0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa

General

Target

0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe
Size

17.0MB
MD5

96bf35f133c4c351e259d425d9596124
SHA1

58684797094fac1b895a4b61640b26b3d2996ac4
SHA256

0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa
SHA512

48267b65bfc3daea9a34108a548d18d09b9096d574a35ccf3e4c864077451471e86bfb4d4139c263186964c9e8b1b5e951fe96d533d7b09353a737f0c5075a05
SSDEEP

6144:NLb1zp2t2koczX3GIf4O4kLsyuVKHwNsFq4hsbboPNv4Mz3wLgOIAfMdPCds2eU0:oBfZ4LAwekIZvOIw0CdgoOwM

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3492 created 3416	3492	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe	56

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe

Deletes itself 1 IoCs

pid	Process
1636	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
1900	dllfileinstalll.exe
4784	dllfileinstal.exe

AutoIT Executable 5 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3848-8-0x0000000140000000-0x00000001402FC000-memory.dmp	autoit_exe
behavioral2/memory/3848-9-0x0000000140000000-0x00000001402FC000-memory.dmp	autoit_exe
behavioral2/memory/3848-46-0x0000000140000000-0x00000001402FC000-memory.dmp	autoit_exe
behavioral2/memory/1900-60-0x00007FF75D800000-0x00007FF75D948000-memory.dmp	autoit_exe
behavioral2/memory/4784-62-0x0000000000240000-0x0000000000353000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3492 set thread context of 3848	3492	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe	82

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3848-3-0x0000000140000000-0x00000001402FC000-memory.dmp	upx
behavioral2/memory/3848-8-0x0000000140000000-0x00000001402FC000-memory.dmp	upx
behavioral2/memory/3848-9-0x0000000140000000-0x00000001402FC000-memory.dmp	upx
behavioral2/memory/3848-7-0x0000000140000000-0x00000001402FC000-memory.dmp	upx
behavioral2/files/0x0007000000023c7b-22.dat	upx
behavioral2/files/0x0007000000023c79-16.dat	upx
behavioral2/memory/1900-34-0x00007FF75D800000-0x00007FF75D948000-memory.dmp	upx
behavioral2/memory/4784-44-0x0000000000240000-0x0000000000353000-memory.dmp	upx
behavioral2/memory/3848-46-0x0000000140000000-0x00000001402FC000-memory.dmp	upx
behavioral2/memory/1900-60-0x00007FF75D800000-0x00007FF75D948000-memory.dmp	upx
behavioral2/memory/4784-62-0x0000000000240000-0x0000000000353000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllfileinstal.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1636	powershell.exe
1636	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1636	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3848	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe
3848	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe
3848	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe
3848	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
3848	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe
3848	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe
3848	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe
3848	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
452	OpenWith.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 3848	3492	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe	82
PID 3492 wrote to memory of 3848	3492	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe	82
PID 3492 wrote to memory of 3848	3492	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe	82
PID 3492 wrote to memory of 3848	3492	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe	82
PID 3492 wrote to memory of 3848	3492	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe	82
PID 3492 wrote to memory of 3848	3492	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe	82
PID 3492 wrote to memory of 3848	3492	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe	82
PID 3848 wrote to memory of 1900	3848	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe	84
PID 3848 wrote to memory of 1900	3848	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe	84
PID 3848 wrote to memory of 4784	3848	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe	86
PID 3848 wrote to memory of 4784	3848	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe	86
PID 3848 wrote to memory of 4784	3848	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe	86
PID 3492 wrote to memory of 1636	3492	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe	87
PID 3492 wrote to memory of 1636	3492	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe	87

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3416
- C:\Users\Admin\AppData\Local\Temp\0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe
  "C:\Users\Admin\AppData\Local\Temp\0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $file='C:\Users\Admin\AppData\Local\Temp\0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe';for($i=1;$i -le 600 -and (Test-Path $file -PathType leaf);$i++){Remove-Item $file;Start-Sleep -m 100}
    3⤵
    - Deletes itself
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1636
- C:\Users\Admin\AppData\Local\Temp\0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe
  "C:\Users\Admin\AppData\Local\Temp\0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3848
- - C:\Users\Admin\AppData\Local\Temp\dllfileinstalll.exe
    "C:\Users\Admin\AppData\Local\Temp\dllfileinstalll.exe"
    3⤵
    - Executes dropped EXE
    PID:1900
- - C:\Users\Admin\AppData\Local\Temp\dllfileinstal.exe
    "C:\Users\Admin\AppData\Local\Temp\dllfileinstal.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4784

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oryzmdwk.dar.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dllfileinstal.exe

Filesize
461KB

MD5
65dc9fcfa113e6b794962bdf55b5b55c

SHA1
5d0455a455a4c9c86a98cc1dda1ffca6c0e9d69d

SHA256
93ae6864b4b7c4cb52fc50e8dcf4a9cf0ecc61718553f6602a04363fdf46e381

SHA512
4f23085f39addc6a5db195b8c99b19be536a130707b7d4f4faef8b284755d82eeffca4f6d901233c1473174a7e88dd70bf4effebc9bfa898f80e74d01f84cdbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\dllfileinstalll.exe

Filesize
543KB

MD5
4ab7a19af297d2ab155c3ed20365beda

SHA1
5a59e8990af6071e48fa4e7453a10386f9c02d56

SHA256
9eb2d8a45f7df1032c99f5e6e3b1d8ddc745bddc07c5a9fc2d8c042ccc8f9317

SHA512
166e1b74ed195b9a0dd062daa49525edce4bc84658190b041064fe271e7bee644d79f74be6120a3d57ede13ec99f3fe2008b1119362d2527c255611fda320872

Download Submit
memory/1636-48-0x00000148FEFE0000-0x00000148FF002000-memory.dmp

Filesize
136KB

Download
memory/1900-34-0x00007FF75D800000-0x00007FF75D948000-memory.dmp

Filesize
1.3MB

Download
memory/1900-60-0x00007FF75D800000-0x00007FF75D948000-memory.dmp

Filesize
1.3MB

Download
memory/3492-2-0x000000001DB30000-0x000000001DCC2000-memory.dmp

Filesize
1.6MB

Download
memory/3492-0-0x00007FFFE6FD3000-0x00007FFFE6FD5000-memory.dmp

Filesize
8KB

Download
memory/3492-1-0x0000000000BB0000-0x0000000001CC0000-memory.dmp

Filesize
17.1MB

Download
memory/3848-8-0x0000000140000000-0x00000001402FC000-memory.dmp

Filesize
3.0MB

Download
memory/3848-9-0x0000000140000000-0x00000001402FC000-memory.dmp

Filesize
3.0MB

Download
memory/3848-7-0x0000000140000000-0x00000001402FC000-memory.dmp

Filesize
3.0MB

Download
memory/3848-3-0x0000000140000000-0x00000001402FC000-memory.dmp

Filesize
3.0MB

Download
memory/3848-46-0x0000000140000000-0x00000001402FC000-memory.dmp

Filesize
3.0MB

Download
memory/4784-44-0x0000000000240000-0x0000000000353000-memory.dmp

Filesize
1.1MB

Download
memory/4784-62-0x0000000000240000-0x0000000000353000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing