dc66c84fd4a91decac655fe0c7f400c3af181cb0cc9c97f8795d47b40bdf3584

General

Target

dc66c84fd4a91decac655fe0c7f400c3af181cb0cc9c97f8795d47b40bdf3584N.exe
Size

235KB
MD5

ba9dc83c0248fe213563b4dfff33be00
SHA1

4d5236631d4bb339f1ba93627764fd79e42c37b9
SHA256

dc66c84fd4a91decac655fe0c7f400c3af181cb0cc9c97f8795d47b40bdf3584
SHA512

277917b1eccf715eb116fed517e6e0df08846b86b5d7c4543c030616250a4a41815d523221cbf5dfa1c075698c1fdb0f6f68537e3929950829a8bee1328954b6
SSDEEP

6144:+/qDDbAZiwe41jLDzpZWS2ouViF3nxIkJk:S7xjLLW+uViZxI7

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	dc66c84fd4a91decac655fe0c7f400c3af181cb0cc9c97f8795d47b40bdf3584N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	ghaaer.exe

Executes dropped EXE 3 IoCs

pid	Process
4860	ghaaer.exe
4028	ghaaer.exe
4292	ghaaer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc66c84fd4a91decac655fe0c7f400c3af181cb0cc9c97f8795d47b40bdf3584N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ghaaer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5032	schtasks.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 4860	4532	dc66c84fd4a91decac655fe0c7f400c3af181cb0cc9c97f8795d47b40bdf3584N.exe	85
PID 4532 wrote to memory of 4860	4532	dc66c84fd4a91decac655fe0c7f400c3af181cb0cc9c97f8795d47b40bdf3584N.exe	85
PID 4532 wrote to memory of 4860	4532	dc66c84fd4a91decac655fe0c7f400c3af181cb0cc9c97f8795d47b40bdf3584N.exe	85
PID 4860 wrote to memory of 5032	4860	ghaaer.exe	87
PID 4860 wrote to memory of 5032	4860	ghaaer.exe	87
PID 4860 wrote to memory of 5032	4860	ghaaer.exe	87
PID 4860 wrote to memory of 3208	4860	ghaaer.exe	89
PID 4860 wrote to memory of 3208	4860	ghaaer.exe	89
PID 4860 wrote to memory of 3208	4860	ghaaer.exe	89
PID 3208 wrote to memory of 1772	3208	cmd.exe	91
PID 3208 wrote to memory of 1772	3208	cmd.exe	91
PID 3208 wrote to memory of 1772	3208	cmd.exe	91
PID 3208 wrote to memory of 2844	3208	cmd.exe	92
PID 3208 wrote to memory of 2844	3208	cmd.exe	92
PID 3208 wrote to memory of 2844	3208	cmd.exe	92
PID 3208 wrote to memory of 2552	3208	cmd.exe	93
PID 3208 wrote to memory of 2552	3208	cmd.exe	93
PID 3208 wrote to memory of 2552	3208	cmd.exe	93
PID 3208 wrote to memory of 2908	3208	cmd.exe	94
PID 3208 wrote to memory of 2908	3208	cmd.exe	94
PID 3208 wrote to memory of 2908	3208	cmd.exe	94
PID 3208 wrote to memory of 1200	3208	cmd.exe	95
PID 3208 wrote to memory of 1200	3208	cmd.exe	95
PID 3208 wrote to memory of 1200	3208	cmd.exe	95
PID 3208 wrote to memory of 4908	3208	cmd.exe	96
PID 3208 wrote to memory of 4908	3208	cmd.exe	96
PID 3208 wrote to memory of 4908	3208	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\dc66c84fd4a91decac655fe0c7f400c3af181cb0cc9c97f8795d47b40bdf3584N.exe
"C:\Users\Admin\AppData\Local\Temp\dc66c84fd4a91decac655fe0c7f400c3af181cb0cc9c97f8795d47b40bdf3584N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe
  "C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ghaaer.exe /TR "C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5032
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "ghaaer.exe" /P "Admin:N"&&CACLS "ghaaer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\46aee2aca4" /P "Admin:N"&&CACLS "..\46aee2aca4" /P "Admin:R" /E&&Exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3208
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1772
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "ghaaer.exe" /P "Admin:N"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2844
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "ghaaer.exe" /P "Admin:R" /E
      4⤵
      System Location Discovery: System Language Discovery
      PID:2552
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2908
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\46aee2aca4" /P "Admin:N"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1200
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\46aee2aca4" /P "Admin:R" /E
      4⤵
      System Location Discovery: System Language Discovery
      PID:4908

C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe
C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe
1⤵
- Executes dropped EXE
PID:4028

C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe
C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe
1⤵
- Executes dropped EXE
PID:4292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe

Filesize
235KB

MD5
ba9dc83c0248fe213563b4dfff33be00

SHA1
4d5236631d4bb339f1ba93627764fd79e42c37b9

SHA256
dc66c84fd4a91decac655fe0c7f400c3af181cb0cc9c97f8795d47b40bdf3584

SHA512
277917b1eccf715eb116fed517e6e0df08846b86b5d7c4543c030616250a4a41815d523221cbf5dfa1c075698c1fdb0f6f68537e3929950829a8bee1328954b6

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

Filesize
153B

MD5
a53e183b2c571a68b246ad570b76da19

SHA1
7eac95d26ba1e92a3b4d6fd47ee057f00274ac13

SHA256
29574dc19a017adc4a026deb6d9a90708110eafe9a6acdc6496317382f9a4dc7

SHA512
1ca8f70acd82a194984a248a15541e0d2c75e052e00fc43c1c6b6682941dad6ce4b6c2cab4833e208e79f3546758c30857d1d4a3b05d8e571f0ce7a3a5b357be

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads