6ce44f34bd45f608f0d6f7078eb8f662258f046d1c1ba19a1f9da2a475632930

General

Target

6ce44f34bd45f608f0d6f7078eb8f662258f046d1c1ba19a1f9da2a475632930N.exe
Size

255KB
MD5

3814b1e3275621d0fd2d800b66c37460
SHA1

aec0738d7c89a5ff5d5486616519aaaaf40f7c01
SHA256

6ce44f34bd45f608f0d6f7078eb8f662258f046d1c1ba19a1f9da2a475632930
SHA512

df80fec77c5649539a596ad1d06f1a3f9049015ac61b61d4ba1d891d28fb866ea992d66f8f8b215a742b81ba5d2d7e9c202a8c832944dcc0b47b245da9663bcc
SSDEEP

6144:85p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ9A:EeGUA5YZazpXUmZhmA

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	6ce44f34bd45f608f0d6f7078eb8f662258f046d1c1ba19a1f9da2a475632930N.exe

Executes dropped EXE 1 IoCs

pid	Process
3612	a1punf5t2of.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe"	6ce44f34bd45f608f0d6f7078eb8f662258f046d1c1ba19a1f9da2a475632930N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ce44f34bd45f608f0d6f7078eb8f662258f046d1c1ba19a1f9da2a475632930N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1punf5t2of.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 3612	4952	6ce44f34bd45f608f0d6f7078eb8f662258f046d1c1ba19a1f9da2a475632930N.exe	89
PID 4952 wrote to memory of 3612	4952	6ce44f34bd45f608f0d6f7078eb8f662258f046d1c1ba19a1f9da2a475632930N.exe	89
PID 4952 wrote to memory of 3612	4952	6ce44f34bd45f608f0d6f7078eb8f662258f046d1c1ba19a1f9da2a475632930N.exe	89
PID 3612 wrote to memory of 1472	3612	a1punf5t2of.exe	90
PID 3612 wrote to memory of 1472	3612	a1punf5t2of.exe	90
PID 3612 wrote to memory of 1472	3612	a1punf5t2of.exe	90

C:\Users\Admin\AppData\Local\Temp\6ce44f34bd45f608f0d6f7078eb8f662258f046d1c1ba19a1f9da2a475632930N.exe
"C:\Users\Admin\AppData\Local\Temp\6ce44f34bd45f608f0d6f7078eb8f662258f046d1c1ba19a1f9da2a475632930N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
  "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
    "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
    3⤵
    PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

Filesize
255KB

MD5
1af05aa27446ffca4ab12db5311cf2e6

SHA1
9753162662afcfcd1c1d5b6ee4588894be308443

SHA256
8fad780e5c90e79b2b1b94ec987c155a537b9482253e9802fbcf4041e76403d9

SHA512
5cea58a443229036c13c28874c762b7e1dc00ff757ffd0e0566e43a7bcf4e4bf9d2968f14c4f060959baa05bec64460dc5377240b15d277f6fb9d44d3369dc3b

Download Submit
memory/3612-24-0x00000000755E0000-0x0000000075B91000-memory.dmp

Filesize
5.7MB

Download
memory/3612-23-0x00000000755E0000-0x0000000075B91000-memory.dmp

Filesize
5.7MB

Download
memory/3612-29-0x00000000755E0000-0x0000000075B91000-memory.dmp

Filesize
5.7MB

Download
memory/3612-27-0x00000000755E0000-0x0000000075B91000-memory.dmp

Filesize
5.7MB

Download
memory/3612-21-0x00000000755E0000-0x0000000075B91000-memory.dmp

Filesize
5.7MB

Download
memory/3612-26-0x00000000755E0000-0x0000000075B91000-memory.dmp

Filesize
5.7MB

Download
memory/3612-25-0x00000000755E0000-0x0000000075B91000-memory.dmp

Filesize
5.7MB

Download
memory/4952-7-0x00000000755E0000-0x0000000075B91000-memory.dmp

Filesize
5.7MB

Download
memory/4952-5-0x00000000755E0000-0x0000000075B91000-memory.dmp

Filesize
5.7MB

Download
memory/4952-1-0x00000000755E0000-0x0000000075B91000-memory.dmp

Filesize
5.7MB

Download
memory/4952-22-0x00000000755E0000-0x0000000075B91000-memory.dmp

Filesize
5.7MB

Download
memory/4952-0-0x00000000755E2000-0x00000000755E3000-memory.dmp

Filesize
4KB

Download
memory/4952-2-0x00000000755E0000-0x0000000075B91000-memory.dmp

Filesize
5.7MB

Download
memory/4952-6-0x00000000755E0000-0x0000000075B91000-memory.dmp

Filesize
5.7MB

Download
memory/4952-4-0x00000000755E2000-0x00000000755E3000-memory.dmp

Filesize
4KB

Download
memory/4952-3-0x00000000755E0000-0x0000000075B91000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads