455193e153b09c0c36a9f14f7c1db75e21231615f992c413281b1135dd5b8334

General

Target

65abbb1b8cb5f121249ad00bf99995aa.exe
Size

27KB
MD5

65abbb1b8cb5f121249ad00bf99995aa
SHA1

e2716aa2af91bfa1e44e029fc86776690d3d2c74
SHA256

455193e153b09c0c36a9f14f7c1db75e21231615f992c413281b1135dd5b8334
SHA512

bef09a4254b4c0087487d2d28172ecfd133e05508f665545cc2c94b7349cd254edd22e3b37eeeb01f9aeac6dfb4caf024bfa9b52abfe67d42ae3923ac3ae295c
SSDEEP

384:CLpHqxzDGoEXHWtyXc0gCQP8thFMRAQk93vmhm7UMKmIEecKdbXTzm9bVhcar6D1:cpKFy4pFRA/vMHTi9bD

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	65abbb1b8cb5f121249ad00bf99995aa.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	65abbb1b8cb5f121249ad00bf99995aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Payload.exe

Executes dropped EXE 1 IoCs

pid	Process
264	Payload.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe"	65abbb1b8cb5f121249ad00bf99995aa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65abbb1b8cb5f121249ad00bf99995aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	264	Payload.exe
Token: 33	264	Payload.exe
Token: SeIncBasePriorityPrivilege	264	Payload.exe
Token: 33	264	Payload.exe
Token: SeIncBasePriorityPrivilege	264	Payload.exe
Token: 33	264	Payload.exe
Token: SeIncBasePriorityPrivilege	264	Payload.exe
Token: 33	264	Payload.exe
Token: SeIncBasePriorityPrivilege	264	Payload.exe
Token: 33	264	Payload.exe
Token: SeIncBasePriorityPrivilege	264	Payload.exe
Token: 33	264	Payload.exe
Token: SeIncBasePriorityPrivilege	264	Payload.exe
Token: 33	264	Payload.exe
Token: SeIncBasePriorityPrivilege	264	Payload.exe
Token: 33	264	Payload.exe
Token: SeIncBasePriorityPrivilege	264	Payload.exe
Token: 33	264	Payload.exe
Token: SeIncBasePriorityPrivilege	264	Payload.exe
Token: 33	264	Payload.exe
Token: SeIncBasePriorityPrivilege	264	Payload.exe
Token: 33	264	Payload.exe
Token: SeIncBasePriorityPrivilege	264	Payload.exe
Token: 33	264	Payload.exe
Token: SeIncBasePriorityPrivilege	264	Payload.exe
Token: 33	264	Payload.exe
Token: SeIncBasePriorityPrivilege	264	Payload.exe
Token: 33	264	Payload.exe
Token: SeIncBasePriorityPrivilege	264	Payload.exe
Token: 33	264	Payload.exe
Token: SeIncBasePriorityPrivilege	264	Payload.exe
Token: 33	264	Payload.exe
Token: SeIncBasePriorityPrivilege	264	Payload.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 264	1344	65abbb1b8cb5f121249ad00bf99995aa.exe	86
PID 1344 wrote to memory of 264	1344	65abbb1b8cb5f121249ad00bf99995aa.exe	86
PID 1344 wrote to memory of 264	1344	65abbb1b8cb5f121249ad00bf99995aa.exe	86
PID 1344 wrote to memory of 208	1344	65abbb1b8cb5f121249ad00bf99995aa.exe	87
PID 1344 wrote to memory of 208	1344	65abbb1b8cb5f121249ad00bf99995aa.exe	87
PID 1344 wrote to memory of 208	1344	65abbb1b8cb5f121249ad00bf99995aa.exe	87

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
208	attrib.exe

C:\Users\Admin\AppData\Local\Temp\65abbb1b8cb5f121249ad00bf99995aa.exe
"C:\Users\Admin\AppData\Local\Temp\65abbb1b8cb5f121249ad00bf99995aa.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Users\Admin\AppData\Local\Temp\Payload.exe
  "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:264
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Payload.exe

Filesize
27KB

MD5
65abbb1b8cb5f121249ad00bf99995aa

SHA1
e2716aa2af91bfa1e44e029fc86776690d3d2c74

SHA256
455193e153b09c0c36a9f14f7c1db75e21231615f992c413281b1135dd5b8334

SHA512
bef09a4254b4c0087487d2d28172ecfd133e05508f665545cc2c94b7349cd254edd22e3b37eeeb01f9aeac6dfb4caf024bfa9b52abfe67d42ae3923ac3ae295c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Filesize
1KB

MD5
933490161b0b59c49a01b612b65e7911

SHA1
b14f486248cef2a24f2b97a17eb0e41a5eef1b19

SHA256
e762e2c786953a74b5bc9d033dd7079d461878ce5daab7553ef3e9a167c4a616

SHA512
18f70920bac4f24d2a28e3698066e6dd43af8095a56a572426eaf9f3a5d9ec191417ec65ff608fc4e882629a5bc78eb0a25f818d5a7e193e9b304c8ad93ee74d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

Filesize
1KB

MD5
965e6302945bcceb865364e8b236e877

SHA1
93fa7c16c468a8c51abd8fee2aac5cbd86b4762f

SHA256
f7f347cf948f21b405726e3773883de988de72b41e954943cc9b4c8af53e45b5

SHA512
beddca6ae7c5d09f03de7fa716529d0a349d7b377b2e0a3d8689c07fe2b30335814f7e8d631c61823aec23b4b71be2f73e1589e7fde82818dcb454fe6c845cf6

Download Submit
memory/264-18-0x0000000074F80000-0x0000000075531000-memory.dmp

Filesize
5.7MB

Download
memory/264-17-0x0000000074F80000-0x0000000075531000-memory.dmp

Filesize
5.7MB

Download
memory/264-23-0x0000000074F80000-0x0000000075531000-memory.dmp

Filesize
5.7MB

Download
memory/1344-0-0x0000000074F82000-0x0000000074F83000-memory.dmp

Filesize
4KB

Download
memory/1344-1-0x0000000074F80000-0x0000000075531000-memory.dmp

Filesize
5.7MB

Download
memory/1344-2-0x0000000074F80000-0x0000000075531000-memory.dmp

Filesize
5.7MB

Download
memory/1344-5-0x0000000074F82000-0x0000000074F83000-memory.dmp

Filesize
4KB

Download
memory/1344-6-0x0000000074F80000-0x0000000075531000-memory.dmp

Filesize
5.7MB

Download
memory/1344-16-0x0000000074F80000-0x0000000075531000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads