a98a3bfa0515b252c98d8bedb85789865560d4ffa97d43b55f7f35ba7eef3328

General

Target

a98a3bfa0515b252c98d8bedb85789865560d4ffa97d43b55f7f35ba7eef3328N.exe
Size

206KB
MD5

7c3384a0f2119a13a908d1ca08c8e590
SHA1

e674dcbd1e38cf9a84b6a47bd9ca35ad9aa69efd
SHA256

a98a3bfa0515b252c98d8bedb85789865560d4ffa97d43b55f7f35ba7eef3328
SHA512

6290d8643c62de34858caa0f46ebacf40a1ca5a5fa78f0a40c5b93e835b384a58fdfaf422d8a335812a97528d9884a4a4e486b474d777e5d07d5753161e34fdf
SSDEEP

3072:c/frTDzurT1S3CzpdmnATE55zjExkKGruONMvhu5QTXzeJX2vkMfSDPwU:Wfrnzurs3Czpexj2kGOIu5QTyJMKk

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	a98a3bfa0515b252c98d8bedb85789865560d4ffa97d43b55f7f35ba7eef3328N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 4 IoCs

pid	Process
2500	oneetx.exe
4676	oneetx.exe
1040	oneetx.exe
3652	oneetx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oneetx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a98a3bfa0515b252c98d8bedb85789865560d4ffa97d43b55f7f35ba7eef3328N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5060	schtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4668	a98a3bfa0515b252c98d8bedb85789865560d4ffa97d43b55f7f35ba7eef3328N.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 2500	4668	a98a3bfa0515b252c98d8bedb85789865560d4ffa97d43b55f7f35ba7eef3328N.exe	85
PID 4668 wrote to memory of 2500	4668	a98a3bfa0515b252c98d8bedb85789865560d4ffa97d43b55f7f35ba7eef3328N.exe	85
PID 4668 wrote to memory of 2500	4668	a98a3bfa0515b252c98d8bedb85789865560d4ffa97d43b55f7f35ba7eef3328N.exe	85
PID 2500 wrote to memory of 5060	2500	oneetx.exe	86
PID 2500 wrote to memory of 5060	2500	oneetx.exe	86
PID 2500 wrote to memory of 5060	2500	oneetx.exe	86
PID 2500 wrote to memory of 1000	2500	oneetx.exe	88
PID 2500 wrote to memory of 1000	2500	oneetx.exe	88
PID 2500 wrote to memory of 1000	2500	oneetx.exe	88
PID 1000 wrote to memory of 1180	1000	cmd.exe	90
PID 1000 wrote to memory of 1180	1000	cmd.exe	90
PID 1000 wrote to memory of 1180	1000	cmd.exe	90
PID 1000 wrote to memory of 1284	1000	cmd.exe	91
PID 1000 wrote to memory of 1284	1000	cmd.exe	91
PID 1000 wrote to memory of 1284	1000	cmd.exe	91
PID 1000 wrote to memory of 3788	1000	cmd.exe	92
PID 1000 wrote to memory of 3788	1000	cmd.exe	92
PID 1000 wrote to memory of 3788	1000	cmd.exe	92
PID 1000 wrote to memory of 2108	1000	cmd.exe	93
PID 1000 wrote to memory of 2108	1000	cmd.exe	93
PID 1000 wrote to memory of 2108	1000	cmd.exe	93
PID 1000 wrote to memory of 3444	1000	cmd.exe	95
PID 1000 wrote to memory of 3444	1000	cmd.exe	95
PID 1000 wrote to memory of 3444	1000	cmd.exe	95
PID 1000 wrote to memory of 4444	1000	cmd.exe	96
PID 1000 wrote to memory of 4444	1000	cmd.exe	96
PID 1000 wrote to memory of 4444	1000	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\a98a3bfa0515b252c98d8bedb85789865560d4ffa97d43b55f7f35ba7eef3328N.exe
"C:\Users\Admin\AppData\Local\Temp\a98a3bfa0515b252c98d8bedb85789865560d4ffa97d43b55f7f35ba7eef3328N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
  "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5060
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1180
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "oneetx.exe" /P "Admin:N"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1284
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "oneetx.exe" /P "Admin:R" /E
      4⤵
      System Location Discovery: System Language Discovery
      PID:3788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2108
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\cb7ae701b3" /P "Admin:N"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3444
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\cb7ae701b3" /P "Admin:R" /E
      4⤵
      System Location Discovery: System Language Discovery
      PID:4444

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:4676

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:1040

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:3652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
206KB

MD5
7c3384a0f2119a13a908d1ca08c8e590

SHA1
e674dcbd1e38cf9a84b6a47bd9ca35ad9aa69efd

SHA256
a98a3bfa0515b252c98d8bedb85789865560d4ffa97d43b55f7f35ba7eef3328

SHA512
6290d8643c62de34858caa0f46ebacf40a1ca5a5fa78f0a40c5b93e835b384a58fdfaf422d8a335812a97528d9884a4a4e486b474d777e5d07d5753161e34fdf

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads