9dc0053878c15164b5589ae5f4e693623a0df49165134d7c52d628657a7219ff

Analysis

max time kernel
152s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 12:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9-27.exe
Size

4.9MB
MD5

652fd497d8e9242ec1c799a5c4082c65
SHA1

02ba874a3f6e9656c9dd1838c045b6f4f000ca6c
SHA256

98915cb3b4f8ba2f373c98a14b1383f4606f17d28e7064bdab5098d92bc1caf7
SHA512

1ccb55449c6783b6634b966c9c89e32c54d0aff4154577afa11f3d6e4de09992c45483b9560f0713c4841ed3144e5e96ab5a674a083abd162bce6e41ab2ca6c1
SSDEEP

98304:CDHfQecech3jH6pZBoj9ghi1RebM390bYViJ5ZNP4c8Zv+1+MXjT:CpShYojD390bYViJ94cUMT

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	9-27.exe

Executes dropped EXE 1 IoCs

pid	Process
620	OBQud8.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000023244-7.dat	upx
behavioral2/files/0x0006000000023244-12.dat	upx
behavioral2/memory/620-13-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral2/files/0x0006000000023244-15.dat	upx
behavioral2/memory/620-55-0x0000000000400000-0x0000000000558000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5064	9-27.exe
5064	9-27.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
5064	9-27.exe
5064	9-27.exe
5064	9-27.exe
5064	9-27.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
5064	9-27.exe
5064	9-27.exe
5064	9-27.exe
5064	9-27.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5064	9-27.exe
5064	9-27.exe
620	OBQud8.exe
620	OBQud8.exe
620	OBQud8.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 620	5064	9-27.exe	86
PID 5064 wrote to memory of 620	5064	9-27.exe	86
PID 5064 wrote to memory of 620	5064	9-27.exe	86
PID 620 wrote to memory of 4196	620	OBQud8.exe	90
PID 620 wrote to memory of 4196	620	OBQud8.exe	90
PID 620 wrote to memory of 4196	620	OBQud8.exe	90

C:\Users\Admin\AppData\Local\Temp\9-27.exe
"C:\Users\Admin\AppData\Local\Temp\9-27.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Users\Public\Videos\OBQud8.exe
  "C:\Users\Public\Videos\OBQud8.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo.>c:\xxxx.ini
    3⤵
    PID:4196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG2.JPG

Filesize
36KB

MD5
f6bf82a293b69aa5b47d4e2de305d45a

SHA1
4948716616d4bbe68be2b4c5bf95350402d3f96f

SHA256
6a9368cdd7b3ff9b590e206c3536569bc45c338966d0059784959f73fe6281e0

SHA512
edf0f3ee60a620cf886184c1014f38d0505aac9e3703d61d7074cfb27d6922f80e570d1a3891593606a09f1296a88c8770445761c11c390a99a5341ee56478aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG3.JPG

Filesize
6KB

MD5
e39405e85e09f64ccde0f59392317dd3

SHA1
9c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b

SHA256
cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f

SHA512
6733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a

Download Submit
C:\Users\Public\Videos\Edge.jpg

Filesize
358KB

MD5
f1c9193af3e7286be2290b8a19792a0f

SHA1
dd70af44fe61187c7348787a1c5bf6a61a9469b9

SHA256
4f6e68496585ae5ad16dcf5b86c7c06b456d4489fefef5ec5439e1d28a4ba2b4

SHA512
e3981ef5ce67cb8863466e02ac227b6ec36d816a841419bcdbb40e163beb92043439f258777fdac62fedf570e4b8cb298a4b72128950ae290e297276d0de22ed

Download Submit
C:\Users\Public\Videos\OBQud8.dat

Filesize
132KB

MD5
6152efa8f8afe22724a626a3ee4936d9

SHA1
5b47f2c6c359a79fe9a8257b6845964102889d14

SHA256
269e7db9d5f6b9a4f14d3e5af166630db4805a9840d48d034e184699bdbcc2af

SHA512
196e402948dd29df4bd352680a75cfda5d83879a57aad4d46471d1239ec694a4d403230fe22e10749afba1f0eb915dbca87a80ea792179597fca8f7c045a0d65

Download Submit
C:\Users\Public\Videos\OBQud8.exe

Filesize
529KB

MD5
49d595ab380b7c7a4cd6916eeb4dfe6f

SHA1
b84649fce92cc0e7a4d25599cc15ffaf312edc0b

SHA256
207d856a56e97f2fdab243742f0cfcd1ba8b5814dc65b3798e54d022ce719661

SHA512
d00ed0d9baae96ccbaf1262b4a4aaf4468e4ace6cebcea81e74d830bf414d9bc61068b8fb0eefa742add14aec47284f3adc11be26c8b8d66bfae4c498f2a4110

Download Submit
C:\Users\Public\Videos\OBQud8.exe

Filesize
529KB

MD5
49d595ab380b7c7a4cd6916eeb4dfe6f

SHA1
b84649fce92cc0e7a4d25599cc15ffaf312edc0b

SHA256
207d856a56e97f2fdab243742f0cfcd1ba8b5814dc65b3798e54d022ce719661

SHA512
d00ed0d9baae96ccbaf1262b4a4aaf4468e4ace6cebcea81e74d830bf414d9bc61068b8fb0eefa742add14aec47284f3adc11be26c8b8d66bfae4c498f2a4110

Download Submit
C:\Users\Public\Videos\OBQud8.exe

Filesize
529KB

MD5
49d595ab380b7c7a4cd6916eeb4dfe6f

SHA1
b84649fce92cc0e7a4d25599cc15ffaf312edc0b

SHA256
207d856a56e97f2fdab243742f0cfcd1ba8b5814dc65b3798e54d022ce719661

SHA512
d00ed0d9baae96ccbaf1262b4a4aaf4468e4ace6cebcea81e74d830bf414d9bc61068b8fb0eefa742add14aec47284f3adc11be26c8b8d66bfae4c498f2a4110

Download Submit
C:\Users\Public\Videos\edge.xml

Filesize
53KB

MD5
cc64e952e00701415a9fc38844d054b5

SHA1
331167ddde024b33b7e6a54fb0bf8ec3d9ea43c4

SHA256
934df4d84704ea31a3846220a044366be6b2acbb9b4f3e968d6f2e1cacd90914

SHA512
16d10454707df89e2cb3a7578bed7e40f13954bacb1b56e9ed73b6af840fa0f9c4cdcc828cd1704e9c9fb10b03a1a148878a6d62e518867e19bba4a8c6adf2bb

Download Submit
memory/620-13-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/620-39-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/620-42-0x00000000037B0000-0x00000000037C2000-memory.dmp

Filesize
72KB

Download
memory/620-44-0x0000000010000000-0x0000000010061000-memory.dmp

Filesize
388KB

Download
memory/620-55-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download