d298091720ef629a5875e8401bab0d52b69bda21405f33c6b2fc541d7a76ea5a

General

Target

d298091720ef629a5875e8401bab0d52b69bda21405f33c6b2fc541d7a76ea5aN.exe
Size

255KB
MD5

b752dabd40b9c00fe078081203724b90
SHA1

6a4e8bbc68cf11783cd03c00be469cd39d97a10a
SHA256

d298091720ef629a5875e8401bab0d52b69bda21405f33c6b2fc541d7a76ea5a
SHA512

2854ac169f620d1cd880b636371139e746ac8c8f210f4dd9d307590f878bed70bf43ed7f11eb43fb4a4ef5433a1c93913bf805940555938a2f5fa4cdf8b04aa6
SSDEEP

6144:85p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQSD:EeGUA5YZazpXUmZhdD

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d298091720ef629a5875e8401bab0d52b69bda21405f33c6b2fc541d7a76ea5aN.exe

Executes dropped EXE 1 IoCs

pid	Process
4012	a1punf5t2of.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe"	d298091720ef629a5875e8401bab0d52b69bda21405f33c6b2fc541d7a76ea5aN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d298091720ef629a5875e8401bab0d52b69bda21405f33c6b2fc541d7a76ea5aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1punf5t2of.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 4012	1800	d298091720ef629a5875e8401bab0d52b69bda21405f33c6b2fc541d7a76ea5aN.exe	87
PID 1800 wrote to memory of 4012	1800	d298091720ef629a5875e8401bab0d52b69bda21405f33c6b2fc541d7a76ea5aN.exe	87
PID 1800 wrote to memory of 4012	1800	d298091720ef629a5875e8401bab0d52b69bda21405f33c6b2fc541d7a76ea5aN.exe	87
PID 4012 wrote to memory of 4808	4012	a1punf5t2of.exe	90
PID 4012 wrote to memory of 4808	4012	a1punf5t2of.exe	90
PID 4012 wrote to memory of 4808	4012	a1punf5t2of.exe	90

C:\Users\Admin\AppData\Local\Temp\d298091720ef629a5875e8401bab0d52b69bda21405f33c6b2fc541d7a76ea5aN.exe
"C:\Users\Admin\AppData\Local\Temp\d298091720ef629a5875e8401bab0d52b69bda21405f33c6b2fc541d7a76ea5aN.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
  "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
    "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
    3⤵
    PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

Filesize
255KB

MD5
742ebc9126b225b65e1366b183d12f75

SHA1
063c281d2f4a2dc9ca9baeac446baf3ddbaa8421

SHA256
59d28feb37517a5e8eae24dea9fc24bf65b72c47311dd9a5f63d41157b99cc12

SHA512
d1a1d1779f612174ed52f990d777dc1776e7ec2ab23378d974d9f90bf6b5534799143334c7ea502c94ebf1ed79466288d8eda97fcab92c29ef1f83cb1efff4c4

Download Submit
memory/1800-4-0x00000000753D2000-0x00000000753D3000-memory.dmp

Filesize
4KB

Download
memory/1800-21-0x00000000753D0000-0x0000000075981000-memory.dmp

Filesize
5.7MB

Download
memory/1800-3-0x00000000753D0000-0x0000000075981000-memory.dmp

Filesize
5.7MB

Download
memory/1800-0-0x00000000753D2000-0x00000000753D3000-memory.dmp

Filesize
4KB

Download
memory/1800-5-0x00000000753D0000-0x0000000075981000-memory.dmp

Filesize
5.7MB

Download
memory/1800-6-0x00000000753D0000-0x0000000075981000-memory.dmp

Filesize
5.7MB

Download
memory/1800-2-0x00000000753D0000-0x0000000075981000-memory.dmp

Filesize
5.7MB

Download
memory/1800-1-0x00000000753D0000-0x0000000075981000-memory.dmp

Filesize
5.7MB

Download
memory/1800-7-0x00000000753D0000-0x0000000075981000-memory.dmp

Filesize
5.7MB

Download
memory/4012-22-0x00000000753D0000-0x0000000075981000-memory.dmp

Filesize
5.7MB

Download
memory/4012-23-0x00000000753D0000-0x0000000075981000-memory.dmp

Filesize
5.7MB

Download
memory/4012-24-0x00000000753D0000-0x0000000075981000-memory.dmp

Filesize
5.7MB

Download
memory/4012-25-0x00000000753D0000-0x0000000075981000-memory.dmp

Filesize
5.7MB

Download
memory/4012-26-0x00000000753D0000-0x0000000075981000-memory.dmp

Filesize
5.7MB

Download
memory/4012-28-0x00000000753D0000-0x0000000075981000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads