aecc6105bc130da6ad74e239984b1bb75081c0bd6b6344e78deefa10be3036da

General

Target

aecc6105bc130da6ad74e239984b1bb75081c0bd6b6344e78deefa10be3036da.exe
Size

1.3MB
MD5

6b384d1c44fd0c32dcfe671f21dd4dae
SHA1

21c41e64f6015537a8840158f4f4f6b74ecd7e86
SHA256

aecc6105bc130da6ad74e239984b1bb75081c0bd6b6344e78deefa10be3036da
SHA512

41fe5f2439f5ae7c84ea03ab35c3b530cf97f3ac3d211cc59b78662794aa866c387e36bd098b6c1b8df1bff504308894501e9cc61471bd18887b031ed672b2b8
SSDEEP

12288:xHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yxw:xDgINfAuBcgcZG2uG24MG4YO

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	aecc6105bc130da6ad74e239984b1bb75081c0bd6b6344e78deefa10be3036da.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	~DFA266.tmp

Executes dropped EXE 3 IoCs

pid	Process
1836	tahaby.exe
3260	~DFA266.tmp
2544	yglory.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yglory.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aecc6105bc130da6ad74e239984b1bb75081c0bd6b6344e78deefa10be3036da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tahaby.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~DFA266.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2544	yglory.exe
2544	yglory.exe
2544	yglory.exe
2544	yglory.exe
2544	yglory.exe
2544	yglory.exe
2544	yglory.exe
2544	yglory.exe
2544	yglory.exe
2544	yglory.exe
2544	yglory.exe
2544	yglory.exe
2544	yglory.exe
2544	yglory.exe
2544	yglory.exe
2544	yglory.exe
2544	yglory.exe
2544	yglory.exe
2544	yglory.exe
2544	yglory.exe
2544	yglory.exe
2544	yglory.exe
2544	yglory.exe
2544	yglory.exe
2544	yglory.exe
2544	yglory.exe
2544	yglory.exe
2544	yglory.exe
2544	yglory.exe
2544	yglory.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3260	~DFA266.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 1836	2328	aecc6105bc130da6ad74e239984b1bb75081c0bd6b6344e78deefa10be3036da.exe	82
PID 2328 wrote to memory of 1836	2328	aecc6105bc130da6ad74e239984b1bb75081c0bd6b6344e78deefa10be3036da.exe	82
PID 2328 wrote to memory of 1836	2328	aecc6105bc130da6ad74e239984b1bb75081c0bd6b6344e78deefa10be3036da.exe	82
PID 1836 wrote to memory of 3260	1836	tahaby.exe	83
PID 1836 wrote to memory of 3260	1836	tahaby.exe	83
PID 1836 wrote to memory of 3260	1836	tahaby.exe	83
PID 2328 wrote to memory of 1072	2328	aecc6105bc130da6ad74e239984b1bb75081c0bd6b6344e78deefa10be3036da.exe	84
PID 2328 wrote to memory of 1072	2328	aecc6105bc130da6ad74e239984b1bb75081c0bd6b6344e78deefa10be3036da.exe	84
PID 2328 wrote to memory of 1072	2328	aecc6105bc130da6ad74e239984b1bb75081c0bd6b6344e78deefa10be3036da.exe	84
PID 3260 wrote to memory of 2544	3260	~DFA266.tmp	95
PID 3260 wrote to memory of 2544	3260	~DFA266.tmp	95
PID 3260 wrote to memory of 2544	3260	~DFA266.tmp	95

C:\Users\Admin\AppData\Local\Temp\aecc6105bc130da6ad74e239984b1bb75081c0bd6b6344e78deefa10be3036da.exe
"C:\Users\Admin\AppData\Local\Temp\aecc6105bc130da6ad74e239984b1bb75081c0bd6b6344e78deefa10be3036da.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\tahaby.exe
  C:\Users\Admin\AppData\Local\Temp\tahaby.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Users\Admin\AppData\Local\Temp\~DFA266.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA266.tmp OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3260
  - - C:\Users\Admin\AppData\Local\Temp\yglory.exe
      "C:\Users\Admin\AppData\Local\Temp\yglory.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
3b7f6bb2926652872f2c96622bc6bcd1

SHA1
0f048ca81f94c24e74642eae940c6429530ea576

SHA256
f262038ef7b87f0d22bed30d3e5da8f68f6740bad099335c8a6bd3a5cd5efc1c

SHA512
3d2c42d3e469cd7a3bf514dbbb010d8a4b3bfd969688053e91173fd15c4677c252fe32e4d6ec1da15073e2a4f336a19d34126178dfe9dba4f2fa4cd66838e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
2a24d0ac0ea02b016c654758b77ea9dc

SHA1
4a56beb90b83ed1f694ec297db02fd2084f017f3

SHA256
016c90521c8e172ac2e1753207852e0dc3cccd79c9b19d94c37f57532ec945ce

SHA512
b3080891502627f959227fad03067929ba5ed8b8e463dc18446c1f409e3d212628430997ac177f985b13326ca699765a05226ee96d649ffd757d2e3c42e9d5d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tahaby.exe

Filesize
1.3MB

MD5
3100a88e1d2b9de7e2fe05e90e85d128

SHA1
b66a8e9ca29a12621ba6f360b35d6d10d40e5bab

SHA256
be7b8a1f3b6531fe707a0e9935e47c68864fd8c226dd7f89c8beddb392c48dc6

SHA512
dd7a56ce4d75767868793adb837ff0a90121fe1264cd7bea5989362364fd51d5e22df5726ea38bf525617a5bd4298a16a3de177c184caa6a17654beea40aedc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yglory.exe

Filesize
419KB

MD5
b1db72c2ecb04974eb7bf9efb6162604

SHA1
f630920b7424bd1d97f6f1e4303c993d1101ec71

SHA256
49fc582a5925fd9b33cd6a51491725ff82e131dce4ce574858205772309c24f3

SHA512
8bd967349105ae7272fb77fffd5a8fca96fa1fd05b351d08f27805a294a09e36f40560caf4aa86240ab0927181aa97cfeea1bb81ae1bb5b62d6af5cc0a204604

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA266.tmp

Filesize
1.3MB

MD5
6051cef2ce3abb8ba0156fabc167f416

SHA1
54cc3624a4faddb4d31a709bd63f06bcd9b69a49

SHA256
2884ba57978356c28ca723922a562250dca495ab69625015a39395d2fa740f24

SHA512
6ee14e3d1e1bea2cea3956ca148582ead728a7f4d659640ee58bcfdc8c20ecf6c9d054f7795364d1ace470d2819ed86211b12f355dc3324da78fa05786876c8e

Download Submit
memory/1836-19-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2328-17-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2328-0-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2544-36-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2544-38-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/2544-42-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/2544-41-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3260-21-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3260-40-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download

Analysis

Sharing