c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183

General

Target

c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183N.exe
Size

27KB
MD5

3eaff8ce09f497995f5be4dc1b3aa820
SHA1

f2b7c3546b6f55d2c797eeb2b8ed2a37e05e16e1
SHA256

c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183
SHA512

41d223f11aa428a5e262783bf732ffabb967785c7f2a7299b259f1398bb64b4a1ab3478e7e11312268fd86ee824d0f7f33c2b1b1aa5a31754c168ca4d8a26b62
SSDEEP

384:tjLyib+vLGgkhRzeTwIiTSmLPeJ97MaAQk93vmhm7UMKmIEecKdbXTzm9bVhcax8:9lgKNzevO7aA/vMHTi9bDx

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183N.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183N.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Payload.exe

Executes dropped EXE 1 IoCs

pid	Process
4760	Payload.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe"	c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	4760	Payload.exe
Token: 33	4760	Payload.exe
Token: SeIncBasePriorityPrivilege	4760	Payload.exe
Token: 33	4760	Payload.exe
Token: SeIncBasePriorityPrivilege	4760	Payload.exe
Token: 33	4760	Payload.exe
Token: SeIncBasePriorityPrivilege	4760	Payload.exe
Token: 33	4760	Payload.exe
Token: SeIncBasePriorityPrivilege	4760	Payload.exe
Token: 33	4760	Payload.exe
Token: SeIncBasePriorityPrivilege	4760	Payload.exe
Token: 33	4760	Payload.exe
Token: SeIncBasePriorityPrivilege	4760	Payload.exe
Token: 33	4760	Payload.exe
Token: SeIncBasePriorityPrivilege	4760	Payload.exe
Token: 33	4760	Payload.exe
Token: SeIncBasePriorityPrivilege	4760	Payload.exe
Token: 33	4760	Payload.exe
Token: SeIncBasePriorityPrivilege	4760	Payload.exe
Token: 33	4760	Payload.exe
Token: SeIncBasePriorityPrivilege	4760	Payload.exe
Token: 33	4760	Payload.exe
Token: SeIncBasePriorityPrivilege	4760	Payload.exe
Token: 33	4760	Payload.exe
Token: SeIncBasePriorityPrivilege	4760	Payload.exe
Token: 33	4760	Payload.exe
Token: SeIncBasePriorityPrivilege	4760	Payload.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 4760	4616	c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183N.exe	91
PID 4616 wrote to memory of 4760	4616	c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183N.exe	91
PID 4616 wrote to memory of 4760	4616	c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183N.exe	91
PID 4616 wrote to memory of 724	4616	c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183N.exe	92
PID 4616 wrote to memory of 724	4616	c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183N.exe	92
PID 4616 wrote to memory of 724	4616	c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183N.exe	92
PID 4760 wrote to memory of 1728	4760	Payload.exe	100
PID 4760 wrote to memory of 1728	4760	Payload.exe	100
PID 4760 wrote to memory of 1728	4760	Payload.exe	100
PID 4760 wrote to memory of 4208	4760	Payload.exe	102
PID 4760 wrote to memory of 4208	4760	Payload.exe	102
PID 4760 wrote to memory of 4208	4760	Payload.exe	102

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1728	attrib.exe
4208	attrib.exe
724	attrib.exe

C:\Users\Admin\AppData\Local\Temp\c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183N.exe
"C:\Users\Admin\AppData\Local\Temp\c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183N.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Users\Admin\AppData\Local\Temp\Payload.exe
  "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1728
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:4208
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Payload.exe

Filesize
27KB

MD5
3eaff8ce09f497995f5be4dc1b3aa820

SHA1
f2b7c3546b6f55d2c797eeb2b8ed2a37e05e16e1

SHA256
c597a3de3db7b77b11beb33640dca13812dbc26cf291856810bd170039b17183

SHA512
41d223f11aa428a5e262783bf732ffabb967785c7f2a7299b259f1398bb64b4a1ab3478e7e11312268fd86ee824d0f7f33c2b1b1aa5a31754c168ca4d8a26b62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Filesize
1KB

MD5
fb3265e9a00916c090c8e20631d780c9

SHA1
b0f1735898631574ce674b72bf44dcad86bde9a8

SHA256
9805ff89469df497f964431805b4d5dd5c1c56cba56146c47b8771d6379db255

SHA512
c799bcb189d1f168a3ba5a2d3bcbd299edb7f467e17a404a8ded57333dc63f3f6271200e533fa8b8091ccedcdb9a42948a4a21697b1612883e77f8bceac0b56c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

Filesize
1KB

MD5
8a4a77f365cf4c94e6fe4c57bf5a64db

SHA1
63414a5d1837faa0a2a1706ea8556c8107599516

SHA256
daaf22e3564585771e9c7886c476966386fddd59a8a30a0ede906d6b5d531fdd

SHA512
bb7bc82ee8549760e5243648cecec66b195ef35e837f6a675c3720525107f29cfa420b8057cf03d0c5203979bb3d864517cdb49ddfafd10cdf63e1c713dd0bd1

Download Submit
memory/4616-0-0x0000000075452000-0x0000000075453000-memory.dmp

Filesize
4KB

Download
memory/4616-1-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/4616-2-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/4616-15-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/4760-14-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/4760-20-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads