5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17/07/2023, 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e.exe
Size

203KB
MD5

d209d42e2d604e6018129634fc2a2f38
SHA1

931d1ab97dba24013e97ee6a9247e70b0bf0ef13
SHA256

5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e
SHA512

269b0822e8160693046f30539db2ff96281f004ad37356d16aba34d5eda122dc9a0684bc414724bf90acce484b767a0dce9b4ee590eb4e620c4a7d36f964d2ef
SSDEEP

6144:Dz1xOecgEnOxUwWz1w4mcH+dZvF4lBFusBQW:31seJzWz1l+LIb

Score

8^/10

upx

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
46	2388	cscript.exe
50	2388	cscript.exe
54	2388	cscript.exe
55	2388	cscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1388-133-0x0000000000970000-0x0000000000A07000-memory.dmp	upx
behavioral2/memory/1388-153-0x0000000000970000-0x0000000000A07000-memory.dmp	upx

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\System32\WWanHC7kS.sys	cscript.exe
File created	C:\Windows\System32\notepadvba.sys	cscript.exe
File created	C:\Windows\System32\KBDGKLjdbq.sys	cscript.exe
File created	C:\Windows\System32\TabbtncGL.sys	cscript.exe
File created	C:\Windows\System32\secproc_ssp_isv7zAi.sys	cscript.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsShell8630744.log	5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e.exe
File opened for modification	C:\Windows\WindowSystemNewUpdate12.log	PackagedCWALauncher.exe
File opened for modification	C:\Windows\WindowTerminalVaild204.log	PackagedCWALauncher.exe
File opened for modification	C:\Windows\WindowsShell1651150.log	PackagedCWALauncher.exe
File opened for modification	C:\Windows\WindowRedSystem21.log	cscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\9743EE39882EFD63036E6EAD3AFFD6D765628161\Blob = 0300000001000000140000009743ee39882efd63036e6ead3affd6d7656281612000000001000000a7030000308203a33082028ba003020102020900fbf05b1de85f7471300d06092a864886f70d01010b05003068310b3009060355040613024245311a3018060355040a0c11476c6f62616c5369676e206e762d736132313d303b06035504030c34476c6f62616c5369676e204f7267616e697a6174696f6e2056616c69646174696f6e204341202d20534841323536202d20473230301e170d3230303730343033313932375a170d3330303730323033313932375a3068310b3009060355040613024245311a3018060355040a0c11476c6f62616c5369676e206e762d736132313d303b06035504030c34476c6f62616c5369676e204f7267616e697a6174696f6e2056616c69646174696f6e204341202d20534841323536202d2047323030820122300d06092a864886f70d01010105000382010f003082010a0282010100cc61da00673a536137db9ce83a8be1de99f849f34478baf32c5c5054ce3e282a76ec8312bd3464f920bf58425395e092d085f90c213b925e0871b1ea0f4753e00fc6c125462ed2d6d9c2ef5f05f0a8962982e990871c17a0aab47730728c0adb85e9f1c3f418bf34b7518281c1f9e6c475cf4076f6bf079e5b293f8d7da1e615e77cf9c537e08cec62bc50a64680cedafa1c831e04cdbd4c2cc584d01b0e9cd8bf563aaed9073596dd47a5f251f17d2aad4a2ceab564b4eace34ac1feacb5e2fbb4708856ed8492aede77cf4efe0c9393a94f521a23b7b91d2e11d1cbfc03a30f830a10219c80bc29ecb19f8ddf90c1a33bd8a062436b449a5ebd15298d5af070203010001a350304e301d0603551d0e041604149f643ac2270b3df4fb5275f235218f24ccfab143301f0603551d230418301680149f643ac2270b3df4fb5275f235218f24ccfab143300c0603551d13040530030101ff300d06092a864886f70d01010b050003820101007146eaba5a2022fafd1e8b3691ce98ac13170cbd01306433966ba6fba7c1e71da1726f86000e111a449ee8099595a532f83adba6f1f8d3a4eff5f5ea912a4503c91107db5e5ba18393555755067f4362508b123c0bc7b9eb6c300781351ba08fced43e12801c210e3ba73f24c5bceee2890b1a690033078f10a1f708f617cae77f834be56609126cb78d72d57ffa48439ffba9f50f495e3f073b1163a1e6b761180c4dccd76b50f9350046c5a1a3befaf6ca11cd31e7997d6dd4f5193a12801aad5fbb0779745de07edb50628d4a5d39109d7381133568e363578ffa7866784a3404e4e6b7a563c9830c7607b3956e7878ca2de421aafa979f17971a47198cdf	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\9743EE39882EFD63036E6EAD3AFFD6D765628161	cscript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe
2388	cscript.exe

Suspicious behavior: LoadsDriver 5 IoCs

pid	Process
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1388	5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e.exe
Token: SeDebugPrivilege	4932	PackagedCWALauncher.exe
Token: SeIncBasePriorityPrivilege	1388	5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e.exe
Token: SeDebugPrivilege	4932	PackagedCWALauncher.exe
Token: SeDebugPrivilege	4932	PackagedCWALauncher.exe
Token: SeDebugPrivilege	4932	PackagedCWALauncher.exe
Token: SeDebugPrivilege	2388	cscript.exe
Token: SeDebugPrivilege	4932	PackagedCWALauncher.exe
Token: SeDebugPrivilege	4932	PackagedCWALauncher.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 4932	1388	5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e.exe	86
PID 1388 wrote to memory of 4932	1388	5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e.exe	86
PID 1388 wrote to memory of 4932	1388	5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e.exe	86
PID 1388 wrote to memory of 4932	1388	5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e.exe	86
PID 1388 wrote to memory of 4932	1388	5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e.exe	86
PID 1388 wrote to memory of 4932	1388	5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e.exe	86
PID 1388 wrote to memory of 3764	1388	5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e.exe	92
PID 1388 wrote to memory of 3764	1388	5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e.exe	92
PID 1388 wrote to memory of 3764	1388	5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e.exe	92
PID 4932 wrote to memory of 2388	4932	PackagedCWALauncher.exe	96
PID 4932 wrote to memory of 2388	4932	PackagedCWALauncher.exe	96
PID 4932 wrote to memory of 2388	4932	PackagedCWALauncher.exe	96
PID 4932 wrote to memory of 2388	4932	PackagedCWALauncher.exe	96
PID 4932 wrote to memory of 2388	4932	PackagedCWALauncher.exe	96
PID 4932 wrote to memory of 2388	4932	PackagedCWALauncher.exe	96

C:\Users\Admin\AppData\Local\Temp\5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e.exe
"C:\Users\Admin\AppData\Local\Temp\5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\SysWOW64\PackagedCWALauncher.exe
  "C:\Windows\SysWOW64\PackagedCWALauncher.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Windows\SysWOW64\cscript.exe
    "C:\Windows\SysWOW64\cscript.exe"
    3⤵
    - Blocklisted process makes network request
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2388
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\5A1309~1.EXE > nul
  2⤵
  PID:3764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\WindowRedSystem21.log

Filesize
5KB

MD5
3277beefd3914319ac2e0e069ced5ce5

SHA1
f9795784e4dcd3b64d1808a0e491b6ff77e4ef60

SHA256
8aad6e35a45e55ebb143feba595a55cdec37e9c27f821ca818f8ae4a4778a261

SHA512
a3d9f232acead641bae93e6e31aaab9e3e4f169c975adbb8297549d711056c2082025b9671aa30a68f1fb896d3403ebe260b6d4af10a0dcc48f0287e6885d1ff

Download Submit
C:\Windows\WindowSystemNewUpdate12.log

Filesize
4KB

MD5
88921a5e2ba77c0ab353969c7a8b32f3

SHA1
ae3cd89c31f885a2d7ee494c8dee314436285718

SHA256
d65f56108c6849e044b429535b7f8ccc243d21b813b0ed8006b313affe390b38

SHA512
8a88fe3a31a5aa230d6d771bcab5c68021d22bb507eca7fffcd2427eda712c7fcbb4aaff04d20d54e0a02fca3de844737a85ffd76a53d0138b93d4fad2cc5aed

Download Submit
memory/1388-153-0x0000000000970000-0x0000000000A07000-memory.dmp

Filesize
604KB

Download
memory/1388-133-0x0000000000970000-0x0000000000A07000-memory.dmp

Filesize
604KB

Download
memory/2388-260-0x0000000010000000-0x0000000010444000-memory.dmp

Filesize
4.3MB

Download
memory/2388-246-0x0000000000C30000-0x0000000000C4B000-memory.dmp

Filesize
108KB

Download
memory/2388-313-0x0000000010000000-0x0000000010444000-memory.dmp

Filesize
4.3MB

Download
memory/2388-308-0x0000000010000000-0x0000000010444000-memory.dmp

Filesize
4.3MB

Download
memory/2388-247-0x0000000010000000-0x0000000010444000-memory.dmp

Filesize
4.3MB

Download
memory/2388-261-0x0000000010000000-0x0000000010444000-memory.dmp

Filesize
4.3MB

Download
memory/2388-249-0x0000000010000000-0x0000000010444000-memory.dmp

Filesize
4.3MB

Download
memory/2388-248-0x0000000010000000-0x0000000010444000-memory.dmp

Filesize
4.3MB

Download
memory/2388-263-0x0000000010000000-0x0000000010444000-memory.dmp

Filesize
4.3MB

Download
memory/2388-242-0x0000000010000000-0x0000000010444000-memory.dmp

Filesize
4.3MB

Download
memory/2388-223-0x0000000000600000-0x0000000000A51000-memory.dmp

Filesize
4.3MB

Download
memory/2388-224-0x0000000000C30000-0x0000000000C4B000-memory.dmp

Filesize
108KB

Download
memory/2388-227-0x0000000000C30000-0x0000000000C4B000-memory.dmp

Filesize
108KB

Download
memory/2388-231-0x0000000010000000-0x0000000010444000-memory.dmp

Filesize
4.3MB

Download
memory/2388-241-0x0000000010000000-0x0000000010444000-memory.dmp

Filesize
4.3MB

Download
memory/2388-244-0x0000000010000000-0x0000000010444000-memory.dmp

Filesize
4.3MB

Download
memory/4932-141-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/4932-259-0x0000000003720000-0x0000000003819000-memory.dmp

Filesize
996KB

Download
memory/4932-183-0x0000000001300000-0x0000000001338000-memory.dmp

Filesize
224KB

Download
memory/4932-192-0x0000000004340000-0x0000000004671000-memory.dmp

Filesize
3.2MB

Download
memory/4932-179-0x0000000003720000-0x0000000003819000-memory.dmp

Filesize
996KB

Download
memory/4932-251-0x0000000003720000-0x0000000003819000-memory.dmp

Filesize
996KB

Download
memory/4932-254-0x0000000003720000-0x0000000003819000-memory.dmp

Filesize
996KB

Download
memory/4932-255-0x0000000003720000-0x0000000003819000-memory.dmp

Filesize
996KB

Download
memory/4932-257-0x0000000003720000-0x0000000003819000-memory.dmp

Filesize
996KB

Download
memory/4932-204-0x0000000003720000-0x0000000003819000-memory.dmp

Filesize
996KB

Download
memory/4932-139-0x0000000001660000-0x000000000167B000-memory.dmp

Filesize
108KB

Download
memory/4932-177-0x0000000003720000-0x0000000003819000-memory.dmp

Filesize
996KB

Download
memory/4932-175-0x0000000003720000-0x0000000003819000-memory.dmp

Filesize
996KB

Download
memory/4932-167-0x0000000003720000-0x0000000003819000-memory.dmp

Filesize
996KB

Download
memory/4932-140-0x0000000001660000-0x000000000167B000-memory.dmp

Filesize
108KB

Download
memory/4932-137-0x0000000001660000-0x000000000167B000-memory.dmp

Filesize
108KB

Download
memory/4932-135-0x0000000000F90000-0x0000000000FF7000-memory.dmp

Filesize
412KB

Download
memory/4932-365-0x0000000007060000-0x00000000073E3000-memory.dmp

Filesize
3.5MB

Download
memory/4932-366-0x0000000007060000-0x00000000073E3000-memory.dmp

Filesize
3.5MB

Download
memory/4932-377-0x0000000007060000-0x00000000073E3000-memory.dmp

Filesize
3.5MB

Download