fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd

General

Target

fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe
Size

1.2MB
MD5

8031ba7c7db878cb3ddd3bf3f9bea80b
SHA1

58bff6171067acc0b51c5c61c04de60b036bbb5c
SHA256

fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd
SHA512

581fa0775baca47a48c4b14f186d085ea8c8f37e52faa516b4bcf5bd4958b3fbde0df8dcd5ed65163a928e58ef1c4ac2938d476920be7fd8e72d90f494658d11
SSDEEP

24576:+2A4MROxnFE30rXpCrZlI0AilFEvxHinYhrpo:+2jMiuepCrZlI0AilFEvxHig

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe

Executes dropped EXE 2 IoCs

pid	Process
3712	WindowsInput.exe
2080	WindowsInput.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.exe	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Academy\quard.ai	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe
File opened for modification	C:\Program Files\Windows Academy\quard.ai	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe
File created	C:\Program Files\Windows Academy\quard.ai.config	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe
File created	C:\Windows\assembly\Desktop.ini	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2468	OpenWith.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 4092	316	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe	84
PID 316 wrote to memory of 4092	316	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe	84
PID 4092 wrote to memory of 4020	4092	csc.exe	86
PID 4092 wrote to memory of 4020	4092	csc.exe	86
PID 316 wrote to memory of 3712	316	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe	88
PID 316 wrote to memory of 3712	316	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe	88

C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe
"C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:316
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fl3uhf1_.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4092
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E39.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7E38.tmp"
    3⤵
    PID:4020
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:3712

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:2080

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7E39.tmp

Filesize
1KB

MD5
e00c06b9d381d5e2dc2abf067879b993

SHA1
f5f27a5bc9b2503015f09bb4db0a4644be0d3737

SHA256
b80ce57ded51291a0539c44a8f33cc09bea67f7e06d32a9c71c3bee114ad7e58

SHA512
7d71913ed9b5de591a0fd97c8ed1a1cf0f97ff551e2d1d3d82c36050644f7cfd4d229976c0d19377ab43d5604471cae24ef7ec4dc71afc258e3ffff85a2b4826

Download Submit
C:\Users\Admin\AppData\Local\Temp\fl3uhf1_.dll

Filesize
76KB

MD5
b0fa9e36f6d4571d6046f1afe8b05f5e

SHA1
f39c3e0e2da16c694dc3682aecef6e7a72bba407

SHA256
242367ce8e74dc9b8a6d16b67989e9831ebf4158be278020798ce28426c498e5

SHA512
64c0ea0fc8b5b1328fc083d773e49e029d99eabb2ff0ceed5c7db2fae7ff864927e95c514a4a723f9f88d1232c1991149f3a1ef0424361dd20ebf5624fdc142e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC7E38.tmp

Filesize
676B

MD5
ef41cadd0412aa3306ba47248215bfa5

SHA1
2dc0d058d06bcd01289b377c965bacaa65e24829

SHA256
2c1ed363f46f5371e2084478fd6029aa388eeeb39dc2d1f1813d1b19ce50f6fc

SHA512
6ccc306fe2c3e69ffef061dd47db7b42a458f76403f64370aa1fb256efd49f9068c39a99645d443f92511e67c29430df214f870d1de6d9b410c83f5bc20cc849

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fl3uhf1_.0.cs

Filesize
208KB

MD5
e3cd938efa5531036103fd7e5448b46d

SHA1
04f1a25cb644627568807f4d6fb1b892ffdf9704

SHA256
a35e437546da0f52654e0f763794ccf925631f4c4f2f39858a3a480adc614ae0

SHA512
30f76ddc3f85391fcc131f0afb6f86b3cac7579702f6faab8308f36c5fdd75650bf47f07c72537827177094a5197d85766a7169ddf9fcdf37e865d7548545aa1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fl3uhf1_.cmdline

Filesize
349B

MD5
a9965a129b625696f84ef9811309eb96

SHA1
64b6aee24a82fb3a97018f834ece9c4f0412716a

SHA256
e443a3b0fb24949b00df151fe942bc697363e4e74d783c637852b8c3db64a967

SHA512
0798b42c02017fda9a9aaa32b37f83017c627c716caceffefd4fa93314f625151c271c2348acd9797a86cb5748a8523c39aa0060dc193df39df6ed74682fac93

Download Submit
memory/316-28-0x000000001D6B0000-0x000000001D712000-memory.dmp

Filesize
392KB

Download
memory/316-27-0x000000001BFB0000-0x000000001BFB8000-memory.dmp

Filesize
32KB

Download
memory/316-7-0x000000001C6B0000-0x000000001CB7E000-memory.dmp

Filesize
4.8MB

Download
memory/316-64-0x00007FFC0EA90000-0x00007FFC0F431000-memory.dmp

Filesize
9.6MB

Download
memory/316-23-0x000000001D2C0000-0x000000001D2D6000-memory.dmp

Filesize
88KB

Download
memory/316-6-0x00007FFC0EA90000-0x00007FFC0F431000-memory.dmp

Filesize
9.6MB

Download
memory/316-1-0x00007FFC0EA90000-0x00007FFC0F431000-memory.dmp

Filesize
9.6MB

Download
memory/316-5-0x000000001C0B0000-0x000000001C0BE000-memory.dmp

Filesize
56KB

Download
memory/316-25-0x00000000019E0000-0x00000000019F2000-memory.dmp

Filesize
72KB

Download
memory/316-0-0x00007FFC0ED45000-0x00007FFC0ED46000-memory.dmp

Filesize
4KB

Download
memory/316-29-0x000000001E010000-0x000000001E5CA000-memory.dmp

Filesize
5.7MB

Download
memory/316-31-0x000000001D810000-0x000000001D82E000-memory.dmp

Filesize
120KB

Download
memory/316-30-0x000000001E5D0000-0x000000001E6C0000-memory.dmp

Filesize
960KB

Download
memory/316-8-0x000000001CC20000-0x000000001CCBC000-memory.dmp

Filesize
624KB

Download
memory/316-26-0x00000000019C0000-0x00000000019C8000-memory.dmp

Filesize
32KB

Download
memory/316-32-0x000000001E6D0000-0x000000001E719000-memory.dmp

Filesize
292KB

Download
memory/316-33-0x00007FFC0EA90000-0x00007FFC0F431000-memory.dmp

Filesize
9.6MB

Download
memory/316-34-0x000000001E7B0000-0x000000001E820000-memory.dmp

Filesize
448KB

Download
memory/316-35-0x00007FFC0EA90000-0x00007FFC0F431000-memory.dmp

Filesize
9.6MB

Download
memory/316-37-0x000000001EA80000-0x000000001EAA0000-memory.dmp

Filesize
128KB

Download
memory/316-2-0x000000001BFC0000-0x000000001C01C000-memory.dmp

Filesize
368KB

Download
memory/2080-59-0x0000000019DF0000-0x0000000019EFA000-memory.dmp

Filesize
1.0MB

Download
memory/3712-52-0x00000000006C0000-0x00000000006CC000-memory.dmp

Filesize
48KB

Download
memory/3712-51-0x00007FFC0BCE3000-0x00007FFC0BCE5000-memory.dmp

Filesize
8KB

Download
memory/3712-54-0x0000000001020000-0x000000000105C000-memory.dmp

Filesize
240KB

Download
memory/3712-53-0x0000000000FA0000-0x0000000000FB2000-memory.dmp

Filesize
72KB

Download
memory/4092-21-0x00007FFC0EA90000-0x00007FFC0F431000-memory.dmp

Filesize
9.6MB

Download
memory/4092-16-0x00007FFC0EA90000-0x00007FFC0F431000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing