dd598d177dd0ea11a65634553455381f5765efdbf3cca6f9dc813605211fb269

Analysis

max time kernel
145s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2023 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

I_Type_DataSheet_Rev.1.2.exe
Size

625KB
MD5

d25fd2bf6433842ddaa3325c03a635b2
SHA1

ab77c3d4cdf83fa03b1680d46e1cea3876ecc100
SHA256

dd598d177dd0ea11a65634553455381f5765efdbf3cca6f9dc813605211fb269
SHA512

8f140acbbce890fde111bb77a037dd966bc87a85b082f20c1d348c4d3c72b9fd1572cbada80bb9a0d48986eea1b0b88fbf279a474aeea51017f62fc349860140
SSDEEP

12288:ZYD6x+fitDJhG/y2GHfQiPQlcw//234LS5cJ72A39dNzS5A+eG3ONANKCO:ZYDxatPUe5QlbTO5MKA3LNe5reeONAgF

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	lwpaexujpr.exe

Executes dropped EXE 2 IoCs

pid	Process
2496	lwpaexujpr.exe
4800	lwpaexujpr.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2496 set thread context of 4800	2496	lwpaexujpr.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe
4800	lwpaexujpr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2496	lwpaexujpr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4800	lwpaexujpr.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2496	lwpaexujpr.exe
2496	lwpaexujpr.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2496	lwpaexujpr.exe
2496	lwpaexujpr.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 2496	4248	I_Type_DataSheet_Rev.1.2.exe	84
PID 4248 wrote to memory of 2496	4248	I_Type_DataSheet_Rev.1.2.exe	84
PID 4248 wrote to memory of 2496	4248	I_Type_DataSheet_Rev.1.2.exe	84
PID 2496 wrote to memory of 4800	2496	lwpaexujpr.exe	85
PID 2496 wrote to memory of 4800	2496	lwpaexujpr.exe	85
PID 2496 wrote to memory of 4800	2496	lwpaexujpr.exe	85
PID 2496 wrote to memory of 4800	2496	lwpaexujpr.exe	85

C:\Users\Admin\AppData\Local\Temp\I_Type_DataSheet_Rev.1.2.exe
"C:\Users\Admin\AppData\Local\Temp\I_Type_DataSheet_Rev.1.2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Users\Admin\AppData\Local\Temp\lwpaexujpr.exe
  "C:\Users\Admin\AppData\Local\Temp\lwpaexujpr.exe" "C:\Users\Admin\AppData\Local\Temp\dkjeyk.au3"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Users\Admin\AppData\Local\Temp\lwpaexujpr.exe
    "C:\Users\Admin\AppData\Local\Temp\lwpaexujpr.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dkjeyk.au3

Filesize
4KB

MD5
ec83df204e938f82e2ef46f87ec1b9de

SHA1
7105b454e52203dd546148ab09dc633b1b6622d7

SHA256
e3d9e777c29de4696e4d157e0d83aeb9e6b6920c2e061bc885fcf5dc33bfb455

SHA512
9fc1ab1ef772d6b1c1828ec9d903460b47a25b56c34dc1c4a8196e87e45d9a3a97d2e407c711e8eab5893d6dc0def0b161ba130b0eb243328262890542510254

Download Submit
C:\Users\Admin\AppData\Local\Temp\idfygvx.hi

Filesize
51KB

MD5
c5442681840ea82715f33cb1d6610bf4

SHA1
04e237bcf6537d27067a42626632a2fdaa91b652

SHA256
3646bb02dcca1a7bb9144289b6803e20f23e11922b53e0f7d538d65ad3dc237a

SHA512
a2d6faa2631df18d8ec12a08ba357841cfd0e6e909a3daa4b9d0dc8845d236d50b7663df8ababe3447cd11528f018d0e3258f3318a001e057df3c6c5d2fe197b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwpaexujpr.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwpaexujpr.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\plycxy.k

Filesize
206KB

MD5
6422500ff342b70b8d00b1a1d97a27fe

SHA1
68576eedf5ce38404d18ca119f8777e2a4e9ddc4

SHA256
eeef57763d45048334d25604dd86ecb2fd3f38e6f3cb77b88cc9bd70312c9b3e

SHA512
677d773fcfd619d404ba8b4b3f6b1e8ac476e0dc204622c1236c617fd18266fddf3e047c71ea5bd3061c903d204e394c59ac4b03b23be1def55183b8b7945cf0

Download Submit
memory/2496-141-0x0000000000AF0000-0x0000000000AF2000-memory.dmp

Filesize
8KB

Download
memory/4800-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4800-147-0x0000000001B60000-0x0000000001EAA000-memory.dmp

Filesize
3.3MB

Download
memory/4800-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download