5df89adb4ee77c297723f878efaa85ef584ef00f404e2fe76f9a4931ec9d8855

General

Target

textview466732.exe
Size

1.1MB
MD5

3a7e5d1f2647dd5b8db9b826116f4ec6
SHA1

85cdf938d50c68137dd6b344dfa54efb7236f486
SHA256

927d0ba12659ceffb9d3f45ad9eb34bc9f8a9b6931499cf08a2d94be0dbf8019
SHA512

5774393a5960b7fb3f63de19ee07b3c5803dd6164a746382014313121f3ce263be9a5122e38e0a83503d38e7eafa3328c325b7c26276c9e7b7ddad5fb5217d10
SSDEEP

24576:0AOcZ2i7OX8FbAQFred8TPwUcztVqEubl83o9ZkbgWf:ifAgdgPTWfqEUU2Zkt

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	textview466732.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
4168	ancwg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4168 set thread context of 5112	4168	ancwg.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1416	5112	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	textview466732.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ancwg.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	textview466732.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 3400	2992	textview466732.exe	83
PID 2992 wrote to memory of 3400	2992	textview466732.exe	83
PID 2992 wrote to memory of 3400	2992	textview466732.exe	83
PID 3400 wrote to memory of 4168	3400	WScript.exe	84
PID 3400 wrote to memory of 4168	3400	WScript.exe	84
PID 3400 wrote to memory of 4168	3400	WScript.exe	84
PID 4168 wrote to memory of 1684	4168	ancwg.exe	85
PID 4168 wrote to memory of 1684	4168	ancwg.exe	85
PID 4168 wrote to memory of 1684	4168	ancwg.exe	85
PID 4168 wrote to memory of 5112	4168	ancwg.exe	86
PID 4168 wrote to memory of 5112	4168	ancwg.exe	86
PID 4168 wrote to memory of 5112	4168	ancwg.exe	86
PID 4168 wrote to memory of 5112	4168	ancwg.exe	86
PID 4168 wrote to memory of 5112	4168	ancwg.exe	86
PID 4168 wrote to memory of 5112	4168	ancwg.exe	86

C:\Users\Admin\AppData\Local\Temp\textview466732.exe
"C:\Users\Admin\AppData\Local\Temp\textview466732.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\9_17\loktij.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3400
- - C:\Users\Admin\AppData\Roaming\9_17\ancwg.exe
    "C:\Users\Admin\AppData\Roaming\9_17\ancwg.exe" tdovgconqm.doo
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4168
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:1684
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:5112
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 184
        5⤵
        Program crash
        
        PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5112 -ip 5112
1⤵
PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\9_17\ancwg.exe

Filesize
999KB

MD5
1dbba7abb9198c4247cbfb258fe5233d

SHA1
cd5a35e75ec61b6d7c3bbeb7b882d0d2d79b05be

SHA256
6a18e69d28b177619e672f93fd97bdbfd13160faecd63f942728dc18254afb88

SHA512
503cb461c0f60c62bada9b1aefa787ed97480192d8f91455e08ac8781919c1b61751a091ce647d9c92995e925429f0ae616f4d7c2187717397f7a1e6fd811e98

Download Submit
C:\Users\Admin\AppData\Roaming\9_17\loktij.vbe

Filesize
32KB

MD5
a0f2cc1a68c0ee17e6ad23edb5b43b3c

SHA1
ca051ea6a373aef9a0d1fc4f3c820ee49a6d543d

SHA256
828170311fb9150893fabfe2beaefe76fcfc51b6c47ef1c083f9b3abd8d9579f

SHA512
c0a199aa86426f476e53b7e29554d65470344ec00885fa3112eeb1587f1e08b194437686677a5b2bd7211ab14730ac991d531b04fce7ba3261006121ec0fc446

Download Submit
C:\Users\Admin\AppData\Roaming\9_17\mxoh.vck

Filesize
370KB

MD5
83db844b878b3bc92af73d2456006a00

SHA1
7318597c222b84d360536093417394dffdef6488

SHA256
308f70793505d5111933cee976cf565bdc5465e9426d4757d17abe1459f0b344

SHA512
527bf572e87fc14736c70aa0cb89f6276578b19da6d1e23cac29b20684d3138883358d4147d8b9854b80953d382f2eefdfbeaf82e6c79374eab08b39aeeeb4d5

Download Submit
C:\Users\Admin\AppData\Roaming\9_17\uubvcvvjcj.mp3

Filesize
46KB

MD5
76f1eef14097bbbe2b4e376d5c6b1b76

SHA1
304946f2dffde8bbbd4929b347665e20dc5ce04e

SHA256
8fb5ca6e4bbddeee4d83315797b0bbcf3f31670285a36a94505e073d01a78839

SHA512
2d34ee83bcf8e05294c96d117dbf6f3fc7aa45d48a6c638f42d32d118200a59d37d283d75e6d4e15159f85cb6dc0c25cd555a852894814f0fa95b86a330424ae

Download Submit

Analysis

Sharing