1164a8f550cdcca584fbef5b09a9acb89fa79fbde89a66e92e1b45dcaa982c8e

General

Target

1164a8f550cdcca584fbef5b09a9acb89fa79fbde89a66e92e1b45dcaa982c8e.exe
Size

70.3MB
MD5

34685447de7a88a522e09b360da83bb8
SHA1

d7a051403a980d484bc4e6be11491c7d27b7c6b1
SHA256

1164a8f550cdcca584fbef5b09a9acb89fa79fbde89a66e92e1b45dcaa982c8e
SHA512

ab29904572ecf226832aac8ecf3ad2e0d5f24c1292b25b3af67741352aa428c008b875447f5a61fd03974ba6ef0433a22e4f11d44efb3b21ef5dd9f9d3972eb8
SSDEEP

6144:9ykTQp8xurN4JlU94SyTKJPpTHf3zZOckmhrK:9JTQp8AiJl6+YxzfDZLK

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2820	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\International\Geo\Nation	DPexzrYzgU.exe

Executes dropped EXE 1 IoCs

pid	Process
2892	DPexzrYzgU.exe

Loads dropped DLL 4 IoCs

pid	Process
2428	1164a8f550cdcca584fbef5b09a9acb89fa79fbde89a66e92e1b45dcaa982c8e.exe
2664	WerFault.exe
2664	WerFault.exe
2664	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1164a8f550cdcca584fbef5b09a9acb89fa79fbde89a66e92e1b45dcaa982c8e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2820	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2428	1164a8f550cdcca584fbef5b09a9acb89fa79fbde89a66e92e1b45dcaa982c8e.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2892	DPexzrYzgU.exe
Token: SeImpersonatePrivilege	2892	DPexzrYzgU.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2820	2428	1164a8f550cdcca584fbef5b09a9acb89fa79fbde89a66e92e1b45dcaa982c8e.exe	31
PID 2428 wrote to memory of 2820	2428	1164a8f550cdcca584fbef5b09a9acb89fa79fbde89a66e92e1b45dcaa982c8e.exe	31
PID 2428 wrote to memory of 2820	2428	1164a8f550cdcca584fbef5b09a9acb89fa79fbde89a66e92e1b45dcaa982c8e.exe	31
PID 2428 wrote to memory of 2820	2428	1164a8f550cdcca584fbef5b09a9acb89fa79fbde89a66e92e1b45dcaa982c8e.exe	31
PID 2428 wrote to memory of 2892	2428	1164a8f550cdcca584fbef5b09a9acb89fa79fbde89a66e92e1b45dcaa982c8e.exe	33
PID 2428 wrote to memory of 2892	2428	1164a8f550cdcca584fbef5b09a9acb89fa79fbde89a66e92e1b45dcaa982c8e.exe	33
PID 2428 wrote to memory of 2892	2428	1164a8f550cdcca584fbef5b09a9acb89fa79fbde89a66e92e1b45dcaa982c8e.exe	33
PID 2428 wrote to memory of 2892	2428	1164a8f550cdcca584fbef5b09a9acb89fa79fbde89a66e92e1b45dcaa982c8e.exe	33
PID 2892 wrote to memory of 2664	2892	DPexzrYzgU.exe	34
PID 2892 wrote to memory of 2664	2892	DPexzrYzgU.exe	34
PID 2892 wrote to memory of 2664	2892	DPexzrYzgU.exe	34

C:\Users\Admin\AppData\Local\Temp\1164a8f550cdcca584fbef5b09a9acb89fa79fbde89a66e92e1b45dcaa982c8e.exe
"C:\Users\Admin\AppData\Local\Temp\1164a8f550cdcca584fbef5b09a9acb89fa79fbde89a66e92e1b45dcaa982c8e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -WindowStyle Hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXABaADcARQB0AEYAeABuAFUASgBZAFwARABQAGUAeAB6AHIAWQB6AGcAVQAuAGUAeABlACcA
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Users\Admin\AppData\Local\Temp\Z7EtFxnUJY\DPexzrYzgU.exe
  "C:\Users\Admin\AppData\Local\Temp\Z7EtFxnUJY\DPexzrYzgU.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2892 -s 616
    3⤵
    - Loads dropped DLL
    PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Z7EtFxnUJY\DPexzrYzgU.exe

Filesize
2.5MB

MD5
823882161f77b0f3dafcbc1112000a98

SHA1
37cc9d3f298a358232a1bbc1cc0376df480525d8

SHA256
bfe90987bd3cee5c347c1db7c6db0f63545bbca447667226798d1ba071915b08

SHA512
4fc2cb284065074498d2b37febba994a9b4d773f9f92555c21c6f8c22a318c25a97f518cb7d0dbf320cf5bcf984b2b9b0e880a9f5a43ed1353f7782ec60343a5

Download Submit
memory/2428-15-0x0000000074CE0000-0x00000000753CE000-memory.dmp

Filesize
6.9MB

Download
memory/2428-1-0x00000000003D0000-0x0000000004A1C000-memory.dmp

Filesize
70.3MB

Download
memory/2428-2-0x0000000074CE0000-0x00000000753CE000-memory.dmp

Filesize
6.9MB

Download
memory/2428-3-0x0000000074CEE000-0x0000000074CEF000-memory.dmp

Filesize
4KB

Download
memory/2428-4-0x0000000074CE0000-0x00000000753CE000-memory.dmp

Filesize
6.9MB

Download
memory/2428-5-0x0000000074CE0000-0x00000000753CE000-memory.dmp

Filesize
6.9MB

Download
memory/2428-0-0x0000000074CEE000-0x0000000074CEF000-memory.dmp

Filesize
4KB

Download
memory/2428-23-0x0000000074CE0000-0x00000000753CE000-memory.dmp

Filesize
6.9MB

Download
memory/2820-9-0x000000006FAA1000-0x000000006FAA2000-memory.dmp

Filesize
4KB

Download
memory/2820-13-0x000000006FAA0000-0x000000007004B000-memory.dmp

Filesize
5.7MB

Download
memory/2820-14-0x000000006FAA0000-0x000000007004B000-memory.dmp

Filesize
5.7MB

Download
memory/2820-12-0x000000006FAA0000-0x000000007004B000-memory.dmp

Filesize
5.7MB

Download
memory/2820-11-0x000000006FAA0000-0x000000007004B000-memory.dmp

Filesize
5.7MB

Download
memory/2820-10-0x000000006FAA0000-0x000000007004B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing