f862f85bc053d246be5d8bbec4a0486bec53a1168d5f06ffa7223d6fa3afc2d7

General

Target

f862f85bc053d246be5d8bbec4a0486bec53a1168d5f06ffa7223d6fa3afc2d7.exe
Size

279KB
MD5

20a311b4d4e248c0f3845293df9976c5
SHA1

cfbf38d13475e96d3f5897fb8ee1c8be9ec8683d
SHA256

f862f85bc053d246be5d8bbec4a0486bec53a1168d5f06ffa7223d6fa3afc2d7
SHA512

e38e0f92892fcf3a33fdb0f3fe27c90535cd3ae136f46255b1f23ddbe0cbd3d1831c99871ee35a289860e9f2938614bc36e5e2fa6f6f0ad3f20adee91f606dda
SSDEEP

6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fc:boSeGUA5YZazpXUmZhZ6E

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	f862f85bc053d246be5d8bbec4a0486bec53a1168d5f06ffa7223d6fa3afc2d7.exe

Executes dropped EXE 1 IoCs

pid	Process
1852	a1punf5t2of.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe"	f862f85bc053d246be5d8bbec4a0486bec53a1168d5f06ffa7223d6fa3afc2d7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1punf5t2of.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f862f85bc053d246be5d8bbec4a0486bec53a1168d5f06ffa7223d6fa3afc2d7.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 1852	4860	f862f85bc053d246be5d8bbec4a0486bec53a1168d5f06ffa7223d6fa3afc2d7.exe	84
PID 4860 wrote to memory of 1852	4860	f862f85bc053d246be5d8bbec4a0486bec53a1168d5f06ffa7223d6fa3afc2d7.exe	84
PID 4860 wrote to memory of 1852	4860	f862f85bc053d246be5d8bbec4a0486bec53a1168d5f06ffa7223d6fa3afc2d7.exe	84
PID 1852 wrote to memory of 1900	1852	a1punf5t2of.exe	97
PID 1852 wrote to memory of 1900	1852	a1punf5t2of.exe	97
PID 1852 wrote to memory of 1900	1852	a1punf5t2of.exe	97

C:\Users\Admin\AppData\Local\Temp\f862f85bc053d246be5d8bbec4a0486bec53a1168d5f06ffa7223d6fa3afc2d7.exe
"C:\Users\Admin\AppData\Local\Temp\f862f85bc053d246be5d8bbec4a0486bec53a1168d5f06ffa7223d6fa3afc2d7.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
  "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
    "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
    3⤵
    PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

Filesize
279KB

MD5
08784e1f419cf779e85996c4683e96f0

SHA1
f589d0ab68b630c35a245c8d69af7f15284f6a94

SHA256
f177c493346892e89eccfb57655156f2731cb9625d7596c5ccc788d2e249dbd2

SHA512
2bb4f6832e7144984819bd597877311bf02ccb6ec75e081590b14137d4fe3127f4b62f63dca7a42c2f88581003e3de27ca85f5b76b388fe5299c66b8738b1b07

Download Submit
memory/1852-21-0x0000000074A70000-0x0000000075021000-memory.dmp

Filesize
5.7MB

Download
memory/1852-22-0x0000000074A70000-0x0000000075021000-memory.dmp

Filesize
5.7MB

Download
memory/1852-29-0x0000000074A70000-0x0000000075021000-memory.dmp

Filesize
5.7MB

Download
memory/1852-27-0x0000000074A70000-0x0000000075021000-memory.dmp

Filesize
5.7MB

Download
memory/1852-24-0x0000000074A70000-0x0000000075021000-memory.dmp

Filesize
5.7MB

Download
memory/1852-26-0x0000000074A70000-0x0000000075021000-memory.dmp

Filesize
5.7MB

Download
memory/1852-25-0x0000000074A70000-0x0000000075021000-memory.dmp

Filesize
5.7MB

Download
memory/4860-7-0x0000000074A70000-0x0000000075021000-memory.dmp

Filesize
5.7MB

Download
memory/4860-5-0x0000000074A70000-0x0000000075021000-memory.dmp

Filesize
5.7MB

Download
memory/4860-23-0x0000000074A70000-0x0000000075021000-memory.dmp

Filesize
5.7MB

Download
memory/4860-1-0x0000000074A70000-0x0000000075021000-memory.dmp

Filesize
5.7MB

Download
memory/4860-0-0x0000000074A72000-0x0000000074A73000-memory.dmp

Filesize
4KB

Download
memory/4860-2-0x0000000074A70000-0x0000000075021000-memory.dmp

Filesize
5.7MB

Download
memory/4860-6-0x0000000074A70000-0x0000000075021000-memory.dmp

Filesize
5.7MB

Download
memory/4860-4-0x0000000074A72000-0x0000000074A73000-memory.dmp

Filesize
4KB

Download
memory/4860-3-0x0000000074A70000-0x0000000075021000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads