2376f9459e9b88e65ada6e461b424a6d78dc14d440c804ae4718d5048d6b4d2d

Analysis

max time kernel
93s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 14:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2376f9459e9b88e65ada6e461b424a6d78dc14d440c804ae4718d5048d6b4d2d.exe
Size

796KB
MD5

06754eb000e0b4b58ad291faf42f14e9
SHA1

bf687aff6d404d0ac93377e7477747d394209c3b
SHA256

2376f9459e9b88e65ada6e461b424a6d78dc14d440c804ae4718d5048d6b4d2d
SHA512

19eacee7b384e288304438518c5696a109bbeacf5beb2e9710bc567ed4c40a51b2bc028c40ffe8dd6be9290408f8a6eb5d638d3911195cf996beb5491c6bf525
SSDEEP

12288:lYUTPi/XM4DShe9EcHPLrLZ5AICgkTP3/xgAmRULccC1sXfyKWkBB9SI2hsdzETb:jyM4DSs9FvzAICgkTmPUosfy8BI4dzG

Score

8^/10

spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
404	crypted.exe
1396	GunzLa11123uncher.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0002000000022df2-140.dat	upx
behavioral2/files/0x0002000000022df2-141.dat	upx
behavioral2/memory/1396-142-0x0000000000400000-0x000000000076C000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	2376f9459e9b88e65ada6e461b424a6d78dc14d440c804ae4718d5048d6b4d2d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	crypted.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 404	4960	2376f9459e9b88e65ada6e461b424a6d78dc14d440c804ae4718d5048d6b4d2d.exe	83
PID 4960 wrote to memory of 404	4960	2376f9459e9b88e65ada6e461b424a6d78dc14d440c804ae4718d5048d6b4d2d.exe	83
PID 4960 wrote to memory of 404	4960	2376f9459e9b88e65ada6e461b424a6d78dc14d440c804ae4718d5048d6b4d2d.exe	83
PID 404 wrote to memory of 1396	404	crypted.exe	84
PID 404 wrote to memory of 1396	404	crypted.exe	84
PID 404 wrote to memory of 1396	404	crypted.exe	84

C:\Users\Admin\AppData\Local\Temp\2376f9459e9b88e65ada6e461b424a6d78dc14d440c804ae4718d5048d6b4d2d.exe
"C:\Users\Admin\AppData\Local\Temp\2376f9459e9b88e65ada6e461b424a6d78dc14d440c804ae4718d5048d6b4d2d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Users\Admin\AppData\Local\Temp\crypted.exe
  "C:\Users\Admin\AppData\Local\Temp\crypted.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Users\Admin\AppData\Roaming\GunzLa11123uncher.exe
    "C:\Users\Admin\AppData\Roaming\GunzLa11123uncher.exe"
    3⤵
    - Executes dropped EXE
    PID:1396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\crypted.exe

Filesize
736KB

MD5
6f848418b4271978bc688a91977a16bb

SHA1
6699b983bd59f8678a3927889d721ccf00945754

SHA256
ae177cf0711421731133a1824feb1fd213b2dd9ee81a890962fb37cfcaefe299

SHA512
0944f9136d779e0013f7603a0121cdad3b28081269fae560dfeb5ca2ce2b0cf8364dbd887b8a48b72f3ddb983986393c130ee422b1ede7bf5c4ba3ed246f5fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\crypted.exe

Filesize
736KB

MD5
6f848418b4271978bc688a91977a16bb

SHA1
6699b983bd59f8678a3927889d721ccf00945754

SHA256
ae177cf0711421731133a1824feb1fd213b2dd9ee81a890962fb37cfcaefe299

SHA512
0944f9136d779e0013f7603a0121cdad3b28081269fae560dfeb5ca2ce2b0cf8364dbd887b8a48b72f3ddb983986393c130ee422b1ede7bf5c4ba3ed246f5fa8

Download Submit
C:\Users\Admin\AppData\Roaming\GunzLa11123uncher.exe

Filesize
395KB

MD5
93ebc09621f224b5bff90acc5cea846f

SHA1
60b6956ef4150a714cba3d57869908bde81e68e3

SHA256
4cd2379ad7c574b9c271537ed12044c131e65f680b0ad35103d2f060f8e67d37

SHA512
ceaea3d0c210372dd93ad969bbbc37dc8086a81cb49914eacd0375a45acd9dc7fa7b59a6e5b0a9aa2bbf506d2b465917d3431d41cedbe3c15f7567d8f5dca5e4

Download Submit
C:\Users\Admin\AppData\Roaming\GunzLa11123uncher.exe

Filesize
395KB

MD5
93ebc09621f224b5bff90acc5cea846f

SHA1
60b6956ef4150a714cba3d57869908bde81e68e3

SHA256
4cd2379ad7c574b9c271537ed12044c131e65f680b0ad35103d2f060f8e67d37

SHA512
ceaea3d0c210372dd93ad969bbbc37dc8086a81cb49914eacd0375a45acd9dc7fa7b59a6e5b0a9aa2bbf506d2b465917d3431d41cedbe3c15f7567d8f5dca5e4

Download Submit
memory/1396-142-0x0000000000400000-0x000000000076C000-memory.dmp

Filesize
3.4MB

Download
memory/4960-135-0x00007FFCED520000-0x00007FFCEDF56000-memory.dmp

Filesize
10.2MB

Download