47462368df6de2d5cacba41ec50a611122c81f80a80b43267ec8a521ba39defd

Analysis

max time kernel
148s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2023, 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47462368df6de2d5cacba41ec50a611122c81f80a80b43267ec8a521ba39defd.exe
Size

58KB
MD5

3f86cb6afbfb77e5364211eccb475aaf
SHA1

b8c7ad29b8656721f3d070971e209df99a72b909
SHA256

47462368df6de2d5cacba41ec50a611122c81f80a80b43267ec8a521ba39defd
SHA512

b7f929bcd63292e4c935a923cdfd50d03bffc98928ab738c7f20ce492de13111f0341d4e0610c39948dbc0057378f63ec75bd88e19a5ccc45aca008519a27cd1
SSDEEP

768:ewC7DvsqpL3A9wrDlmgeU1MbL1403s9Nsg/C3bhmWu7hU2:d4DnLaw3eU1MbL14fqg/YTy

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	47462368df6de2d5cacba41ec50a611122c81f80a80b43267ec8a521ba39defd.exe

Executes dropped EXE 1 IoCs

pid	Process
1792	RJW620230603C5XK.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1920-133-0x00000000005F0000-0x0000000000617000-memory.dmp	upx
behavioral2/files/0x00020000000225e5-152.dat	upx
behavioral2/memory/1920-156-0x00000000005F0000-0x0000000000617000-memory.dmp	upx
behavioral2/files/0x00020000000225e5-155.dat	upx
behavioral2/files/0x00020000000225e5-154.dat	upx
behavioral2/memory/1792-159-0x0000000000A70000-0x0000000000A97000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1792	RJW620230603C5XK.exe
1792	RJW620230603C5XK.exe
1792	RJW620230603C5XK.exe
1792	RJW620230603C5XK.exe
1792	RJW620230603C5XK.exe
1792	RJW620230603C5XK.exe
1792	RJW620230603C5XK.exe
1792	RJW620230603C5XK.exe
1792	RJW620230603C5XK.exe
1792	RJW620230603C5XK.exe
1792	RJW620230603C5XK.exe
1792	RJW620230603C5XK.exe
1792	RJW620230603C5XK.exe
1792	RJW620230603C5XK.exe
1792	RJW620230603C5XK.exe
1792	RJW620230603C5XK.exe
1792	RJW620230603C5XK.exe
1792	RJW620230603C5XK.exe
1792	RJW620230603C5XK.exe
1792	RJW620230603C5XK.exe
1792	RJW620230603C5XK.exe
1792	RJW620230603C5XK.exe
1792	RJW620230603C5XK.exe
1792	RJW620230603C5XK.exe
1792	RJW620230603C5XK.exe
1792	RJW620230603C5XK.exe
1792	RJW620230603C5XK.exe
1792	RJW620230603C5XK.exe
1792	RJW620230603C5XK.exe
1792	RJW620230603C5XK.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1792	RJW620230603C5XK.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 1792	1920	47462368df6de2d5cacba41ec50a611122c81f80a80b43267ec8a521ba39defd.exe	84
PID 1920 wrote to memory of 1792	1920	47462368df6de2d5cacba41ec50a611122c81f80a80b43267ec8a521ba39defd.exe	84
PID 1920 wrote to memory of 1792	1920	47462368df6de2d5cacba41ec50a611122c81f80a80b43267ec8a521ba39defd.exe	84

C:\Users\Admin\AppData\Local\Temp\47462368df6de2d5cacba41ec50a611122c81f80a80b43267ec8a521ba39defd.exe
"C:\Users\Admin\AppData\Local\Temp\47462368df6de2d5cacba41ec50a611122c81f80a80b43267ec8a521ba39defd.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1920
- C:\ProgramData\A\RJW620230603C5XK.exe
  "C:\ProgramData\A\RJW620230603C5XK.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\A\RJW620230603C5XK.exe

Filesize
58KB

MD5
3f86cb6afbfb77e5364211eccb475aaf

SHA1
b8c7ad29b8656721f3d070971e209df99a72b909

SHA256
47462368df6de2d5cacba41ec50a611122c81f80a80b43267ec8a521ba39defd

SHA512
b7f929bcd63292e4c935a923cdfd50d03bffc98928ab738c7f20ce492de13111f0341d4e0610c39948dbc0057378f63ec75bd88e19a5ccc45aca008519a27cd1

Download Submit
C:\ProgramData\A\RJW620230603C5XK.exe

Filesize
58KB

MD5
3f86cb6afbfb77e5364211eccb475aaf

SHA1
b8c7ad29b8656721f3d070971e209df99a72b909

SHA256
47462368df6de2d5cacba41ec50a611122c81f80a80b43267ec8a521ba39defd

SHA512
b7f929bcd63292e4c935a923cdfd50d03bffc98928ab738c7f20ce492de13111f0341d4e0610c39948dbc0057378f63ec75bd88e19a5ccc45aca008519a27cd1

Download Submit
C:\ProgramData\A\RJW620230603C5XK.exe

Filesize
58KB

MD5
3f86cb6afbfb77e5364211eccb475aaf

SHA1
b8c7ad29b8656721f3d070971e209df99a72b909

SHA256
47462368df6de2d5cacba41ec50a611122c81f80a80b43267ec8a521ba39defd

SHA512
b7f929bcd63292e4c935a923cdfd50d03bffc98928ab738c7f20ce492de13111f0341d4e0610c39948dbc0057378f63ec75bd88e19a5ccc45aca008519a27cd1

Download Submit
C:\ProgramData\H

Filesize
144KB

MD5
a29623afa0f30b83b24ecd3b3e347b0b

SHA1
4ba08887adc21c05f175ee403d5122d647aac7ae

SHA256
f57c5e3be5bc0d81239bd2ba39f8b3e3d4da356a6812c62d974e08d4f2c4df1b

SHA512
753d1fd90a45e10dd837a8bdc5935d3a1e8ecc981e3035d09ba3d2ec7a78936d1ba6bf783f3d798bcd01421d12269cd2a6327861c15967e2982d66edefb987fb

Download Submit
memory/1792-158-0x00000000008B0000-0x00000000008D7000-memory.dmp

Filesize
156KB

Download
memory/1792-159-0x0000000000A70000-0x0000000000A97000-memory.dmp

Filesize
156KB

Download
memory/1920-133-0x00000000005F0000-0x0000000000617000-memory.dmp

Filesize
156KB

Download
memory/1920-147-0x0000000005530000-0x0000000005557000-memory.dmp

Filesize
156KB

Download
memory/1920-156-0x00000000005F0000-0x0000000000617000-memory.dmp

Filesize
156KB

Download