927410e5f71f8159ec20d0f12f280fbd5187f40b90e8f9f4f9a5b556e5d679d5

General

Target

test.exe
Size

27KB
MD5

97dc472b0e7e8fbb5613ba8b4456c49d
SHA1

9d4f28a6fca25c4e478e2582f748288ecf3437a0
SHA256

927410e5f71f8159ec20d0f12f280fbd5187f40b90e8f9f4f9a5b556e5d679d5
SHA512

3b26c906558c26bc795df6114867638249256e1e3a685951a7325bcdc6ff9ed388e7b1f9b1d729247fc6bf82271d54301ac00f9aa5699e38f26e6c8e01dee848
SSDEEP

384:fLbQKJ3bEZjmgERA40DwoyumGPiJRjMFAQk93vmhm7UMKmIEecKdbXTzm9bVhcac:T8K5bEQE40fLFA/vMHTi9bD

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

test.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation test.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	test.exe

Drops startup file 4 IoCs

Processes:

Payload.exetest.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Payload.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	test.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Payload.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Payload.exe

Executes dropped EXE 1 IoCs

Processes:

Payload.exe

pid process

3120 Payload.exe

pid	process
3120	Payload.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

test.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe"	test.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

attrib.exetest.exePayload.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

Payload.exe

description	pid	process
Token: SeDebugPrivilege	3120	Payload.exe
Token: 33	3120	Payload.exe
Token: SeIncBasePriorityPrivilege	3120	Payload.exe
Token: 33	3120	Payload.exe
Token: SeIncBasePriorityPrivilege	3120	Payload.exe
Token: 33	3120	Payload.exe
Token: SeIncBasePriorityPrivilege	3120	Payload.exe
Token: 33	3120	Payload.exe
Token: SeIncBasePriorityPrivilege	3120	Payload.exe
Token: 33	3120	Payload.exe
Token: SeIncBasePriorityPrivilege	3120	Payload.exe
Token: 33	3120	Payload.exe
Token: SeIncBasePriorityPrivilege	3120	Payload.exe
Token: 33	3120	Payload.exe
Token: SeIncBasePriorityPrivilege	3120	Payload.exe
Token: 33	3120	Payload.exe
Token: SeIncBasePriorityPrivilege	3120	Payload.exe
Token: 33	3120	Payload.exe
Token: SeIncBasePriorityPrivilege	3120	Payload.exe
Token: 33	3120	Payload.exe
Token: SeIncBasePriorityPrivilege	3120	Payload.exe
Token: 33	3120	Payload.exe
Token: SeIncBasePriorityPrivilege	3120	Payload.exe
Token: 33	3120	Payload.exe
Token: SeIncBasePriorityPrivilege	3120	Payload.exe
Token: 33	3120	Payload.exe
Token: SeIncBasePriorityPrivilege	3120	Payload.exe
Token: 33	3120	Payload.exe
Token: SeIncBasePriorityPrivilege	3120	Payload.exe
Token: 33	3120	Payload.exe
Token: SeIncBasePriorityPrivilege	3120	Payload.exe
Token: 33	3120	Payload.exe
Token: SeIncBasePriorityPrivilege	3120	Payload.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

test.exe

description	pid	process	target process
PID 2324 wrote to memory of 3120	2324	test.exe	Payload.exe
PID 2324 wrote to memory of 3120	2324	test.exe	Payload.exe
PID 2324 wrote to memory of 3120	2324	test.exe	Payload.exe
PID 2324 wrote to memory of 4612	2324	test.exe	attrib.exe
PID 2324 wrote to memory of 4612	2324	test.exe	attrib.exe
PID 2324 wrote to memory of 4612	2324	test.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

4612 attrib.exe

pid	process
4612	attrib.exe

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Local\Temp\Payload.exe
  "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3120
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Payload.exe

Filesize
27KB

MD5
97dc472b0e7e8fbb5613ba8b4456c49d

SHA1
9d4f28a6fca25c4e478e2582f748288ecf3437a0

SHA256
927410e5f71f8159ec20d0f12f280fbd5187f40b90e8f9f4f9a5b556e5d679d5

SHA512
3b26c906558c26bc795df6114867638249256e1e3a685951a7325bcdc6ff9ed388e7b1f9b1d729247fc6bf82271d54301ac00f9aa5699e38f26e6c8e01dee848

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Filesize
1KB

MD5
a2bdf65651bf647b5e2f008501d71ddc

SHA1
af9dd7b7c2ccae950ee2d21c585fccdcdd58220d

SHA256
37118466e955a6ca34b5bdbeebbccaa4da1b857682a986dde4e64e710fd0cb38

SHA512
d7b7b58d9e4ce0f7441048f46470b2a02289699119683ff2b33a7011bae1eba2d419ab637f6cf1f51d5a08b4d8d1b08f69548ecb0484892b331d1c17642e287a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

Filesize
1KB

MD5
8922f999a87fa684ec8c7a335b19e64b

SHA1
a7a37c39da3f4185fd3d271cf5842d5db460c907

SHA256
edfadcfeb9f9750f0017d0111127297eda3c0f50590408c44f8d894c5af97422

SHA512
abb8fe922afc8801b58944d45e0364ab684b42993e442895302566a4d9f3f26829e3275d22ce8895e191c41d83e1780d74f8723d04698210cbeb7dc6bc29ad92

Download Submit
memory/2324-5-0x0000000074E92000-0x0000000074E93000-memory.dmp

Filesize
4KB

Download
memory/2324-6-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/2324-0-0x0000000074E92000-0x0000000074E93000-memory.dmp

Filesize
4KB

Download
memory/2324-16-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/2324-2-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/2324-1-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/3120-17-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/3120-18-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/3120-20-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/3120-24-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads