663b5f9cc1c8c974a7651cdd6a720a7bc77a59c01b8d27274a504340666fd322

Analysis

max time kernel
148s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2023, 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

663b5f9cc1c8c974a7651cdd6a720a7bc77a59c01b8d27274a504340666fd322.exe
Size

1.9MB
MD5

590b1a7d37d12106e1dbcfd063b23398
SHA1

789e25388a35a54fcf3f956cd582fa5c4ab3f595
SHA256

663b5f9cc1c8c974a7651cdd6a720a7bc77a59c01b8d27274a504340666fd322
SHA512

9c6736ee2181f91630e2208fd70f3097a6d590f3b1c822d6ad0e518d4643cf453269549435e693ff8cd6038cd1274c42d8bb4473e863fa7adb49f80f3aae9a96
SSDEEP

49152:cP0K1HDEsdSiopguI125iZblH7PJdR0ebbau1m:y71HDEfHgB7PJdnw

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	waike.exe

Executes dropped EXE 2 IoCs

pid	Process
4256	waike.exe
3648	v.exe

Loads dropped DLL 1 IoCs

pid	Process
3648	v.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/376-0-0x0000000000400000-0x000000000085F000-memory.dmp	upx
behavioral2/memory/376-3-0x0000000000400000-0x000000000085F000-memory.dmp	upx
behavioral2/files/0x0008000000023042-4.dat	upx
behavioral2/files/0x0008000000023042-5.dat	upx
behavioral2/memory/376-7-0x0000000000400000-0x000000000085F000-memory.dmp	upx
behavioral2/memory/376-8-0x0000000000400000-0x000000000085F000-memory.dmp	upx
behavioral2/memory/4256-12-0x0000000000400000-0x000000000085F000-memory.dmp	upx
behavioral2/memory/4256-13-0x0000000000400000-0x000000000085F000-memory.dmp	upx
behavioral2/memory/4256-32-0x0000000000400000-0x000000000085F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	663b5f9cc1c8c974a7651cdd6a720a7bc77a59c01b8d27274a504340666fd322.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	waike.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
376	663b5f9cc1c8c974a7651cdd6a720a7bc77a59c01b8d27274a504340666fd322.exe
376	663b5f9cc1c8c974a7651cdd6a720a7bc77a59c01b8d27274a504340666fd322.exe
4256	waike.exe
4256	waike.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	3648	v.exe
Token: 35	3648	v.exe
Token: SeSecurityPrivilege	3648	v.exe
Token: SeSecurityPrivilege	3648	v.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
376	663b5f9cc1c8c974a7651cdd6a720a7bc77a59c01b8d27274a504340666fd322.exe
376	663b5f9cc1c8c974a7651cdd6a720a7bc77a59c01b8d27274a504340666fd322.exe
4256	waike.exe
4256	waike.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4256 wrote to memory of 3576	4256	waike.exe	92
PID 4256 wrote to memory of 3576	4256	waike.exe	92
PID 4256 wrote to memory of 3576	4256	waike.exe	92
PID 4256 wrote to memory of 3648	4256	waike.exe	96
PID 4256 wrote to memory of 3648	4256	waike.exe	96
PID 4256 wrote to memory of 3648	4256	waike.exe	96

C:\Users\Admin\AppData\Local\Temp\663b5f9cc1c8c974a7651cdd6a720a7bc77a59c01b8d27274a504340666fd322.exe
"C:\Users\Admin\AppData\Local\Temp\663b5f9cc1c8c974a7651cdd6a720a7bc77a59c01b8d27274a504340666fd322.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:376

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4976

C:\mina\waike.exe
"C:\mina\waike.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Public\xiaodaxzqxia\n.bat
  2⤵
  PID:3576
- C:\Users\Public\xiaodaxzqxia\v.exe
  "C:\Users\Public\xiaodaxzqxia\v.exe" x 111 -y
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:3648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\xiaodaxzqxia\111

Filesize
18B

MD5
11bc70016f1fde86d2cdce0846a5076f

SHA1
d01eb4d8423b89b743643b80b1fb8e649cbad4e5

SHA256
94568641d14104f957b438b273187700590b63f0c22f52235d8e5b77233efd3c

SHA512
e4a25b57d4b682d08911a693ff0fcffc7f3cabbe60d820105f1fc47bd8b7c1740ab371e1ef7f94d5b6b2811d5dc3f4af2c382ee91fe4ba614384e405cd114da1

Download Submit
C:\Users\Public\xiaodaxzqxia\7z.dll

Filesize
1.2MB

MD5
a65e53c974a4e61728ecb632339a0978

SHA1
27e6ec4f8e34b40f1e08503245700c182b918ce9

SHA256
ca8ab5aeef734f24a3c58bf10b3f0152c2ea1329b02d2730448693df563b4c6a

SHA512
b029962f08867496cd3fd5e9af4b0703dae918e938aee759aeffbb4184ea6d3e81e0878ba8957e80d30db5d7b6fc8598e68918a4d16b3d010f31a2e16417593e

Download Submit
C:\Users\Public\xiaodaxzqxia\7z.dll

Filesize
1.2MB

MD5
a65e53c974a4e61728ecb632339a0978

SHA1
27e6ec4f8e34b40f1e08503245700c182b918ce9

SHA256
ca8ab5aeef734f24a3c58bf10b3f0152c2ea1329b02d2730448693df563b4c6a

SHA512
b029962f08867496cd3fd5e9af4b0703dae918e938aee759aeffbb4184ea6d3e81e0878ba8957e80d30db5d7b6fc8598e68918a4d16b3d010f31a2e16417593e

Download Submit
C:\Users\Public\xiaodaxzqxia\n.bat

Filesize
18B

MD5
11bc70016f1fde86d2cdce0846a5076f

SHA1
d01eb4d8423b89b743643b80b1fb8e649cbad4e5

SHA256
94568641d14104f957b438b273187700590b63f0c22f52235d8e5b77233efd3c

SHA512
e4a25b57d4b682d08911a693ff0fcffc7f3cabbe60d820105f1fc47bd8b7c1740ab371e1ef7f94d5b6b2811d5dc3f4af2c382ee91fe4ba614384e405cd114da1

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe

Filesize
329KB

MD5
62d2156e3ca8387964f7aa13dd1ccd5b

SHA1
a5067e046ed9ea5512c94d1d17c394d6cf89ccca

SHA256
59cbfba941d3ac0238219daa11c93969489b40f1e8b38fabdb5805ac3dd72bfa

SHA512
006f7c46021f339b6cbf9f0b80cffa74abb8d48e12986266d069738c4e6bdb799bfba4b8ee4565a01e90dbe679a96a2399d795a6ead6eacbb4818a155858bf60

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe

Filesize
329KB

MD5
62d2156e3ca8387964f7aa13dd1ccd5b

SHA1
a5067e046ed9ea5512c94d1d17c394d6cf89ccca

SHA256
59cbfba941d3ac0238219daa11c93969489b40f1e8b38fabdb5805ac3dd72bfa

SHA512
006f7c46021f339b6cbf9f0b80cffa74abb8d48e12986266d069738c4e6bdb799bfba4b8ee4565a01e90dbe679a96a2399d795a6ead6eacbb4818a155858bf60

Download Submit
C:\mina\kbnaxxc.exe

Filesize
18B

MD5
11bc70016f1fde86d2cdce0846a5076f

SHA1
d01eb4d8423b89b743643b80b1fb8e649cbad4e5

SHA256
94568641d14104f957b438b273187700590b63f0c22f52235d8e5b77233efd3c

SHA512
e4a25b57d4b682d08911a693ff0fcffc7f3cabbe60d820105f1fc47bd8b7c1740ab371e1ef7f94d5b6b2811d5dc3f4af2c382ee91fe4ba614384e405cd114da1

Download Submit
C:\mina\waike.exe

Filesize
1.9MB

MD5
590b1a7d37d12106e1dbcfd063b23398

SHA1
789e25388a35a54fcf3f956cd582fa5c4ab3f595

SHA256
663b5f9cc1c8c974a7651cdd6a720a7bc77a59c01b8d27274a504340666fd322

SHA512
9c6736ee2181f91630e2208fd70f3097a6d590f3b1c822d6ad0e518d4643cf453269549435e693ff8cd6038cd1274c42d8bb4473e863fa7adb49f80f3aae9a96

Download Submit
C:\mina\waike.exe

Filesize
1.9MB

MD5
590b1a7d37d12106e1dbcfd063b23398

SHA1
789e25388a35a54fcf3f956cd582fa5c4ab3f595

SHA256
663b5f9cc1c8c974a7651cdd6a720a7bc77a59c01b8d27274a504340666fd322

SHA512
9c6736ee2181f91630e2208fd70f3097a6d590f3b1c822d6ad0e518d4643cf453269549435e693ff8cd6038cd1274c42d8bb4473e863fa7adb49f80f3aae9a96

Download Submit
memory/376-7-0x0000000000400000-0x000000000085F000-memory.dmp

Filesize
4.4MB

Download
memory/376-8-0x0000000000400000-0x000000000085F000-memory.dmp

Filesize
4.4MB

Download
memory/376-0-0x0000000000400000-0x000000000085F000-memory.dmp

Filesize
4.4MB

Download
memory/376-3-0x0000000000400000-0x000000000085F000-memory.dmp

Filesize
4.4MB

Download
memory/4256-13-0x0000000000400000-0x000000000085F000-memory.dmp

Filesize
4.4MB

Download
memory/4256-12-0x0000000000400000-0x000000000085F000-memory.dmp

Filesize
4.4MB

Download
memory/4256-32-0x0000000000400000-0x000000000085F000-memory.dmp

Filesize
4.4MB

Download