73b6df0add9bc6b5792d274d316ecd70d636847db25ce6f3e63e77fb72369037

General

Target

7c7a1691b47e950616215c93e2cd4ec1893f646a44146ca7b6cd6352b9dee2c8.exe
Size

3.9MB
MD5

c8420fe03d088ed9558dea175de7711f
SHA1

2feece2652375bee5171f31d10caf9ea4291ed36
SHA256

7c7a1691b47e950616215c93e2cd4ec1893f646a44146ca7b6cd6352b9dee2c8
SHA512

ef935456d3fd0a7f32b1abb8bfc2ccb9b37443835157f9b8805875fce15ab1b9ec1639253d6ec20b83dadae714531e49f6c26621fbb5ffca46af665a5df88a2a
SSDEEP

98304:rUg3G64EgdhTNuQmT19jSxkUDsY5HJFWHzFJkyTnIDQVVNdM8LtUIgCfhsT:lGNXNu/LjeOY5pFovkyTIDQs8LqIgCK

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7c7a1691b47e950616215c93e2cd4ec1893f646a44146ca7b6cd6352b9dee2c8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7c7a1691b47e950616215c93e2cd4ec1893f646a44146ca7b6cd6352b9dee2c8.exe

Executes dropped EXE 2 IoCs

Processes:

Setup.exekodoes.exe

pid process

4412 Setup.exe
4864 kodoes.exe

pid	process
4412	Setup.exe
4864	kodoes.exe

Drops file in Program Files directory 22 IoCs

Processes:

Setup.exe

description	ioc	process
File created	C:\Program Files\kameos\nexos.exe	Setup.exe
File opened for modification	C:\Program Files\NSWUSB\NSWUSB¦µ¦ó+v+¦¦˜-¦+˜.txt	Setup.exe
File opened for modification	C:\Program Files\NSWUSB\unin000.exe	Setup.exe
File opened for modification	C:\Program Files\NSWUSB\uninstall.exe	Setup.exe
File opened for modification	C:\Program Files\kameos\gozos\soneos.dll	Setup.exe
File opened for modification	C:\Program Files\kameos\gozos\sonoes.dll	Setup.exe
File created	C:\Program Files\NSWUSB\NSWUSB¦µ¦ó+v+¦¦˜-¦+˜.txt	Setup.exe
File opened for modification	C:\Program Files\NSWUSB\NSW+++º¦-¦¦+¦-¦+˜¦+¦-.txt	Setup.exe
File created	C:\Program Files\NSWUSB\uninstall.exe	Setup.exe
File created	C:\Program Files\kameos\gozos\sonoes.dll	Setup.exe
File created	C:\Program Files\kameos\jy.ini	Setup.exe
File created	C:\Program Files\NSWUSB\ForWin2000XP2003VNSWUSB¦µ¦ó+v+¦¦˜071211.exe	Setup.exe
File created	C:\Program Files\NSWUSB\NSW+++º¦-¦¦+¦-¦+˜¦+¦-.txt	Setup.exe
File opened for modification	C:\Program Files\kameos\kodoes.exe	Setup.exe
File opened for modification	C:\Program Files\kameos\nexos.exe	Setup.exe
File created	C:\Program Files\kameos\kodoes.exe	Setup.exe
File opened for modification	C:\Program Files\NSWUSB\ForWin2000XP2003VNSWUSB¦µ¦ó+v+¦¦˜071211.exe	Setup.exe
File created	C:\Program Files\NSWUSB\unin000.exe	Setup.exe
File created	C:\Program Files\NSWUSB\install.log	Setup.exe
File opened for modification	C:\Program Files\NSWUSB\install.log	Setup.exe
File created	C:\Program Files\kameos\gozos\soneos.dll	Setup.exe
File opened for modification	C:\Program Files\kameos\jy.ini	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

7c7a1691b47e950616215c93e2cd4ec1893f646a44146ca7b6cd6352b9dee2c8.exeSetup.exekodoes.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c7a1691b47e950616215c93e2cd4ec1893f646a44146ca7b6cd6352b9dee2c8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kodoes.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

7c7a1691b47e950616215c93e2cd4ec1893f646a44146ca7b6cd6352b9dee2c8.exeSetup.exe

description	pid	process	target process
PID 2836 wrote to memory of 4412	2836	7c7a1691b47e950616215c93e2cd4ec1893f646a44146ca7b6cd6352b9dee2c8.exe	Setup.exe
PID 2836 wrote to memory of 4412	2836	7c7a1691b47e950616215c93e2cd4ec1893f646a44146ca7b6cd6352b9dee2c8.exe	Setup.exe
PID 2836 wrote to memory of 4412	2836	7c7a1691b47e950616215c93e2cd4ec1893f646a44146ca7b6cd6352b9dee2c8.exe	Setup.exe
PID 4412 wrote to memory of 4864	4412	Setup.exe	kodoes.exe
PID 4412 wrote to memory of 4864	4412	Setup.exe	kodoes.exe
PID 4412 wrote to memory of 4864	4412	Setup.exe	kodoes.exe

C:\Users\Admin\AppData\Local\Temp\7c7a1691b47e950616215c93e2cd4ec1893f646a44146ca7b6cd6352b9dee2c8.exe
"C:\Users\Admin\AppData\Local\Temp\7c7a1691b47e950616215c93e2cd4ec1893f646a44146ca7b6cd6352b9dee2c8.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Program Files\kameos\kodoes.exe
    "C:\Program Files\kameos\kodoes.exe" /install /Silent
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\NSWUSB\uninstall.exe

Filesize
369KB

MD5
143022c9ee4ef7bd1a1385176d67b8a2

SHA1
f1a9d4281344226b4ffca6ae32c6dafacf4c8a86

SHA256
a604f66cec56e771c8856f7653b1cf1d171fca7d166bf0396d81f7aa9856799e

SHA512
4c76cb207b0424bc00ded29b8f95da6c2a2d7f9225fa91fa250ac21896d6f762f3d5f9f093f2755e25ab20426b86867e58ef8421607bcbeea41e45c10ae7cfc8

Download Submit
C:\Program Files\kameos\jy.ini

Filesize
87B

MD5
55a05bfe666f1e978320951c40eddeb8

SHA1
a57ba2e8a8cc37918f837b19105ad67095bfbaea

SHA256
dde851b8bed5f3d9fbd0da96203b5a9510a5efb67eaf84987fbc74fd8667df68

SHA512
a0e5f939b2ff00b7c2b614f5f2ce902e23be1330a2a672ee80907f5daee388345f05f4b2f6c7523d318dafa3b11a2254f3315232f91ace0c7fe1d3c31595899b

Download Submit
C:\Program Files\kameos\kodoes.exe

Filesize
695KB

MD5
22ae62f7fc1d0e086e188618d6ce846b

SHA1
29ec7a5c578b0706dbbe56995f265650f7a0c355

SHA256
ed86b5ae8fb89dc3f7919e74deb1bb6f4a97de3a104e2570c4aeda0ee9d28fa2

SHA512
d64d483ca3ca864294d90ead7137fded970fccfdb4957b26d400e2074ecec5878ad2af6f98b386fe96d499673c972dce0f08bf8539081cf251bc433838e18eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.EXE

Filesize
999KB

MD5
7940573022d81cbdb9c04a22f5d88ad5

SHA1
7352716c480ee92ab212bfcd2627f802d03907cc

SHA256
3d413208468ad2a4a8f865ba41544ddad94b020084597ef971848425b38d3d14

SHA512
df06e17515e3e3b1b2b97b49272dd69163fde07ae18ba49b86ae9f9c406b267bb152eaa0b325d044994c328627424b56e9e14948b7d3b93679b165062eeaf60b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\gtemp.dat

Filesize
2.0MB

MD5
c624d07853622e885fa662a927807d18

SHA1
f81b52bba0104240b9f4ff1f838ab4638a238904

SHA256
ba79004542219a0e08a2d235f4a543169fe09c1a3a5cca58b890021ca04abb00

SHA512
f05809a72dc84b966dc485a6cd19c354adf0e8f3e4c04788b400fe489a1b34ab290747aa817149b9dc75d45f5e77d0281d501624a007b2c80a0f489cd6e0935c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jtemp.dat

Filesize
1.4MB

MD5
9a630944845e65577765696a0457e4f9

SHA1
dcdd73f2ba4be4a2503ac46c510ccaa8cd121ad7

SHA256
f90dc276829be8938fee827c009e536b4872e3ddf39d893a18b041d14fbdf6d5

SHA512
e204b3d2c4d793411c0d87c6c1b4fa72e11971a09f88031136624651c443c0f98311687a5b2b6e77ff0e53630b05577a99efd13891dc8ee7cb2b6eeefb3c1de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\license.txt

Filesize
2KB

MD5
9d8bed25504dd1b9917372c1fed19959

SHA1
670d697925f635170b5730751e631c0a445e6c36

SHA256
21ccc1539893ea5d65c18cb259edcc72ac8d9b84ba9c654ba3070fabb4f765f6

SHA512
98dbd6bf1befca6afd93bf3ba35bdcfadc28303a158796aa76f0e9d8380e99e5e716116d1e712e4fd02e4793c75c43fff0b01a74bd49da7c3052d527e19599f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.ini

Filesize
227B

MD5
387fd915fa13d669dc58a84c88eaa943

SHA1
35745ce0cbabf6eecd6fe9719807ef95850ce150

SHA256
0033c9906f7b33f25e12cee7d1e7e07163d509d4569dfd5175ca321587b7fe5b

SHA512
c4e49cce74c81b0c020f28bc9806c118b4863dda464977379146bffc72cb1e9bea3492aed31f62f1499d8d778da676cf1154bc5176a974c46422eeb3a986e5af

Download Submit
memory/4412-23-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/4412-26-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/4412-24-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/4412-21-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/4412-76-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/4864-51-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/4864-53-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads