183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270

General

Target

183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
Size

646KB
MD5

58742fa74d16b336b4683d92de86bd90
SHA1

4dc80e230c6f38acae85628d913e792daa12ddab
SHA256

183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270
SHA512

7b0b033f63d7aa635779093fa3a2991d783dab29f4037552981309045cfc251cb2fc71bec8d99852e7762282d492bf4198287c1efc86833ea16270824984fc77
SSDEEP

6144:tWInt4heqUOF96tvcMWGXONceGBIucsLN:t/qUOFst4GXwGBIucsLN

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe

Executes dropped EXE 3 IoCs

pid	Process
4132	rs.exe
3700	orau.exe
5016	wtssvit.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WAPI = "C:\\Windows\\system32\\wtssvit.exe"	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ieuu = "C:\\Users\\Admin\\AppData\\Roaming\\orau.exe"	rs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ieuu = "C:\\Users\\Admin\\AppData\\Roaming\\orau.exe"	orau.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wtssvit.exe	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00090000000233f6-2.dat	upx
behavioral2/memory/4132-3-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral2/memory/4132-6-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral2/memory/4132-19-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral2/memory/3700-49-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral2/memory/3700-50-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral2/memory/3700-78-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral2/memory/3700-79-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral2/memory/3700-80-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral2/memory/3700-82-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral2/memory/3700-83-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral2/memory/3700-84-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral2/memory/3700-85-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral2/memory/3700-86-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral2/memory/3700-87-0x0000000000400000-0x0000000000431000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PurityScan\PuritySCAN.exe	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	orau.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wtssvit.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wtssvit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wtssvit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	wtssvit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wtssvit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1148	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
1148	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
1148	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
1148	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
1148	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
1148	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
5016	wtssvit.exe
5016	wtssvit.exe
5016	wtssvit.exe
5016	wtssvit.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1148	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
1148	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
1148	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
1148	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
5016	wtssvit.exe
5016	wtssvit.exe
5016	wtssvit.exe
5016	wtssvit.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 4132	1148	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe	82
PID 1148 wrote to memory of 4132	1148	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe	82
PID 1148 wrote to memory of 4132	1148	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe	82
PID 4132 wrote to memory of 3700	4132	rs.exe	83
PID 4132 wrote to memory of 3700	4132	rs.exe	83
PID 4132 wrote to memory of 3700	4132	rs.exe	83
PID 1148 wrote to memory of 5016	1148	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe	85
PID 1148 wrote to memory of 5016	1148	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe	85
PID 1148 wrote to memory of 5016	1148	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe	85

C:\Users\Admin\AppData\Local\Temp\183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
"C:\Users\Admin\AppData\Local\Temp\183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Users\Admin\AppData\Local\Temp\rs.exe
  C:\Users\Admin\AppData\Local\Temp\rs.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Users\Admin\AppData\Roaming\orau.exe
    C:\Users\Admin\AppData\Roaming\orau.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:3700
- C:\Windows\SysWOW64\wtssvit.exe
  "C:\Windows\system32\wtssvit.exe" /no_ads
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
7cb1d30549e1e9bffb229f42effdd864

SHA1
ca5e206098f88d2d6c453a46a25b6fc142d27dad

SHA256
b8fa1fc7ad5f3c21e017fb569bc6c7724f5fc8e0d5508b012551c2a79de2ecef

SHA512
657d9716f3dd71de70fd958776dc0b8c9dd873483d6a32532d0b1966a35a53f5cffc90f3487ef73e3ba0683b62ee0612e6bf6e865b2a5da1e51eb0ef5970d837

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
1cae5f991b79718364bd3af873e5feca

SHA1
e028d75002a820c0dab6b5ce05f0b2990fab9bdd

SHA256
f6ea5fe6750a3bb97c5cf90c85fec9f9cc564626b72f767801f22f1984d44a10

SHA512
b6c01364c6fd38473984c3eaf3826954061493d69743746002588c3bc496c4784e00e659ac604ad0ecd672cb5de01d4406155fa5f3f2438a1ae37d4dd671c415

Download Submit
C:\Users\Admin\AppData\Local\Temp\rs.exe

Filesize
74KB

MD5
a06938dc128be2c105246e7c5dc5ddfb

SHA1
de1af16987f6556fb42790fb690f78b41f4133c7

SHA256
ce6a8a2accac99a44fa9827dac675a364d7d40019e57ba1d11140668a5121543

SHA512
49f64b01496d6af93e888ee8cc2747253a69de0fa1f5dc5d19705e8271c6bfbd182b806ec4a84d612d6505ff9e897bf9f37d5b8e7e5c4b394047efd365b9db78

Download Submit
C:\Windows\SysWOW64\wtssvit.exe

Filesize
660KB

MD5
df525b239ad7267ff963d6a9ffa18b91

SHA1
2d8bf933a18ef4c0595885a2c3a67a15d693bdd8

SHA256
a79ffa90bfe4592bce7af4af9a3399f355c3ccb7ed8c28f5840e2ac01d3125ef

SHA512
7dce620200f2ca70f6af9fc8afa4136b0fe4714c443677ac187b162568fb1bc10c772bd24681a18099e827b80fe5ed95f468cfbb53f95b038e65017e18428993

Download Submit
memory/3700-50-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3700-84-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3700-87-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3700-49-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3700-86-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3700-78-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3700-79-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3700-80-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3700-82-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3700-83-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3700-85-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4132-19-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4132-3-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4132-6-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads