8804ed95b878f48682648fcbe9abab838f58448650c69e9ca28a2df30b96c5f1

Analysis

max time kernel
226s
max time network
218s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2023, 19:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7bce2dcf2b621dd0ef74f640c66efb80_exe32.exe
Size

208KB
MD5

7bce2dcf2b621dd0ef74f640c66efb80
SHA1

2878a3d1b155288f1fbf5d4ded04fef5019d422b
SHA256

8804ed95b878f48682648fcbe9abab838f58448650c69e9ca28a2df30b96c5f1
SHA512

b65f3f5959cdc7a083f1a0e25187d2cefe5bc8c2dd06ce16144cbb37faeeaf1dfcb1bb033453d853999c49cdc8261cea7dfa157fccb45a4ceb66a49ef9bbd9e4
SSDEEP

3072:R+RDFU5h+NUgad++AY4XP2wue6feP9PNHkLCT0hQeYjvqKZba4NLthEjQT6j:ReF0Ld++jdRfeP5NQhQRvraQEj1

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	XHIAX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	SQXYEI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	7bce2dcf2b621dd0ef74f640c66efb80_exe32.exe

Executes dropped EXE 3 IoCs

pid	Process
3384	XHIAX.exe
4508	SQXYEI.exe
2868	OUSI.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\XHIAX.exe	7bce2dcf2b621dd0ef74f640c66efb80_exe32.exe
File opened for modification	C:\windows\SysWOW64\XHIAX.exe	7bce2dcf2b621dd0ef74f640c66efb80_exe32.exe
File created	C:\windows\SysWOW64\XHIAX.exe.bat	7bce2dcf2b621dd0ef74f640c66efb80_exe32.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\windows\SQXYEI.exe	XHIAX.exe
File opened for modification	C:\windows\SQXYEI.exe	XHIAX.exe
File created	C:\windows\SQXYEI.exe.bat	XHIAX.exe
File created	C:\windows\OUSI.exe	SQXYEI.exe
File opened for modification	C:\windows\OUSI.exe	SQXYEI.exe
File created	C:\windows\OUSI.exe.bat	SQXYEI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4400	4060	WerFault.exe	80
412	3384	WerFault.exe	87
1624	4508	WerFault.exe	93
4468	2868	WerFault.exe	98

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4060	7bce2dcf2b621dd0ef74f640c66efb80_exe32.exe
4060	7bce2dcf2b621dd0ef74f640c66efb80_exe32.exe
3384	XHIAX.exe
3384	XHIAX.exe
4508	SQXYEI.exe
4508	SQXYEI.exe
2868	OUSI.exe
2868	OUSI.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4060	7bce2dcf2b621dd0ef74f640c66efb80_exe32.exe
4060	7bce2dcf2b621dd0ef74f640c66efb80_exe32.exe
3384	XHIAX.exe
3384	XHIAX.exe
4508	SQXYEI.exe
4508	SQXYEI.exe
2868	OUSI.exe
2868	OUSI.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 2960	4060	7bce2dcf2b621dd0ef74f640c66efb80_exe32.exe	83
PID 4060 wrote to memory of 2960	4060	7bce2dcf2b621dd0ef74f640c66efb80_exe32.exe	83
PID 4060 wrote to memory of 2960	4060	7bce2dcf2b621dd0ef74f640c66efb80_exe32.exe	83
PID 2960 wrote to memory of 3384	2960	cmd.exe	87
PID 2960 wrote to memory of 3384	2960	cmd.exe	87
PID 2960 wrote to memory of 3384	2960	cmd.exe	87
PID 3384 wrote to memory of 3624	3384	XHIAX.exe	89
PID 3384 wrote to memory of 3624	3384	XHIAX.exe	89
PID 3384 wrote to memory of 3624	3384	XHIAX.exe	89
PID 3624 wrote to memory of 4508	3624	cmd.exe	93
PID 3624 wrote to memory of 4508	3624	cmd.exe	93
PID 3624 wrote to memory of 4508	3624	cmd.exe	93
PID 4508 wrote to memory of 3708	4508	SQXYEI.exe	95
PID 4508 wrote to memory of 3708	4508	SQXYEI.exe	95
PID 4508 wrote to memory of 3708	4508	SQXYEI.exe	95
PID 3708 wrote to memory of 2868	3708	cmd.exe	98
PID 3708 wrote to memory of 2868	3708	cmd.exe	98
PID 3708 wrote to memory of 2868	3708	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\7bce2dcf2b621dd0ef74f640c66efb80_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\7bce2dcf2b621dd0ef74f640c66efb80_exe32.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XHIAX.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\windows\SysWOW64\XHIAX.exe
    C:\windows\system32\XHIAX.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3384
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\SQXYEI.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3624
    - - C:\windows\SQXYEI.exe
        
        C:\windows\SQXYEI.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4508
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OUSI.exe.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\windows\OUSI.exe
        
        C:\windows\OUSI.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 844
        8⤵
        Program crash
        
        PID:4468
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 960
        6⤵
        Program crash
        
        PID:1624
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 960
      4⤵
      Program crash
      PID:412
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 984
  2⤵
  - Program crash
  PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4060 -ip 4060
1⤵
PID:2584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3384 -ip 3384
1⤵
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4508 -ip 4508
1⤵
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2868 -ip 2868
1⤵
PID:3852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\OUSI.exe

Filesize
208KB

MD5
f43c8216676c37fcf26aab70aae161ed

SHA1
50f25c82e0b8012f686de4ba685713a7569221e6

SHA256
f1e024b16dc82d760d39e8850f3a9f17c16e2ccc9e7a4c853a67a25ec9bcb67e

SHA512
c7039eaca5bbba281a45233afdad1d26ce66cd76b361d0a5a62908262fcd6817e628ef77aa7548a47b048061c08f98dc2608a712d7a7b3d345831bfac4f56436

Download Submit
C:\Windows\SQXYEI.exe

Filesize
208KB

MD5
5b151583f8f0fbb98fafb1565a69967e

SHA1
7f9e22eb1c0943a1bce1d8285ed4e6c5b4226c0b

SHA256
fe5674f7d12b1acb9d5f2811c5c036a960a7cd62a326b4cdb09c8aa3e0ae2f6c

SHA512
1e197292f2684cf4d7d75758add1619329398d6132fbab570edfe7ebf28615b7ce55d7025665f5096e81b7babe68a8915e40fe69db913adc748e73ca6d062935

Download Submit
C:\Windows\SQXYEI.exe

Filesize
208KB

MD5
e9d85dd8828927bfb3838d67f0acddfc

SHA1
fe7facbfb4958c94fbb7b5d431ef2b3da5cb6b81

SHA256
0b9c66ff1e361a0a220e1176c40c17a80ab4b389414fe6f2ee31d331d9fde10e

SHA512
818f5aafada3715a0500b9cdd9aea6e101ef39553ba6172dcfbcb12972da4914ec52489a2a4cfdde5224963dc15bc501f65322f5e8c826c303e4f3b63cba100c

Download Submit
C:\Windows\SysWOW64\XHIAX.exe

Filesize
208KB

MD5
8c78d9a0c6caca284aec05d43da50332

SHA1
14763f4376f64a20cd079e249759cbb8fec7c1d1

SHA256
14060b25f00539fe5008bf595d83a9c2f75a0a45b26a7f0e6605891919ff85b7

SHA512
bfb9f094ac155c39d511ed41cbaa748481ee2093e8879f515dd6abced4ba0474a67b59429060ab76ed2885c2b24ecd9ef220f1f4f5b191267933ffeb5f8b7c50

Download Submit
C:\windows\OUSI.exe

Filesize
208KB

MD5
f43c8216676c37fcf26aab70aae161ed

SHA1
50f25c82e0b8012f686de4ba685713a7569221e6

SHA256
f1e024b16dc82d760d39e8850f3a9f17c16e2ccc9e7a4c853a67a25ec9bcb67e

SHA512
c7039eaca5bbba281a45233afdad1d26ce66cd76b361d0a5a62908262fcd6817e628ef77aa7548a47b048061c08f98dc2608a712d7a7b3d345831bfac4f56436

Download Submit
C:\windows\OUSI.exe.bat

Filesize
54B

MD5
bdbfe06f5f881eea9fc8dcaa639cb0a1

SHA1
81877501f39b78e96a52b7cd8227530401e3a8e9

SHA256
54e3c4b3af25f20373a1b014f838998f66dd433bff24dd3e3143da4e80809b60

SHA512
711771f882d5f1d23d27f755326c4bd233fc3e065993fd79a22cac20af7b606c9009664fd785c06e1d86b9ec4b0218623dbbf69c94b07142d21908addd044ade

Download Submit
C:\windows\SQXYEI.exe

Filesize
208KB

MD5
e9d85dd8828927bfb3838d67f0acddfc

SHA1
fe7facbfb4958c94fbb7b5d431ef2b3da5cb6b81

SHA256
0b9c66ff1e361a0a220e1176c40c17a80ab4b389414fe6f2ee31d331d9fde10e

SHA512
818f5aafada3715a0500b9cdd9aea6e101ef39553ba6172dcfbcb12972da4914ec52489a2a4cfdde5224963dc15bc501f65322f5e8c826c303e4f3b63cba100c

Download Submit
C:\windows\SQXYEI.exe.bat

Filesize
58B

MD5
07209b519389285aac2abe2d1ecd5f30

SHA1
c5582cdeab2d3331ba8c706a125335f1b7ebb047

SHA256
45acb3086beecc61a6bdf85d0d528ea1ce8bf9e1da024a841a84663ac9860280

SHA512
3571a85eda77ab9bf043d70780d559314172ff5f668c53475f537e9727489f70f4aa1caf18964bcd74a6980bf81863a41b7780b23c58dcbab7ce505c2f3a0884

Download Submit
C:\windows\SysWOW64\XHIAX.exe

Filesize
208KB

MD5
8c78d9a0c6caca284aec05d43da50332

SHA1
14763f4376f64a20cd079e249759cbb8fec7c1d1

SHA256
14060b25f00539fe5008bf595d83a9c2f75a0a45b26a7f0e6605891919ff85b7

SHA512
bfb9f094ac155c39d511ed41cbaa748481ee2093e8879f515dd6abced4ba0474a67b59429060ab76ed2885c2b24ecd9ef220f1f4f5b191267933ffeb5f8b7c50

Download Submit
C:\windows\SysWOW64\XHIAX.exe.bat

Filesize
74B

MD5
f5fa152f89e89facaba1108845f12de0

SHA1
ad13d41da037574d2c01e4f12568db565214db73

SHA256
d53bfd9f2d3cbe0a919d62e3f37e41936406202f1985edcd50e9f3def3599c3c

SHA512
233ac79bb2da56204b838f9f0eaf17f154f18f3b276b78d362359f5d8411499883f5652ceafecab9b150642cf36bedb05ae164511b4f10d6935db95cf86bfcd7

Download Submit
memory/2868-32-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2868-35-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3384-10-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3384-34-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4060-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4060-36-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4508-21-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4508-37-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download