d587be51aa8da3d6ec72c1c3ad9c24c04c5ef97d4da7f8edb9c0ae04f6e111ab

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
28-07-2023 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

274KB
MD5

a0bfccb8cc68d350b02287d70507e70d
SHA1

3b274838cd098c2f26ece2928300fe4f1e24a9d4
SHA256

d587be51aa8da3d6ec72c1c3ad9c24c04c5ef97d4da7f8edb9c0ae04f6e111ab
SHA512

2e697d859c3c40acf033b20716fd2ecf427dbd85db470fd42907090b17dd73b7ba2506a9c56836d75f9f52ffead67258c7fb24de03715293d63ba0c349ff8cec
SSDEEP

6144:PYa689fXW3LMiiTEqOyYKFEZWAQoAALLg6UM6KYUvjuyT2XH9PDD0:PYS9fXW+TEqdXkLg6YUrui2Xd7D0

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation	tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1588	tmp.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{8DDC302F-732D-4C70-BD2C-987883A4F838}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1588 set thread context of 2916	1588	tmp.exe	81

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe
2916	tmp.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1588	tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2916	tmp.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 2916	1588	tmp.exe	81
PID 1588 wrote to memory of 2916	1588	tmp.exe	81
PID 1588 wrote to memory of 2916	1588	tmp.exe	81
PID 1588 wrote to memory of 2916	1588	tmp.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2916

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:3172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd8E19.tmp\wkybeb.dll

Filesize
49KB

MD5
9da370474c2a7427495e83bed70b87ab

SHA1
de2b22ba5cf618e0fc6ff30a8927820f1544068a

SHA256
9cba1183ed6a9a89a34805730da01edaed2026b3d3cad0e3ef9710fbeb3ec442

SHA512
bc736a5dcf5d6e227773dd59747eeb0f0035f09bc93bb85d9dc78c48e1fa62a17cef3f200102a47b94fe868020caf52aa0e3cc93b93d26db483b46e5f7aef54a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsuE947.tmp

Filesize
14KB

MD5
c01eaa0bdcd7c30a42bbb35a9acbf574

SHA1
0aee3e1b873e41d040f1991819d0027b6cc68f54

SHA256
32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40

SHA512
d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
52e5987262830ac06a64d03096f14c9f

SHA1
c46677c13180eede2c083357ecfb895685aa9d96

SHA256
344c9b27f017c7aea8b0749a54bc78d8cfcdb888abe0c0d092a11c2e35d7e054

SHA512
3de5bc70c45adcc2769ad895a562fdf30257d032e4217387603330bf0ac7468a92a27231be82c98d26a1e424d37e5dbbf6ec39579b5104e93a00e86053555952

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
4ae8effaf219686f2eddd1ec82a4720b

SHA1
d6b211e04657fa7f84df9a2b2d144a29b96927ca

SHA256
38773e59bacc99159d6860b21ed54106eb0164c8ab66a6d8f2b0fcde933b4cb5

SHA512
aed3553e949955c97bd0d94682963b5305114dba261709bbeaacc6b605c4ef2785fdadc2cf5788cb1d6df652ec5c6828e994166be0392f4ebec9e64355707da2

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
d0111e183ad8a2dbb21a1e5fd2695d3c

SHA1
e73619ac0ff2a086756560b032b3d65dba22cc4e

SHA256
67647144698abe439496f7acf8632b0cb0ef27672809205c3be15f5e952b7484

SHA512
3676e83e9058a6643097460c97168b480f187b3ac9438341f8fcfa34be55e33a1db2ebec146018d7cadc7fb4db7facd1fed86322b46bb88fc67ffbee6013cd30

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
961c227edec58db77e7bb8c9e95fb97e

SHA1
f8005b22c463d1053399e25c5e965293d9e66a2a

SHA256
f6abcf428bee721584eee491e8a34ae4bca1bbcd34ffe688cd8739b64c8613c3

SHA512
b6fb25f553cccab5cda81985bd7b3d19d45be81d258a31354753ecbb84fc5cb131586c8fe5c0aa7ab8ae0128a1f413ed0377f2d5f9354c7e18a67406a33a10fd

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
a4b3f4312dfce5082f3d8d39bf3c504b

SHA1
7f74334df4613f6377ebc2d947951e18e390fa70

SHA256
62fb06efd9448958ca877cf42ed0ac54b3a37521f612ef95590b4bfff7be73c9

SHA512
ad9358bb89e498f52bfdb5b8a1ed1b43f75b8099bf040ad622dba8e187542c08d57720fef32b0ecf222365877631215fd5d17faf98ebdb4cd00da667098fa950

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
ce0f260c4779ee04f37356422a528ff3

SHA1
781fd60f19a0564875c0406ba6c5f562078993e6

SHA256
baa7e5c3dbb45c1c8772807a62ec2216934374f72031880bd8cf46053a9d4ad9

SHA512
1e2434b4645788d780d87e04e67847926f90babec088d1711f5d4535695aeafa63f4ac388b58b974aed8d4391fa7389414dfbae7dd857296416198d934761bea

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
46e8a96f2fe29bc5cd26ab8e72402754

SHA1
e57419df0869c6359c6e14b9454ae65523fbcf27

SHA256
64b31d5ff22fb0ba5382553b5a19789d1fcc2fb42585a2c1ca3ed24930e502ac

SHA512
86e4f61babf05bd15cc896e17deb0b477be92b6edc5f79d0baa4524b4383736fe5922b44e3217748cbca7fb4caeac9726848db90a1d130e8762aaa56e70a6cec

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
68ea3359e1322624e3aba8c974e79a29

SHA1
2bb860fadba9be0648ae94caf7dedbf3d35feb5f

SHA256
b9d45317381f516f253e781b2595716f5cd1687b3bc074c0bdb64d256a4c4443

SHA512
fb5d62b296ff79f9522640f954ac20e24743ad56bfdbdf695b4ae72bfa49a2006cb425e4a1f833105200538b8c81c2a66c1ede9582619f43f77a9046e5e98436

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
c439a9eade2487f43bad60063c8ab02e

SHA1
1901bf749202e27e339788c592c483ef72e2ca09

SHA256
8c38b08947be6233f13e9b6b6ae979e62ef0aaf8b4101077fe01d3be3941b4e1

SHA512
9c3b40fc95e6def4eeac55e1594ab6703e70543d879084ced60d1098be759c4c8a58154445800d5c53246aa2b24bd9643cd6d6bb62998dda445c5ad8fdca349b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
afb7c6ad930770870eb1db21e3cb8c66

SHA1
a1f25fa281148096eb04e872b6cafe61b4d6e7c5

SHA256
d454b92d38c91d4b6919bd4bf99ed0cea0198866fc64508a60fdf4c69dcc6a97

SHA512
5e489e3b48839b027ca061f516a8cd9f401b441f4ce27a89a1c9e6f5c1088ef2aaca5e76124d2c0c22a85952331d9b86e6b789e48ab8aed669b0cb8c5bbff108

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
85b6f522ef6ecb6545f44a302dc2a227

SHA1
00eb2b76f79908788b8c75ea0a06ad7985cc3792

SHA256
3b8a7c2850c4d604b9d801d92466d9df97096063a5a365d71c842054c53590fe

SHA512
2d6026fc54122b5601505e40e6528fe7d99e60409b715a55dec24bd4b5fd7b375b27b71473d1e17fd526c2db31e0ef6c03b87d50c902637a4b877b036182cf69

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
cd67a9d7299b9b11bee6b68c35746a69

SHA1
0b1efaad13fe1af09ca3c74985aafd841e735533

SHA256
a16a3045ebd47f6440ac4bd597c9334208178d39894e472670232120792a2792

SHA512
23aa3cfa2c0b2c9b6f90bf10129edfc896c5e4c04d8bbd45c16d60bac1746b3e6abfc3e398bc4152233bb9c62ce0f2a36e74ce4d41a03c0c802c0738fe2cb375

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
602ed23aea1020f1425b3d44f94b257d

SHA1
eaeae347acdd9f029f3714c79452b5e6e5b798a1

SHA256
6e19043f80f0017f9070c93c3c63d675d77ae2de4550c4c09e61f0dce4dcbbb8

SHA512
9e384464ad3f6eb09a5a6436df1a2be26d4e9844316799e102328bd5a15f28e340e45d9fd2a24d7d87bfed99d910927265d6a5ac5c20b5ba7d54dfedee1305dc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
cb8968d9c66dd23a648bf8f83009a391

SHA1
02ccfa30ace5cd03f75fc442b1e8ae8b9dfa575e

SHA256
2498405c62d0e12794d6f2c6cfc60aeb9d30aef70ac384720e8b8c869ad8eb44

SHA512
58194420ed168274a1b9c4035e7d633010cb1c298f76d80014a514baec85640ee26ce00f55d8fdb778030e2bf83358aa0eb870f2ccea95d326c7783da36446f7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
a5c37be36cb684569c4c7b65d9968fbf

SHA1
bed5a8d34636c0834ec89c4d89cb080fd9f05789

SHA256
8818a174f09026e7a1e87f21e8d9170248807ef62d4285034f24241ea815549d

SHA512
b8d43bce336f841a8e06f5723f36e43780bdc87ac545be02f224d003a285ff60ab2f5733f6d1d1f4aa7261573235cac2df85e06bd1b03e129a439730ddd25650

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
b2a96133c66d276bdbaf4a32c6719436

SHA1
ad0dbc7ebeee6180545632489c72a558889def53

SHA256
478e08c5552f7044aaf1168ef1fc05ef514a044f1761b3c8f5d7db9a4940ef4e

SHA512
e4f1a4f8b24f2a0a3c8861a74c3925cbf88c92551965fa2d1fff32a6c5d46a07b41b346e79e73ad7813ca8a7f8930d73686c6fff98214aa3964e2c29db4cc317

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
8507b2f9df4f2784ea6daee933bb857c

SHA1
c23414cb0b1fb1e3f23874ad934c81a6633e489f

SHA256
a5884ba95773ac8fc7f969fbb1b1694854a71cd4a06018076ecf5cb518f453f9

SHA512
9779340c4a59117b4c4162d8730581560b4a5dd52604a1a64006fa4e60b4a4c2a246a054d9de00ec4cd164225de66c9de382aebcf8ac84cbd101381a3d49f83b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
6ecd0633fd73612d3aa931b6d8e7ce08

SHA1
f6c330a40bcc94fb530b517db884e02badd79be2

SHA256
ca55cc49cd41a90e43f0aec7b61de3f786b34e6ad1915b8ad2affb655475da27

SHA512
7e6a49e793ebf424702b92c561b703bd71a342f5501c34675a46d7dc47cafccb38039761702eee1804dd976facd4ee239a8c1f7bf28d966668bf20a07db4db7c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
957a22ae2bbf02ba0318988b4ec6f2a7

SHA1
924b89e1e091f62ecd6eab1f7b0f4fe2d23fe7c2

SHA256
3173fe4b5b13e6ef27bc8e26275ccda4a8368d339c5c595b83a113c8e0e11a1d

SHA512
43de5a92fb9c683c83f3ae2f615d7351ee33cb22bea5a3f1d3392b90f6063ded44941104e6b6aad25b51d7f18cbbfa5c6adf65b915589c367904f6a7ffedb557

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
64d960b26b371a6ebcfe3fcbe64d300c

SHA1
ccc8806267197c3c0ef5c018c7f076fe1f2c75f1

SHA256
f3b39e99a251d36f85c1cd48d7997d6513f95bd712c8b40bd92c42853d9354d0

SHA512
5653c1fedcd10b5e9d66b03acb5ffc0004791328c0bdb2340287fed4818aa78b9cd1e73c9d71275cc88ebccd124d1db812b839b06af9462f1d4420bc7bc1c2f7

Download Submit
memory/1588-139-0x00000000000A0000-0x00000000001A0000-memory.dmp

Filesize
1024KB

Download
memory/2916-140-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2916-141-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2916-142-0x0000000000A60000-0x0000000000DAA000-memory.dmp

Filesize
3.3MB

Download
memory/2916-143-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download