fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd

General

Target

fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe
Size

1.2MB
MD5

8031ba7c7db878cb3ddd3bf3f9bea80b
SHA1

58bff6171067acc0b51c5c61c04de60b036bbb5c
SHA256

fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd
SHA512

581fa0775baca47a48c4b14f186d085ea8c8f37e52faa516b4bcf5bd4958b3fbde0df8dcd5ed65163a928e58ef1c4ac2938d476920be7fd8e72d90f494658d11
SSDEEP

24576:+2A4MROxnFE30rXpCrZlI0AilFEvxHinYhrpo:+2jMiuepCrZlI0AilFEvxHig

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe

Executes dropped EXE 2 IoCs

pid	Process
2848	WindowsInput.exe
4804	WindowsInput.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.exe	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Academy\quard.ai	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe
File opened for modification	C:\Program Files\Windows Academy\quard.ai	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe
File created	C:\Program Files\Windows Academy\quard.ai.config	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe
File created	C:\Windows\assembly\Desktop.ini	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3480	OpenWith.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3896 wrote to memory of 2552	3896	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe	83
PID 3896 wrote to memory of 2552	3896	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe	83
PID 2552 wrote to memory of 320	2552	csc.exe	85
PID 2552 wrote to memory of 320	2552	csc.exe	85
PID 3896 wrote to memory of 2848	3896	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe	87
PID 3896 wrote to memory of 2848	3896	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe	87

C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe
"C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ta53kmuz.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA99.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAA98.tmp"
    3⤵
    PID:320
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2848

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:4804

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAA99.tmp

Filesize
1KB

MD5
dad72e0cf5615d3c0256c846c54d0147

SHA1
f937dcdfab5c0c17c74649e22bbcad555769c79a

SHA256
536e3ab5a3e7513e6e4bbc77893c77f7e52e0335cdf0e395ff2430ba25ce5ad8

SHA512
c2774f7daac10dc03ba751e129befa1ed713c7630932d143983808cdca305a6534e554d83726ccb16afc92bcfaa93954e23dbb8cf89f773d06dd75638262d13a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ta53kmuz.dll

Filesize
76KB

MD5
f41b6ed8496a336ddc6d84d9eca352de

SHA1
3e2f7ab184958724048b30130b21e68a8bc6d995

SHA256
f433493e2265aa2b3d240540a5eac37078c588173674fbfb9ec74932a014f621

SHA512
366e595419b4927ae113f3d56b707479c6fc5c94a1f1129ecdc8aa52b715045157bb8efc2218d0f3c84eabdf62b71c2c9213d51fd5cd6370cdd5f16f43a48554

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCAA98.tmp

Filesize
676B

MD5
108d6361cd8f0acf85a43ac5d8d9d087

SHA1
a47b1d0abac07297e00f1b4e2e39fe3a3f2714fe

SHA256
e1ea1e0aaa536c3e6aeb7ed74032dd8db5c0827cf479d5ff85a4c846084f8011

SHA512
45de26df90c376ab43ac06c57e21aa64acc4c9656143a6fdc5759d29accc5477095d23a53ecbeaa72bbb6e6ed595526850a4b2916d8a751ef02b007b3591049c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ta53kmuz.0.cs

Filesize
208KB

MD5
623a887a29ef5982cc8306cdaa2af122

SHA1
c21227c8cf36134d47e36bd06e141170f70e3ad3

SHA256
ca32c2fcf0ef199b64143069ae63e9a88cf800eefaef72837670d9f64872178e

SHA512
2899605d40c47a3c4f0d2f7b3efb97b5ab4855e5a34d90642f4ac46169d477de40fe649123adee1bd33d2a773d1db42914cf0e7ec6add9c85da3a7043e6cd85a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ta53kmuz.cmdline

Filesize
349B

MD5
3e68a0ea9f69a0ec777a3d14dabb2e7c

SHA1
6d2f4f1d559c569903fa23d5b32bff15237e63bb

SHA256
dd8e7fe8331ff751194dbd47effa1cec24e25c86f590896dcc1531d8d3fa32e3

SHA512
05f4f0433daf5ccaf61e8dca65851023700549df5a62520010b2a8eac5655bce7170466cd958c6414f446a5d3cbe82cac38ac6416bc5383bf603a814619e853d

Download Submit
memory/2552-16-0x00007FFAE2D60000-0x00007FFAE3701000-memory.dmp

Filesize
9.6MB

Download
memory/2552-21-0x00007FFAE2D60000-0x00007FFAE3701000-memory.dmp

Filesize
9.6MB

Download
memory/2848-51-0x00007FFADF813000-0x00007FFADF815000-memory.dmp

Filesize
8KB

Download
memory/2848-52-0x0000000000790000-0x000000000079C000-memory.dmp

Filesize
48KB

Download
memory/2848-53-0x0000000002930000-0x0000000002942000-memory.dmp

Filesize
72KB

Download
memory/2848-54-0x000000001B380000-0x000000001B3BC000-memory.dmp

Filesize
240KB

Download
memory/3896-26-0x0000000000E70000-0x0000000000E78000-memory.dmp

Filesize
32KB

Download
memory/3896-34-0x000000001DC70000-0x000000001DCE0000-memory.dmp

Filesize
448KB

Download
memory/3896-25-0x000000001B3D0000-0x000000001B3E2000-memory.dmp

Filesize
72KB

Download
memory/3896-0-0x00007FFAE3015000-0x00007FFAE3016000-memory.dmp

Filesize
4KB

Download
memory/3896-27-0x000000001B460000-0x000000001B468000-memory.dmp

Filesize
32KB

Download
memory/3896-28-0x000000001CB70000-0x000000001CBD2000-memory.dmp

Filesize
392KB

Download
memory/3896-29-0x000000001D4D0000-0x000000001DA8A000-memory.dmp

Filesize
5.7MB

Download
memory/3896-30-0x000000001DA90000-0x000000001DB80000-memory.dmp

Filesize
960KB

Download
memory/3896-31-0x000000001CCD0000-0x000000001CCEE000-memory.dmp

Filesize
120KB

Download
memory/3896-32-0x000000001DB90000-0x000000001DBD9000-memory.dmp

Filesize
292KB

Download
memory/3896-33-0x00007FFAE2D60000-0x00007FFAE3701000-memory.dmp

Filesize
9.6MB

Download
memory/3896-23-0x000000001C780000-0x000000001C796000-memory.dmp

Filesize
88KB

Download
memory/3896-35-0x00007FFAE2D60000-0x00007FFAE3701000-memory.dmp

Filesize
9.6MB

Download
memory/3896-37-0x000000001DF40000-0x000000001DF60000-memory.dmp

Filesize
128KB

Download
memory/3896-8-0x000000001C0E0000-0x000000001C17C000-memory.dmp

Filesize
624KB

Download
memory/3896-7-0x000000001BC10000-0x000000001C0DE000-memory.dmp

Filesize
4.8MB

Download
memory/3896-6-0x000000001B660000-0x000000001B66E000-memory.dmp

Filesize
56KB

Download
memory/3896-3-0x00007FFAE2D60000-0x00007FFAE3701000-memory.dmp

Filesize
9.6MB

Download
memory/3896-2-0x000000001B470000-0x000000001B4CC000-memory.dmp

Filesize
368KB

Download
memory/3896-1-0x00007FFAE2D60000-0x00007FFAE3701000-memory.dmp

Filesize
9.6MB

Download
memory/3896-64-0x00007FFAE2D60000-0x00007FFAE3701000-memory.dmp

Filesize
9.6MB

Download
memory/4804-59-0x000000001A2C0000-0x000000001A3CA000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing