c43ee639d5bd670380d60f87cbc5ec33dfb86f13f73dca0e1add6ad174dd3927

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2023, 16:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

CMS.exe
Size

30.9MB
MD5

805286832dbafa6f8656d2195e0de804
SHA1

a03be35bcce8e82d301e0feed30e74d4ae32c164
SHA256

c43ee639d5bd670380d60f87cbc5ec33dfb86f13f73dca0e1add6ad174dd3927
SHA512

3cfc9f3fd4ab0feb8a82788e43d9f964d9de35624972758e4f0da27adbad5a5af6a0502057818cbc9f7bf8041003904196aa30c116a8ff9fe5ff2eeec1720260
SSDEEP

786432:KFRzzjjR5HPHB0/a0yuCtVjw6x1CVVEJi0:Ezp5vHB0y0BCbx1e6

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	CMS.exe

Executes dropped EXE 1 IoCs

pid	Process
1936	irsetup.exe

Loads dropped DLL 1 IoCs

pid	Process
1936	irsetup.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000022f83-138.dat	upx
behavioral2/files/0x0007000000022f83-143.dat	upx
behavioral2/files/0x0007000000022f83-144.dat	upx
behavioral2/memory/1936-145-0x0000000000400000-0x00000000007CB000-memory.dmp	upx
behavioral2/memory/1936-156-0x0000000000400000-0x00000000007CB000-memory.dmp	upx
behavioral2/memory/1936-160-0x0000000000400000-0x00000000007CB000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\CMS Setup Log.txt	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1936	irsetup.exe
1936	irsetup.exe
1936	irsetup.exe
1936	irsetup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 660 wrote to memory of 1936	660	CMS.exe	84
PID 660 wrote to memory of 1936	660	CMS.exe	84
PID 660 wrote to memory of 1936	660	CMS.exe	84

C:\Users\Admin\AppData\Local\Temp\CMS.exe
"C:\Users\Admin\AppData\Local\Temp\CMS.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:660
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1742194 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\CMS.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-4238149048-355649189-894321705-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:1936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
dec931e86140139380ea0df57cd132b6

SHA1
b717fd548382064189c16cb94dda28b1967a5712

SHA256
5ffd4b20dccfb84c8890abdb780184a7651e760aefba4ab0c6fba5b2a81f97d9

SHA512
14d594e88c4a1f0ec8bc1b4fe2d66e26358f907b1106c047ada35d500ca9e608f1ce5a57599453cf10f11f4d9f1948ced9056ce8bd944b16eca7e9b83e8b27af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
dec931e86140139380ea0df57cd132b6

SHA1
b717fd548382064189c16cb94dda28b1967a5712

SHA256
5ffd4b20dccfb84c8890abdb780184a7651e760aefba4ab0c6fba5b2a81f97d9

SHA512
14d594e88c4a1f0ec8bc1b4fe2d66e26358f907b1106c047ada35d500ca9e608f1ce5a57599453cf10f11f4d9f1948ced9056ce8bd944b16eca7e9b83e8b27af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
dec931e86140139380ea0df57cd132b6

SHA1
b717fd548382064189c16cb94dda28b1967a5712

SHA256
5ffd4b20dccfb84c8890abdb780184a7651e760aefba4ab0c6fba5b2a81f97d9

SHA512
14d594e88c4a1f0ec8bc1b4fe2d66e26358f907b1106c047ada35d500ca9e608f1ce5a57599453cf10f11f4d9f1948ced9056ce8bd944b16eca7e9b83e8b27af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
318KB

MD5
b5fc476c1bf08d5161346cc7dd4cb0ba

SHA1
280fac9cf711d93c95f6b80ac97d89cf5853c096

SHA256
12cb9b8f59c00ef40ea8f28bfc59a29f12dc28332bf44b1a5d8d6a8823365650

SHA512
17fa97f399287b941e958d2d42fe6adb62700b01d9dbe0c824604e8e06d903b330f9d7d8ffb109bfb7f6742f46e7e9cedad6981f0d94d629b8402d0a0174f697

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
318KB

MD5
b5fc476c1bf08d5161346cc7dd4cb0ba

SHA1
280fac9cf711d93c95f6b80ac97d89cf5853c096

SHA256
12cb9b8f59c00ef40ea8f28bfc59a29f12dc28332bf44b1a5d8d6a8823365650

SHA512
17fa97f399287b941e958d2d42fe6adb62700b01d9dbe0c824604e8e06d903b330f9d7d8ffb109bfb7f6742f46e7e9cedad6981f0d94d629b8402d0a0174f697

Download Submit
memory/1936-145-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download
memory/1936-156-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download
memory/1936-160-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download