ea2a102a0c59bfec24a404070337d82f2f32457339264aea5784291ab11d079c

General

Target

ea2a102a0c59bfec24a404070337d82f2f32457339264aea5784291ab11d079c.exe
Size

282KB
MD5

1f2fa7137a179b847cb83874c8779daf
SHA1

63f6a1977b1b4a6b8393c3336499aa90cafdc221
SHA256

ea2a102a0c59bfec24a404070337d82f2f32457339264aea5784291ab11d079c
SHA512

e04a568fbe572009db6746f40075599d04dbce0d486eb546ce80d5195225f5cad6987cb1567eb0f34b2517d9aed73c352c56ef5d15e11f526de9a1f56d74fb61
SSDEEP

6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fKkfp9:boSeGUA5YZazpXUmZhZ6Se

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ea2a102a0c59bfec24a404070337d82f2f32457339264aea5784291ab11d079c.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	ea2a102a0c59bfec24a404070337d82f2f32457339264aea5784291ab11d079c.exe

Executes dropped EXE 1 IoCs

Processes:

a1punf5t2of.exe

pid	Process
4664	a1punf5t2of.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ea2a102a0c59bfec24a404070337d82f2f32457339264aea5784291ab11d079c.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe"	ea2a102a0c59bfec24a404070337d82f2f32457339264aea5784291ab11d079c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ea2a102a0c59bfec24a404070337d82f2f32457339264aea5784291ab11d079c.exea1punf5t2of.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea2a102a0c59bfec24a404070337d82f2f32457339264aea5784291ab11d079c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1punf5t2of.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ea2a102a0c59bfec24a404070337d82f2f32457339264aea5784291ab11d079c.exea1punf5t2of.exe

description	pid	Process	procid_target
PID 4816 wrote to memory of 4664	4816	ea2a102a0c59bfec24a404070337d82f2f32457339264aea5784291ab11d079c.exe	85
PID 4816 wrote to memory of 4664	4816	ea2a102a0c59bfec24a404070337d82f2f32457339264aea5784291ab11d079c.exe	85
PID 4816 wrote to memory of 4664	4816	ea2a102a0c59bfec24a404070337d82f2f32457339264aea5784291ab11d079c.exe	85
PID 4664 wrote to memory of 3420	4664	a1punf5t2of.exe	86
PID 4664 wrote to memory of 3420	4664	a1punf5t2of.exe	86
PID 4664 wrote to memory of 3420	4664	a1punf5t2of.exe	86

C:\Users\Admin\AppData\Local\Temp\ea2a102a0c59bfec24a404070337d82f2f32457339264aea5784291ab11d079c.exe
"C:\Users\Admin\AppData\Local\Temp\ea2a102a0c59bfec24a404070337d82f2f32457339264aea5784291ab11d079c.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
  "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
    "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
    3⤵
    PID:3420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

Filesize
282KB

MD5
951cc37d5e7ab7db7442b1444e3d4ff2

SHA1
498f6f352d4a47f517901cc58e94791c5e25a69c

SHA256
ac6216130cba6a39734be5e3f2e3a975151603e0b73c3c64f690e7caaf7e00fc

SHA512
8c8d5acc26c2b643ccd8ba0669e299455211e5be659ed3d1cdfefe26500750eaf3b35f62698a7144f6ae6553db26b283ecf04bf902f03099c88b6d27a0ead6ea

Download Submit
memory/4664-21-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/4664-23-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/4664-29-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/4664-27-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/4664-26-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/4664-25-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/4664-24-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/4816-22-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/4816-5-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/4816-7-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/4816-2-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/4816-0-0x0000000074BE2000-0x0000000074BE3000-memory.dmp

Filesize
4KB

Download
memory/4816-6-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/4816-1-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/4816-4-0x0000000074BE2000-0x0000000074BE3000-memory.dmp

Filesize
4KB

Download
memory/4816-3-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads