1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26

General

Target

1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe
Size

14KB
MD5

2906e9954d3a92a8ef1775fa5e3c2580
SHA1

eed8ecc850cb2f9f7200f765e4789897a5c12fbd
SHA256

1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26
SHA512

09c9ef9fda2f3b5850344d06c4eaf12abea8db44d26531acce526d2694e8149723adbfc9e5de8ded896a56e05bb65c73223d5b153d1193813e7b25802cc787b1
SSDEEP

384:FhM8ifXjqMmzP2o9U25j7AkFI/E8mkvha1H94Ni4bhG:FhMr78it25q/EF1H9D49G

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2612	cmd.exe
944	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
944	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 5092	1132	1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe	91
PID 1132 wrote to memory of 5092	1132	1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe	91
PID 1132 wrote to memory of 5092	1132	1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe	91
PID 5092 wrote to memory of 2708	5092	csc.exe	93
PID 5092 wrote to memory of 2708	5092	csc.exe	93
PID 5092 wrote to memory of 2708	5092	csc.exe	93
PID 1132 wrote to memory of 2612	1132	1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe	94
PID 1132 wrote to memory of 2612	1132	1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe	94
PID 1132 wrote to memory of 2612	1132	1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe	94
PID 2612 wrote to memory of 944	2612	cmd.exe	96
PID 2612 wrote to memory of 944	2612	cmd.exe	96
PID 2612 wrote to memory of 944	2612	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe
"C:\Users\Admin\AppData\Local\Temp\1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\svo1gn4e\svo1gn4e.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES85C6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEDDD506DC3584F6B87119C59550C31B.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2708
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe" & move "갛갈갭간갌.exe" "C:\Users\Admin\AppData\Local\Temp\1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES85C6.tmp

Filesize
1KB

MD5
e344bf4505c3a682cfc0663dbab6f520

SHA1
df6c6a7dfd0730a4b85e0ee177b155199af089bb

SHA256
ebdb6b33c7dde70b1cf4c5ad575d86a9e97151b37b85bcbe89fb7ed350b5ef14

SHA512
65cd8758509bb975b1cc9fa259fe7001411c6cb93b3868faf7565d3859045606be0da98f4baedc55776e39efcd59eb9eeca45434add60ccc96ef6ec021f09951

Download Submit
C:\Users\Admin\AppData\Local\Temp\갛갈갭간갌.exe

Filesize
14KB

MD5
492d022709caa6fe8fea0986311fe59e

SHA1
78245de2255b2534357f8aa997fce7453e0c9e92

SHA256
c08da2811a0e86a148a1c68c3bd527e83db919ecfd32291bf701c538ced1b54c

SHA512
4ce9b6083554acc22ac5373e32f6d1f623ba45a88fece91fafd9dfc040134e3fd8b37e8c4cc54278dacee893172c38f37c70c9f318d1456af8931a25c0893a77

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCEDDD506DC3584F6B87119C59550C31B.TMP

Filesize
1KB

MD5
a5a77eb087cff7cdaf222ba2cb1be528

SHA1
80b283cba9a48fd5280cb85af2d4c948af169faf

SHA256
fd67818558606ff8e556df0abd3f18b2edbbd06bbfc884a8a5315e0ed78f375c

SHA512
ad6ef72e61da8aeb18a7da12ca8db127524577d709e7f96e619c1c51511355b5d187843601526067611e2f1510f2cfbc3a13b2984d3dd85b3148614bad7ac0dc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\svo1gn4e\svo1gn4e.0.cs

Filesize
23KB

MD5
42def916e8d5425fc2312c73019b6281

SHA1
71fbaf74706b4208823f5c9b5ba1efab3782b791

SHA256
cebedd75a44db202c50f6667116d8983d7cb17e4742f3fb63d6d77dbd774d42a

SHA512
5b814aac2a15ee11cb666a215b4435e27c50cb73cc5e92d23399d01277a1a88bd5992995442677bc12a6e2a665269e034357992e05ca245a9ccae767bf28ce69

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\svo1gn4e\svo1gn4e.cmdline

Filesize
275B

MD5
d12b304b2fc9716fa9c61bb59ac727cd

SHA1
00c6ff6277a10a8bc52e5d4b21cf69ecdc92fda3

SHA256
a16487fbd9acea8102e4f06e2250e07c4deebc9b3fc34c03130b5b3c9e7a66ed

SHA512
36aeac40e7342c503b45d22b999cc458050d8d910a75e6e2de83c7d1bebb220175fd30dc78e2a0e69168ff629b80254b2c48b413152ccb6490595d4cf37f3ee4

Download Submit
memory/1132-5-0x00000000752C0000-0x0000000075A70000-memory.dmp

Filesize
7.7MB

Download
memory/1132-0-0x00000000752CE000-0x00000000752CF000-memory.dmp

Filesize
4KB

Download
memory/1132-4-0x0000000005340000-0x00000000053D2000-memory.dmp

Filesize
584KB

Download
memory/1132-3-0x0000000005290000-0x0000000005298000-memory.dmp

Filesize
32KB

Download
memory/1132-2-0x0000000005840000-0x0000000005DE4000-memory.dmp

Filesize
5.6MB

Download
memory/1132-1-0x0000000000950000-0x000000000095A000-memory.dmp

Filesize
40KB

Download
memory/1132-18-0x0000000005420000-0x000000000542A000-memory.dmp

Filesize
40KB

Download
memory/1132-23-0x00000000752C0000-0x0000000075A70000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads