953d5ceb163cd52ce049e4f120a30e60464144a312d892abf81f03fbc75b9936

General

Target

953d5ceb163cd52ce049e4f120a30e60464144a312d892abf81f03fbc75b9936.exe
Size

415KB
MD5

ea1cf232a4bad711276174692234aab2
SHA1

fba44c2496392a43c7ca77ac67ef1d83aae7b695
SHA256

953d5ceb163cd52ce049e4f120a30e60464144a312d892abf81f03fbc75b9936
SHA512

8a982c16646427a93488a20bccf90b7b71dac284ad69c4369932755291288ea65a29069c25bcb4536692a2916631ad81cccaddc6c06971a40f5336edbd1316da
SSDEEP

6144:ITNE3ZRrnaBVlvphVxmP+6CiejgcME1cwYfU+va+RU7g:ITNYrnE3bm/CiejewY5v/

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

953d5ceb163cd52ce049e4f120a30e60464144a312d892abf81f03fbc75b9936.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	953d5ceb163cd52ce049e4f120a30e60464144a312d892abf81f03fbc75b9936.exe

Executes dropped EXE 1 IoCs

Processes:

ximo2ubzn1i.exe

pid	Process
876	ximo2ubzn1i.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

953d5ceb163cd52ce049e4f120a30e60464144a312d892abf81f03fbc75b9936.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c5e4gxfvd4v = "C:\\Users\\Admin\\AppData\\Roaming\\c5e4gxfvd4v\\ximo2ubzn1i.exe"	953d5ceb163cd52ce049e4f120a30e60464144a312d892abf81f03fbc75b9936.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

953d5ceb163cd52ce049e4f120a30e60464144a312d892abf81f03fbc75b9936.exeximo2ubzn1i.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	953d5ceb163cd52ce049e4f120a30e60464144a312d892abf81f03fbc75b9936.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ximo2ubzn1i.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

953d5ceb163cd52ce049e4f120a30e60464144a312d892abf81f03fbc75b9936.exeximo2ubzn1i.exe

description	pid	Process	procid_target
PID 2440 wrote to memory of 876	2440	953d5ceb163cd52ce049e4f120a30e60464144a312d892abf81f03fbc75b9936.exe	86
PID 2440 wrote to memory of 876	2440	953d5ceb163cd52ce049e4f120a30e60464144a312d892abf81f03fbc75b9936.exe	86
PID 2440 wrote to memory of 876	2440	953d5ceb163cd52ce049e4f120a30e60464144a312d892abf81f03fbc75b9936.exe	86
PID 876 wrote to memory of 2064	876	ximo2ubzn1i.exe	87
PID 876 wrote to memory of 2064	876	ximo2ubzn1i.exe	87
PID 876 wrote to memory of 2064	876	ximo2ubzn1i.exe	87

C:\Users\Admin\AppData\Local\Temp\953d5ceb163cd52ce049e4f120a30e60464144a312d892abf81f03fbc75b9936.exe
"C:\Users\Admin\AppData\Local\Temp\953d5ceb163cd52ce049e4f120a30e60464144a312d892abf81f03fbc75b9936.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe
  "C:\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
    3⤵
    PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe

Filesize
415KB

MD5
c06997057e998a6ffbe854a8137c86b3

SHA1
653e7ee37c757f51a3146d1a2e0821f853b55bd8

SHA256
f717c14f642c6ebbae0192517bd5f0db41f9b5f5f75e968a32a0b98ad95512cc

SHA512
05e05bcbf615fddc56ebea7f4800139aaf0efb026acf8ca836add6370d97da8e51dc263aaee473df05de6ba58419a60063b2145c1f776617875ee1a734fa0af5

Download Submit
memory/876-25-0x00000000752E0000-0x0000000075A90000-memory.dmp

Filesize
7.7MB

Download
memory/876-23-0x00000000752E0000-0x0000000075A90000-memory.dmp

Filesize
7.7MB

Download
memory/876-22-0x00000000752E0000-0x0000000075A90000-memory.dmp

Filesize
7.7MB

Download
memory/876-21-0x00000000752E0000-0x0000000075A90000-memory.dmp

Filesize
7.7MB

Download
memory/2440-3-0x00000000057B0000-0x0000000005842000-memory.dmp

Filesize
584KB

Download
memory/2440-6-0x0000000005A10000-0x0000000005A4C000-memory.dmp

Filesize
240KB

Download
memory/2440-5-0x0000000005780000-0x000000000578A000-memory.dmp

Filesize
40KB

Download
memory/2440-20-0x00000000752E0000-0x0000000075A90000-memory.dmp

Filesize
7.7MB

Download
memory/2440-4-0x00000000752E0000-0x0000000075A90000-memory.dmp

Filesize
7.7MB

Download
memory/2440-0-0x00000000752EE000-0x00000000752EF000-memory.dmp

Filesize
4KB

Download
memory/2440-2-0x0000000005D60000-0x0000000006304000-memory.dmp

Filesize
5.6MB

Download
memory/2440-1-0x0000000000D10000-0x0000000000D7E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads