47d6b422100dd4d6cf86810837a41e3915a593c97399a52f3fc16562d6addf2c

Analysis

max time kernel
151s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2023, 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b83863b916a3a3d41179c974c8316c0_exe32_JC.exe
Size

405KB
MD5

1b83863b916a3a3d41179c974c8316c0
SHA1

42baf8cfae77453b7181b529c62dd69f16df556a
SHA256

47d6b422100dd4d6cf86810837a41e3915a593c97399a52f3fc16562d6addf2c
SHA512

2729d6e570f4a84208df9ae27101d8d6f8868d0377a696454872fac743c33322e534ce064e0b6c83db309786253a52b623037b3e5b10a76f0ea317ca0167fd34
SSDEEP

6144:Llfj4dhMo4GEeBVRot846iQ/5Dc6gvBve/eUsVA8rPpb:LlfsdhMo4BLdQ9c6g5vemNVA2Ppb

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	1b83863b916a3a3d41179c974c8316c0_exe32_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
928	Sysceampugbh.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/640-0-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/640-9-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/files/0x000400000001e7f7-32.dat	upx
behavioral2/files/0x000400000001e7f7-60.dat	upx
behavioral2/files/0x000400000001e7f7-61.dat	upx
behavioral2/memory/640-66-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/928-80-0x0000000000400000-0x0000000000468000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1b83863b916a3a3d41179c974c8316c0_exe32_JC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe
928	Sysceampugbh.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 928	640	1b83863b916a3a3d41179c974c8316c0_exe32_JC.exe	90
PID 640 wrote to memory of 928	640	1b83863b916a3a3d41179c974c8316c0_exe32_JC.exe	90
PID 640 wrote to memory of 928	640	1b83863b916a3a3d41179c974c8316c0_exe32_JC.exe	90

C:\Users\Admin\AppData\Local\Temp\1b83863b916a3a3d41179c974c8316c0_exe32_JC.exe
"C:\Users\Admin\AppData\Local\Temp\1b83863b916a3a3d41179c974c8316c0_exe32_JC.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:640
- C:\Users\Admin\AppData\Local\Temp\Sysceampugbh.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceampugbh.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
1KB

MD5
7233f8178d8baeefaeb773964dc24cac

SHA1
7a02da25c26f65f58bab40f38ceacbc24f0233f4

SHA256
0607262c77ea6796798379bb263adb002cbfc670c26b0217c8a2b0c33e18ea4e

SHA512
986a029904f4a11be9ece251bc0eee5e7f9d9a8e86c7ae25b9406b16d7548724e9939aaab4c7c1ca0e48f48cc4cb449f9969b8f6f908f6c272e5fdc68797f52d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
c84119624f6e48050b67b54386344c56

SHA1
61d27105a60ce4f320b7a5212ef202d465d8b500

SHA256
866ead6e3b5b93179215d7cefb23d57bbc5e7e049b37f871a48e7c3b5661adca

SHA512
ffe1d462741f8714b7fdde28cef63668326ff2c8dc267cf82a31d6ecd2942e04e8cc09206c8c8e978599fb14bddab0a23ab96af9eea1a9df1a970096d03fa2cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_0EFD97AA1ED1EC939D6B2DC09A53FAC0

Filesize
471B

MD5
2babc720c53778b586da518ccd6d22d3

SHA1
7abefb949fb1f5dbdcd2cf7938b850c3b3f786e5

SHA256
f02012968fca9b39db98b8ecb5e35bbc6ea49f08d90fb02f1600d9f4fd7a2c70

SHA512
3a6e8a8ca827f7f4312a041e76910b861ed5593ebe48078969be5ed66427ddc8542bd373a7a977168920e9545a32578b3c79cc8cd06d6c5dc8352ac69f38715b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_810F262D4E1A3C00EAAC386AD696F184

Filesize
471B

MD5
a207d1e94f5c05f1a377fe81a113e7b9

SHA1
49b9e3d14ce9baa8e044408ef8f82eb23ddecc8d

SHA256
cabca97da3cdda2bcad8ba1de55f2fa63ea78de19d71f4b3c3e4a8bec36f4740

SHA512
6265ecc0af38569a8c1d3d3ec104a572f581800454e237f38b130af69df73a07db6772d6abf140fb33368feab0ef24093574bacb64d2b2fb84a4894cd85d3d69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_62869752D223B27BDF86429DD102BA2D

Filesize
1KB

MD5
8fbe3494de9cf496ed8fdb61ae4f3bef

SHA1
ee69bdc8743a33671f20a2a063013db1401b2d13

SHA256
2825da0967f17a4940a3087a5863f81c084666b46dd885f7924ff98f8ba39221

SHA512
0102e9c08e247ef88485cf6d9de44c32b6a2f308ef922ad6453a61709cc4c574c1cdb93dcf2eb869bbd6f389082007ea76750146ef2b34e3dc9a4535f9155459

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
500B

MD5
11d07df02b69451b3ffd3eb51e3a988c

SHA1
e675bceed89c0b50d0b6238b58ca5d81020d6841

SHA256
e32f3a8346832b4f842e57cf5d519e362dd07fca46967f6caa403e4d89c0b257

SHA512
9ce197368631829ca890750dcba971374b0361af6bdef597dfb858c3cb5d9440181e6960c72499f6dd6d5f3023be1f6725904b01f57157efffaac023f790ef28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
20ae9ce66a22e08441412014da5c2bc3

SHA1
f753c588f20a120337ef26347f7b1d67fb7750d7

SHA256
2a073b61bcb0ef205a25a166301813c57a934022013bb31ca7c04ed51019a209

SHA512
165978ee988cc9c5d732ebabdd988996314c0df38d51644c56970adaece8c5eb6ca8df06f96347e5646bfcef530c5ac63a13041bbb7937ed080c1f9f9b2d00c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_0EFD97AA1ED1EC939D6B2DC09A53FAC0

Filesize
402B

MD5
cc1448cb9f0efd225caf67d8a0a37f3a

SHA1
8b9fe6d6fee29e933392c2efecee800952e67739

SHA256
4d62034a836d4a06683570aa841f60d28c88804a22c56c98f81f6fa2a7ceec57

SHA512
c6b8d3617c878dafd3550b92f8c0ffed86bb42bf15bddfbd68febeed30f7a2c758d0b3e6339ebbfa496138fe66b1c8e5391417c51bec3f9a52b2de688a818fe0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_810F262D4E1A3C00EAAC386AD696F184

Filesize
402B

MD5
3da424f70f80cd2edb345b4c4843d5b8

SHA1
43a7ad95629a36ac152ab4f5cf31a5fdf124ba98

SHA256
92e77372e9bed1326c0131cf8794201dffa2fd87bfa265a9eef7d9a70953eee4

SHA512
103cf819333d4284d6bf44b3d444e54f3ea4fa867a66624b401c06019e81d39f4e44ec839ef8625a75e33ec577f88d4ba2d35fb6084ce36d6cb451edfd4b91ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_62869752D223B27BDF86429DD102BA2D

Filesize
532B

MD5
b9b742c162dd9fafbdbdd905dcc1639d

SHA1
a6542b1d3c596bfbd240ef43b8e3fe1613975ac2

SHA256
98d33a0eaa15ee7bb58800f725c8fbe18d8d4ffdc471ad3e717c9b1de6c70c15

SHA512
0ec130d3c6731b29553f3d98a0e0a311e5cfc6bafa666761b71ee98cabe53409024d8884ebb2c702fee53ed8b71ea95c52a9fa8b229f80d7cf17d2ee40ab0d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceampugbh.exe

Filesize
405KB

MD5
09714cb4b8fd29a3dd4d14d2fcf3e079

SHA1
100757854aafe24fe9b370cc60692ea2481e3e9a

SHA256
71c08cac565719efa546c0c6e4f9ce28ca6b3229bdcf7c22d1d748bdd4a13618

SHA512
8aa6cb8bbd4fb9303a7f4fa95ee47770bba7495a3408cd4a9ed3322e4f13468d1da211a9e46019c819bd95a281b57dfb1ece6a220b6407b85818a142b4a49d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceampugbh.exe

Filesize
405KB

MD5
09714cb4b8fd29a3dd4d14d2fcf3e079

SHA1
100757854aafe24fe9b370cc60692ea2481e3e9a

SHA256
71c08cac565719efa546c0c6e4f9ce28ca6b3229bdcf7c22d1d748bdd4a13618

SHA512
8aa6cb8bbd4fb9303a7f4fa95ee47770bba7495a3408cd4a9ed3322e4f13468d1da211a9e46019c819bd95a281b57dfb1ece6a220b6407b85818a142b4a49d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceampugbh.exe

Filesize
405KB

MD5
09714cb4b8fd29a3dd4d14d2fcf3e079

SHA1
100757854aafe24fe9b370cc60692ea2481e3e9a

SHA256
71c08cac565719efa546c0c6e4f9ce28ca6b3229bdcf7c22d1d748bdd4a13618

SHA512
8aa6cb8bbd4fb9303a7f4fa95ee47770bba7495a3408cd4a9ed3322e4f13468d1da211a9e46019c819bd95a281b57dfb1ece6a220b6407b85818a142b4a49d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
79B

MD5
5ba779026c4a9f9ff6c425f0ed1433f4

SHA1
13fc0e1dabf2900128f7ea0b21c5272fa9033995

SHA256
d72eaa23c58b09f34e77bcdc91d805088373d3fce9fd1a19854aca7e3798b7cf

SHA512
1745da4a96f96d6d906b862488a0f5a793629111581139c92d7a707ff2dbe912a6787397cb0f195c232e66d08e1beb4b344b0f7fe5ae6ff83d69a6a3011ad176

Download Submit
memory/640-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/640-66-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/640-9-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/928-80-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download