4e63dde927cbcf9398224adc3a3d1b5407f92fef63bb1daecb7e1f46b2dc6740

General

Target

4e63dde927cbcf9398224adc3a3d1b5407f92fef63bb1daecb7e1f46b2dc6740.exe
Size

281KB
MD5

902f329132d38b6ab6a8cd38cc59a493
SHA1

94462ef8f247e98259c8b7b08ea76dac2f94e701
SHA256

4e63dde927cbcf9398224adc3a3d1b5407f92fef63bb1daecb7e1f46b2dc6740
SHA512

4faeb3f2375692ea1f74ecd844cf9b7ba46cbc9611fbe64ab5f804b783a277e63fab197e1ba0a5b52550c61bf6829bfa2f180e3c7422f7b0946fc38e3b3d5746
SSDEEP

6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fKkfi:boSeGUA5YZazpXUmZhZ6S/

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	4e63dde927cbcf9398224adc3a3d1b5407f92fef63bb1daecb7e1f46b2dc6740.exe

Executes dropped EXE 1 IoCs

pid	Process
1848	a1punf5t2of.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe"	4e63dde927cbcf9398224adc3a3d1b5407f92fef63bb1daecb7e1f46b2dc6740.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e63dde927cbcf9398224adc3a3d1b5407f92fef63bb1daecb7e1f46b2dc6740.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1punf5t2of.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 1848	4992	4e63dde927cbcf9398224adc3a3d1b5407f92fef63bb1daecb7e1f46b2dc6740.exe	100
PID 4992 wrote to memory of 1848	4992	4e63dde927cbcf9398224adc3a3d1b5407f92fef63bb1daecb7e1f46b2dc6740.exe	100
PID 4992 wrote to memory of 1848	4992	4e63dde927cbcf9398224adc3a3d1b5407f92fef63bb1daecb7e1f46b2dc6740.exe	100
PID 1848 wrote to memory of 2260	1848	a1punf5t2of.exe	101
PID 1848 wrote to memory of 2260	1848	a1punf5t2of.exe	101
PID 1848 wrote to memory of 2260	1848	a1punf5t2of.exe	101

C:\Users\Admin\AppData\Local\Temp\4e63dde927cbcf9398224adc3a3d1b5407f92fef63bb1daecb7e1f46b2dc6740.exe
"C:\Users\Admin\AppData\Local\Temp\4e63dde927cbcf9398224adc3a3d1b5407f92fef63bb1daecb7e1f46b2dc6740.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
  "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
    "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
    3⤵
    PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

Filesize
281KB

MD5
5fdde3fc6d54aff7748bc4d13a2a3fb3

SHA1
454d0fc46538e7feaa049df9ceddbc16e376e647

SHA256
c9386319d9d66fedd4fbeff61f69ce92713bf84d74628d3028edad2add31fbc3

SHA512
f66030ae8b507f19da9ae5561958361989784cca744c3339817bfb2d05d0c701607e191cb008798c0029419cd992e7c5906c1cb134fb92c40a339bb15abcba93

Download Submit
memory/1848-24-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/1848-25-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/1848-30-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/1848-28-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/1848-22-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/1848-27-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/1848-26-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/1848-23-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/4992-6-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/4992-5-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/4992-1-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/4992-0-0x0000000074BB2000-0x0000000074BB3000-memory.dmp

Filesize
4KB

Download
memory/4992-3-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/4992-7-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/4992-2-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/4992-4-0x0000000074BB2000-0x0000000074BB3000-memory.dmp

Filesize
4KB

Download
memory/4992-21-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads