8429d738392a7baf7d4fe289c560dfa3233169dd234d9885452c81691b39373c

General

Target

8429d738392a7baf7d4fe289c560dfa3233169dd234d9885452c81691b39373cN.exe
Size

527KB
MD5

9078ea88145489ae166ec9c534000ff0
SHA1

3d84ed1e46534edc57b260f81e0dc5afacc78d6a
SHA256

8429d738392a7baf7d4fe289c560dfa3233169dd234d9885452c81691b39373c
SHA512

f22e2e8b4448d3aa827d2f264ad02d591980209d411a432e0da1b7253b6bc6ff93ba17a8e72ddc6acdf48e128902d1ce78d829684c957e30ce3a47f5a9fbb450
SSDEEP

12288:QYBzgc7Bs/4DeYYzYBzgc783y84CGtjnVB5ONbs9Qj:QUgc7e/4jYzUgc78RQXBQhj

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	8429d738392a7baf7d4fe289c560dfa3233169dd234d9885452c81691b39373cN.exe

Executes dropped EXE 4 IoCs

pid	Process
2400	Patch IDM 6.xx.exe
3944	123456.exe
3872	Patch IDM 6.xx.exe
3932	123456.exe

Loads dropped DLL 1 IoCs

pid	Process
3872	Patch IDM 6.xx.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2400 set thread context of 3872	2400	Patch IDM 6.xx.exe	84
PID 3944 set thread context of 3932	3944	123456.exe	85

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3872-40-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/3872-38-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/3872-47-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/3872-45-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/3872-39-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/3872-60-0x0000000000400000-0x0000000000444000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8429d738392a7baf7d4fe289c560dfa3233169dd234d9885452c81691b39373cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Patch IDM 6.xx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	123456.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Patch IDM 6.xx.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2316	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2316	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4004	8429d738392a7baf7d4fe289c560dfa3233169dd234d9885452c81691b39373cN.exe
2400	Patch IDM 6.xx.exe
3944	123456.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4004 wrote to memory of 2400	4004	8429d738392a7baf7d4fe289c560dfa3233169dd234d9885452c81691b39373cN.exe	82
PID 4004 wrote to memory of 2400	4004	8429d738392a7baf7d4fe289c560dfa3233169dd234d9885452c81691b39373cN.exe	82
PID 4004 wrote to memory of 2400	4004	8429d738392a7baf7d4fe289c560dfa3233169dd234d9885452c81691b39373cN.exe	82
PID 4004 wrote to memory of 3944	4004	8429d738392a7baf7d4fe289c560dfa3233169dd234d9885452c81691b39373cN.exe	83
PID 4004 wrote to memory of 3944	4004	8429d738392a7baf7d4fe289c560dfa3233169dd234d9885452c81691b39373cN.exe	83
PID 4004 wrote to memory of 3944	4004	8429d738392a7baf7d4fe289c560dfa3233169dd234d9885452c81691b39373cN.exe	83
PID 2400 wrote to memory of 3872	2400	Patch IDM 6.xx.exe	84
PID 2400 wrote to memory of 3872	2400	Patch IDM 6.xx.exe	84
PID 2400 wrote to memory of 3872	2400	Patch IDM 6.xx.exe	84
PID 2400 wrote to memory of 3872	2400	Patch IDM 6.xx.exe	84
PID 2400 wrote to memory of 3872	2400	Patch IDM 6.xx.exe	84
PID 2400 wrote to memory of 3872	2400	Patch IDM 6.xx.exe	84
PID 2400 wrote to memory of 3872	2400	Patch IDM 6.xx.exe	84
PID 2400 wrote to memory of 3872	2400	Patch IDM 6.xx.exe	84
PID 3944 wrote to memory of 3932	3944	123456.exe	85
PID 3944 wrote to memory of 3932	3944	123456.exe	85
PID 3944 wrote to memory of 3932	3944	123456.exe	85
PID 3944 wrote to memory of 3932	3944	123456.exe	85
PID 3944 wrote to memory of 3932	3944	123456.exe	85
PID 3944 wrote to memory of 3932	3944	123456.exe	85
PID 3944 wrote to memory of 3932	3944	123456.exe	85

C:\Users\Admin\AppData\Local\Temp\8429d738392a7baf7d4fe289c560dfa3233169dd234d9885452c81691b39373cN.exe
"C:\Users\Admin\AppData\Local\Temp\8429d738392a7baf7d4fe289c560dfa3233169dd234d9885452c81691b39373cN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Users\Admin\AppData\Local\Temp\Patch IDM 6.xx.exe
  "C:\Users\Admin\AppData\Local\Temp\Patch IDM 6.xx.exe" 0
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Users\Admin\AppData\Local\Temp\Patch IDM 6.xx.exe
    "C:\Users\Admin\AppData\Local\Temp\Patch IDM 6.xx.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3872
- C:\Users\Admin\AppData\Local\Temp\123456.exe
  "C:\Users\Admin\AppData\Local\Temp\123456.exe" 0
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Users\Admin\AppData\Local\Temp\123456.exe
    C:\Users\Admin\AppData\Local\Temp\123456.exe
    3⤵
    - Executes dropped EXE
    PID:3932

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x308 0x394
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\123456.exe

Filesize
299KB

MD5
8285e8a3752fe609776497efde3ddcd4

SHA1
49cf1f293cdf0271600176ce08931a022f42731d

SHA256
3c59f214ae5d53379f36522e41b71f429de802aac74951e239d17f98bda340bd

SHA512
a6bbf39a8380b076ff9f9d7c940d863d63662d6a06de53e90b857c4a15ab95ab3e65b8b5a17af25fc4da435df07ed59b562c691c38ba83e82df3dc70417b97a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Patch IDM 6.xx.exe

Filesize
215KB

MD5
9fd4ec851eea8905f5cf0e5b18928a5d

SHA1
580e42f43b3fcf72023f87a726f108f08b22d228

SHA256
eadb6538f312408451f6033bad587b34f7f5b265c76a27de12fb5ec177eaec30

SHA512
69e1ff1005afac8d050b3cf0ae9d7d2da69ca20a0b0bbee21be81bd54416dc59bd0e2d26b90e214a435bc66d35d3627798e25f1332059d3b4e164eb2f8367a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\bassmod.dll

Filesize
9KB

MD5
780d14604d49e3c634200c523def8351

SHA1
e208ef6f421d2260070a9222f1f918f1de0a8eeb

SHA256
844eb66a10b848d3a71a8c63c35f0a01550a46d2ff8503e2ca8947978b03b4d2

SHA512
a49c030f11da8f0cdc4205c86bec00653ec2f8899983cad9d7195fd23255439291aaec5a7e128e1a103efd93b8566e86f15af89eba4efebf9debce14a7a5564b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3442511616-637977696-3186306149-1000\88603cb2913a7df3fbd16b5f958e6447_5ab270f5-f3a9-47d1-97d7-bbd50acf9955

Filesize
51B

MD5
5fc2ac2a310f49c14d195230b91a8885

SHA1
90855cc11136ba31758fe33b5cf9571f9a104879

SHA256
374e0e2897a7a82e0e44794cad89df0f3cdd7703886239c1fe06d625efd48092

SHA512
ab46554df9174b9fe9beba50a640f67534c3812f64d96a1fb8adfdc136dfe730ca2370825cd45b7f87a544d6a58dd868cb5a3a7f42e2789f6d679dbc0fdd52c3

Download Submit
memory/2400-46-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2400-26-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2400-25-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2400-24-0x0000000000425000-0x0000000000426000-memory.dmp

Filesize
4KB

Download
memory/2400-21-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2400-17-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2400-16-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3872-40-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3872-38-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3872-47-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3872-45-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3872-39-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3872-60-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3932-50-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3932-49-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3944-32-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3944-59-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3944-33-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing