eb69742654de8079a24a8d1ebf1973b50849dbf5d21f8e9d920a1cec4138c2ee

Analysis

max time kernel
150s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2023, 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f862158c1fb0f47d50a021d61705c10_exe32.exe
Size

208KB
MD5

3f862158c1fb0f47d50a021d61705c10
SHA1

eca7a0878646529292211d1e9e02d6911c78648c
SHA256

eb69742654de8079a24a8d1ebf1973b50849dbf5d21f8e9d920a1cec4138c2ee
SHA512

6e6f1e75892b1d660389658c09cbf0cafe01740817ced5f414d09993acbc59f25125052e606c506ce230eb1f48808ba9d64fae11fa5ffa50dc4415d2f51a2436
SSDEEP

3072:BzawjZllLtly7pYahUF15ar/i9XEN0y60xVQCGqWAW35I0Dmcur/Dni/14NLthEB:sKZlAFYaqFLa2NENc0xVQS25/EnIQEj1

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	3f862158c1fb0f47d50a021d61705c10_exe32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	BEAKR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	ITUY.exe

Executes dropped EXE 3 IoCs

pid	Process
4940	BEAKR.exe
644	ITUY.exe
2432	YDBSXXL.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\ITUY.exe	BEAKR.exe
File opened for modification	C:\windows\SysWOW64\ITUY.exe	BEAKR.exe
File created	C:\windows\SysWOW64\ITUY.exe.bat	BEAKR.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\windows\BEAKR.exe	3f862158c1fb0f47d50a021d61705c10_exe32.exe
File opened for modification	C:\windows\BEAKR.exe	3f862158c1fb0f47d50a021d61705c10_exe32.exe
File created	C:\windows\BEAKR.exe.bat	3f862158c1fb0f47d50a021d61705c10_exe32.exe
File created	C:\windows\system\YDBSXXL.exe	ITUY.exe
File opened for modification	C:\windows\system\YDBSXXL.exe	ITUY.exe
File created	C:\windows\system\YDBSXXL.exe.bat	ITUY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4352	796	WerFault.exe	36
1212	4940	WerFault.exe	90
2892	644	WerFault.exe	96
4952	2432	WerFault.exe	100

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
796	3f862158c1fb0f47d50a021d61705c10_exe32.exe
796	3f862158c1fb0f47d50a021d61705c10_exe32.exe
4940	BEAKR.exe
4940	BEAKR.exe
644	ITUY.exe
644	ITUY.exe
2432	YDBSXXL.exe
2432	YDBSXXL.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
796	3f862158c1fb0f47d50a021d61705c10_exe32.exe
796	3f862158c1fb0f47d50a021d61705c10_exe32.exe
4940	BEAKR.exe
4940	BEAKR.exe
644	ITUY.exe
644	ITUY.exe
2432	YDBSXXL.exe
2432	YDBSXXL.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 796 wrote to memory of 5080	796	3f862158c1fb0f47d50a021d61705c10_exe32.exe	85
PID 796 wrote to memory of 5080	796	3f862158c1fb0f47d50a021d61705c10_exe32.exe	85
PID 796 wrote to memory of 5080	796	3f862158c1fb0f47d50a021d61705c10_exe32.exe	85
PID 5080 wrote to memory of 4940	5080	cmd.exe	90
PID 5080 wrote to memory of 4940	5080	cmd.exe	90
PID 5080 wrote to memory of 4940	5080	cmd.exe	90
PID 4940 wrote to memory of 2012	4940	BEAKR.exe	92
PID 4940 wrote to memory of 2012	4940	BEAKR.exe	92
PID 4940 wrote to memory of 2012	4940	BEAKR.exe	92
PID 2012 wrote to memory of 644	2012	cmd.exe	96
PID 2012 wrote to memory of 644	2012	cmd.exe	96
PID 2012 wrote to memory of 644	2012	cmd.exe	96
PID 644 wrote to memory of 3648	644	ITUY.exe	97
PID 644 wrote to memory of 3648	644	ITUY.exe	97
PID 644 wrote to memory of 3648	644	ITUY.exe	97
PID 3648 wrote to memory of 2432	3648	cmd.exe	100
PID 3648 wrote to memory of 2432	3648	cmd.exe	100
PID 3648 wrote to memory of 2432	3648	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\3f862158c1fb0f47d50a021d61705c10_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\3f862158c1fb0f47d50a021d61705c10_exe32.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\BEAKR.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\windows\BEAKR.exe
    C:\windows\BEAKR.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ITUY.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2012
    - - C:\windows\SysWOW64\ITUY.exe
        
        C:\windows\system32\ITUY.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:644
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YDBSXXL.exe.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\windows\system\YDBSXXL.exe
        
        C:\windows\system\YDBSXXL.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 844
        8⤵
        Program crash
        
        PID:4952
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 1336
        6⤵
        Program crash
        
        PID:2892
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 972
      4⤵
      Program crash
      PID:1212
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 988
  2⤵
  - Program crash
  PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 796 -ip 796
1⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4940 -ip 4940
1⤵
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 644 -ip 644
1⤵
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2432 -ip 2432
1⤵
PID:3716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\BEAKR.exe

Filesize
208KB

MD5
d40a05a7348c89d0962c5c0e4300148f

SHA1
1317d82bd4a7824d5ac0d58b7b4b26fb907aadac

SHA256
2e3cd64e9c9ff198cb57dbd68d19b642c3dd74cea91daef71de20be978ba46ee

SHA512
67ee56961077de7cbdfea73ff86abe1d2fd612cba1845bd422cef9908a331252cf37fd0f383c32bdf23be7ab5f1b659f16663ae5420fa3978dc89890dc7635d7

Download Submit
C:\Windows\SysWOW64\ITUY.exe

Filesize
208KB

MD5
5b151583f8f0fbb98fafb1565a69967e

SHA1
7f9e22eb1c0943a1bce1d8285ed4e6c5b4226c0b

SHA256
fe5674f7d12b1acb9d5f2811c5c036a960a7cd62a326b4cdb09c8aa3e0ae2f6c

SHA512
1e197292f2684cf4d7d75758add1619329398d6132fbab570edfe7ebf28615b7ce55d7025665f5096e81b7babe68a8915e40fe69db913adc748e73ca6d062935

Download Submit
C:\Windows\SysWOW64\ITUY.exe

Filesize
208KB

MD5
648e7f51d6cda0a0a80286f872ff8e3f

SHA1
f09b2c0afecbe691931cf56fcd4999ee20da9d54

SHA256
3449df94fc550de1bb673cdd0a7d339e26ebfe085a93f63485082d8c60e65bb6

SHA512
501c2b8f97f01d533547994e0f3b2a2f26929c214f002fc69c3a195dfdffb7d47f870523a7dc8c59cabe500f85394a9e9d520a69d37b5145f6afe7517cd44d63

Download Submit
C:\Windows\System\YDBSXXL.exe

Filesize
208KB

MD5
4ae6132a305b376675b7b85044b804dd

SHA1
6c867640569706030ac44d3d937c3f9bcb469b59

SHA256
82a5c0ab949603d32b549e32cd71974c57923e9d62a3f14cc4c5607cb277e81a

SHA512
bd05cecc77f46d988628652c7d5ea8c25176d7c5b137321d9410c9c955aea1728a314a13f437e1de07c6148f631f72728dd36c4da0a8147074485035f1d9c49e

Download Submit
C:\windows\BEAKR.exe

Filesize
208KB

MD5
d40a05a7348c89d0962c5c0e4300148f

SHA1
1317d82bd4a7824d5ac0d58b7b4b26fb907aadac

SHA256
2e3cd64e9c9ff198cb57dbd68d19b642c3dd74cea91daef71de20be978ba46ee

SHA512
67ee56961077de7cbdfea73ff86abe1d2fd612cba1845bd422cef9908a331252cf37fd0f383c32bdf23be7ab5f1b659f16663ae5420fa3978dc89890dc7635d7

Download Submit
C:\windows\BEAKR.exe.bat

Filesize
56B

MD5
6e3e6ed36e68e724e056b984275cc623

SHA1
511521ae53349817c105ed53f09f270f86da0b32

SHA256
7c8779d05fac7837bc29b52fc98d17ac7c001c0189ea19082b1c030be3573bca

SHA512
21ed3a1fa9010b2eb90c59bd3e4bd5b87974b47800bf79382c438d5c17ca475c1f5ff170d123fdc61f777a5a0c72b4c01b833ab37109445cdb4ef6d154d7d8e3

Download Submit
C:\windows\SysWOW64\ITUY.exe

Filesize
208KB

MD5
648e7f51d6cda0a0a80286f872ff8e3f

SHA1
f09b2c0afecbe691931cf56fcd4999ee20da9d54

SHA256
3449df94fc550de1bb673cdd0a7d339e26ebfe085a93f63485082d8c60e65bb6

SHA512
501c2b8f97f01d533547994e0f3b2a2f26929c214f002fc69c3a195dfdffb7d47f870523a7dc8c59cabe500f85394a9e9d520a69d37b5145f6afe7517cd44d63

Download Submit
C:\windows\SysWOW64\ITUY.exe.bat

Filesize
72B

MD5
4e8c83841523b4fd2536fc59b20eecf3

SHA1
c943f4306f6c5c4d78f7ec2b070154ba7334ec26

SHA256
f4e5b502655a971e205c94f63d7b43cd8d269c028287fffb5130c54940936f53

SHA512
46f6ffab03a531c5fa4fa29c39c35b53b6483ceb704c847a3650ced3a1a8de5aad30d7ff25a84e2d084989a61f20fba149661c3010ee8e37d76bce87d21a8cf6

Download Submit
C:\windows\system\YDBSXXL.exe

Filesize
208KB

MD5
4ae6132a305b376675b7b85044b804dd

SHA1
6c867640569706030ac44d3d937c3f9bcb469b59

SHA256
82a5c0ab949603d32b549e32cd71974c57923e9d62a3f14cc4c5607cb277e81a

SHA512
bd05cecc77f46d988628652c7d5ea8c25176d7c5b137321d9410c9c955aea1728a314a13f437e1de07c6148f631f72728dd36c4da0a8147074485035f1d9c49e

Download Submit
C:\windows\system\YDBSXXL.exe.bat

Filesize
74B

MD5
2e550f4e90550ed40c27e51068b07697

SHA1
e00220495111bfda85f5c062ae1578bb5840365b

SHA256
8f3335562e9c6dacda85c404e5585990123f3ffb425693274813e74a6cb2d361

SHA512
07bfe72c6a3bd51c3769689cea510f38fa6836b2e11412e0ebd75d159b1e29ae0151f4a5edc8aed88631ab672c43a17c5301df0be7d55ce168b881f8ada6fcc6

Download Submit
memory/644-22-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/644-35-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/796-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/796-37-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2432-32-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2432-34-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4940-10-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4940-38-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download