fec3b50d44a1a15ae93ab429bef45c15e7538a5b12857f183a5fc4fd820d7b5e

General

Target

fec3b50d44a1a15ae93ab429bef45c15e7538a5b12857f183a5fc4fd820d7b5e.exe
Size

255KB
MD5

2dde1f5597487da67e8b2c503998bb07
SHA1

32cf050fafd9ebce574e944d9b0afa27b46aa00d
SHA256

fec3b50d44a1a15ae93ab429bef45c15e7538a5b12857f183a5fc4fd820d7b5e
SHA512

b9818ddfe9dcc87d538c3768985b36eb7bf13ecfa18ed8fdb95ce7d98c27e8615309b74fb479d7ca307552f1249498f5937d93302bbb9e1894c2498631482e7f
SSDEEP

6144:85p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQSu:EeGUA5YZazpXUmZh9u

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fec3b50d44a1a15ae93ab429bef45c15e7538a5b12857f183a5fc4fd820d7b5e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fec3b50d44a1a15ae93ab429bef45c15e7538a5b12857f183a5fc4fd820d7b5e.exe

Executes dropped EXE 1 IoCs

Processes:

a1punf5t2of.exe

pid process

2764 a1punf5t2of.exe

pid	process
2764	a1punf5t2of.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fec3b50d44a1a15ae93ab429bef45c15e7538a5b12857f183a5fc4fd820d7b5e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe"	fec3b50d44a1a15ae93ab429bef45c15e7538a5b12857f183a5fc4fd820d7b5e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a1punf5t2of.exefec3b50d44a1a15ae93ab429bef45c15e7538a5b12857f183a5fc4fd820d7b5e.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1punf5t2of.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fec3b50d44a1a15ae93ab429bef45c15e7538a5b12857f183a5fc4fd820d7b5e.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

fec3b50d44a1a15ae93ab429bef45c15e7538a5b12857f183a5fc4fd820d7b5e.exea1punf5t2of.exe

description	pid	process	target process
PID 752 wrote to memory of 2764	752	fec3b50d44a1a15ae93ab429bef45c15e7538a5b12857f183a5fc4fd820d7b5e.exe	a1punf5t2of.exe
PID 752 wrote to memory of 2764	752	fec3b50d44a1a15ae93ab429bef45c15e7538a5b12857f183a5fc4fd820d7b5e.exe	a1punf5t2of.exe
PID 752 wrote to memory of 2764	752	fec3b50d44a1a15ae93ab429bef45c15e7538a5b12857f183a5fc4fd820d7b5e.exe	a1punf5t2of.exe
PID 2764 wrote to memory of 4892	2764	a1punf5t2of.exe	a1punf5t2of.exe
PID 2764 wrote to memory of 4892	2764	a1punf5t2of.exe	a1punf5t2of.exe
PID 2764 wrote to memory of 4892	2764	a1punf5t2of.exe	a1punf5t2of.exe

C:\Users\Admin\AppData\Local\Temp\fec3b50d44a1a15ae93ab429bef45c15e7538a5b12857f183a5fc4fd820d7b5e.exe
"C:\Users\Admin\AppData\Local\Temp\fec3b50d44a1a15ae93ab429bef45c15e7538a5b12857f183a5fc4fd820d7b5e.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:752
- C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
  "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
    "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
    3⤵
    PID:4892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

Filesize
255KB

MD5
814b4158737b1c5addb7a6cd90723a95

SHA1
99ffa3e90e15624460e40893b28f5422b834efc9

SHA256
2715bd709e0c9c9f7a43c29ecd74371630842f8223904652f1c577ddff791de4

SHA512
bdb1414bb25b0e2248c9ae915cf0665df777dae0fe624590c9002f87745bae91d88cfe652575b22d8de5f4b05832e8cfa4726bad56df9f7f1130850a3f6de501

Download Submit
memory/752-4-0x0000000075142000-0x0000000075143000-memory.dmp

Filesize
4KB

Download
memory/752-7-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download
memory/752-3-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download
memory/752-0-0x0000000075142000-0x0000000075143000-memory.dmp

Filesize
4KB

Download
memory/752-22-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download
memory/752-6-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download
memory/752-2-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download
memory/752-1-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download
memory/752-5-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download
memory/2764-23-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download
memory/2764-21-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download
memory/2764-24-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download
memory/2764-25-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download
memory/2764-26-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download
memory/2764-27-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download
memory/2764-29-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads