046de6836ee8444c13d3c1544533093ec44dd61e90f1a6e2743351e7daf371b1

Analysis

max time kernel
34s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

046de6836ee8444c13d3c1544533093ec44dd61e90f1a6e2743351e7daf371b1.exe
Size

364KB
MD5

be96132451b2a81b7959ebb4ab55d028
SHA1

42ec1976b38e8dbb8c4f89024f1d3a51835f20d6
SHA256

046de6836ee8444c13d3c1544533093ec44dd61e90f1a6e2743351e7daf371b1
SHA512

e020a72931412539cc62377afcb5ef78bbfc639b45564c8f619438361f72eb194bba317845dd5a766de98e6b9044bfc3f733838958caeee57034eb44fa60398c
SSDEEP

6144:CI09vpbAQ6nGavV0vu3a7tYECfwdzObXUHjIGINJgpJoPJwLfK6ormyo5o+SFWD/:e9vpN6D0vkxwVCEDINOpJOAK3yy+SFk/

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1672-55-0x0000000000400000-0x00000000004F4000-memory.dmp	upx
behavioral1/memory/1672-56-0x0000000000400000-0x00000000004F4000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

046de6836ee8444c13d3c1544533093ec44dd61e90f1a6e2743351e7daf371b1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	046de6836ee8444c13d3c1544533093ec44dd61e90f1a6e2743351e7daf371b1.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

046de6836ee8444c13d3c1544533093ec44dd61e90f1a6e2743351e7daf371b1.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1672	046de6836ee8444c13d3c1544533093ec44dd61e90f1a6e2743351e7daf371b1.exe
Token: SeSecurityPrivilege	1672	046de6836ee8444c13d3c1544533093ec44dd61e90f1a6e2743351e7daf371b1.exe
Token: SeTakeOwnershipPrivilege	1672	046de6836ee8444c13d3c1544533093ec44dd61e90f1a6e2743351e7daf371b1.exe
Token: SeLoadDriverPrivilege	1672	046de6836ee8444c13d3c1544533093ec44dd61e90f1a6e2743351e7daf371b1.exe
Token: SeSystemProfilePrivilege	1672	046de6836ee8444c13d3c1544533093ec44dd61e90f1a6e2743351e7daf371b1.exe
Token: SeSystemtimePrivilege	1672	046de6836ee8444c13d3c1544533093ec44dd61e90f1a6e2743351e7daf371b1.exe
Token: SeProfSingleProcessPrivilege	1672	046de6836ee8444c13d3c1544533093ec44dd61e90f1a6e2743351e7daf371b1.exe
Token: SeIncBasePriorityPrivilege	1672	046de6836ee8444c13d3c1544533093ec44dd61e90f1a6e2743351e7daf371b1.exe
Token: SeCreatePagefilePrivilege	1672	046de6836ee8444c13d3c1544533093ec44dd61e90f1a6e2743351e7daf371b1.exe
Token: SeBackupPrivilege	1672	046de6836ee8444c13d3c1544533093ec44dd61e90f1a6e2743351e7daf371b1.exe
Token: SeRestorePrivilege	1672	046de6836ee8444c13d3c1544533093ec44dd61e90f1a6e2743351e7daf371b1.exe
Token: SeShutdownPrivilege	1672	046de6836ee8444c13d3c1544533093ec44dd61e90f1a6e2743351e7daf371b1.exe
Token: SeDebugPrivilege	1672	046de6836ee8444c13d3c1544533093ec44dd61e90f1a6e2743351e7daf371b1.exe
Token: SeSystemEnvironmentPrivilege	1672	046de6836ee8444c13d3c1544533093ec44dd61e90f1a6e2743351e7daf371b1.exe
Token: SeChangeNotifyPrivilege	1672	046de6836ee8444c13d3c1544533093ec44dd61e90f1a6e2743351e7daf371b1.exe
Token: SeRemoteShutdownPrivilege	1672	046de6836ee8444c13d3c1544533093ec44dd61e90f1a6e2743351e7daf371b1.exe
Token: SeUndockPrivilege	1672	046de6836ee8444c13d3c1544533093ec44dd61e90f1a6e2743351e7daf371b1.exe
Token: SeManageVolumePrivilege	1672	046de6836ee8444c13d3c1544533093ec44dd61e90f1a6e2743351e7daf371b1.exe
Token: SeImpersonatePrivilege	1672	046de6836ee8444c13d3c1544533093ec44dd61e90f1a6e2743351e7daf371b1.exe
Token: SeCreateGlobalPrivilege	1672	046de6836ee8444c13d3c1544533093ec44dd61e90f1a6e2743351e7daf371b1.exe
Token: 33	1672	046de6836ee8444c13d3c1544533093ec44dd61e90f1a6e2743351e7daf371b1.exe
Token: 34	1672	046de6836ee8444c13d3c1544533093ec44dd61e90f1a6e2743351e7daf371b1.exe
Token: 35	1672	046de6836ee8444c13d3c1544533093ec44dd61e90f1a6e2743351e7daf371b1.exe

C:\Users\Admin\AppData\Local\Temp\046de6836ee8444c13d3c1544533093ec44dd61e90f1a6e2743351e7daf371b1.exe
"C:\Users\Admin\AppData\Local\Temp\046de6836ee8444c13d3c1544533093ec44dd61e90f1a6e2743351e7daf371b1.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:1672

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1672-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1672-55-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/1672-56-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download