA256
68aad98c19c886dd846829ac3f59b2c460ac5a9f9b4bc0f27c0c5a2091839390

SHA512
992dff3ef5499b93acda7cfcbcb2041908d8002598034ab50b91c39a769f70f59ef3a548802bf6f7635a55eb8e3c9eac764abe389a8e4cd4d2e3a8d55da4a1b0

Download Submit
memory/4976-0-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/4976-25-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/4976-28-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/4976-31-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/4976-35-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/4976-38-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/4976-41-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/4976-44-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads