2cc2025a77f77428dc0145b9c1d27a0ba00944dacfefed830796c9d1ea37d5c6

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2023, 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2cc2025a77f77428dc0145b9c1d27a0ba00944dacfefed830796c9d1ea37d5c6.exe
Size

1.1MB
MD5

b3f66a6ba3251b95cdaaa4adbd7595c5
SHA1

ed2881d16575dad2da816772b3c269aabd54c50c
SHA256

2cc2025a77f77428dc0145b9c1d27a0ba00944dacfefed830796c9d1ea37d5c6
SHA512

914b8029ea5521c7ba993ef5088980913eb1d44f5f00deb8268d05d0da580d6d3c163eba2f78ccfb37f451b5db7e96f6d4be9a4ddb86eceedf6bdd394f6efc56
SSDEEP

12288:ZEmC92VnpahSR7BwkASR49lkQHMIWnDp2f47z4PUUhyVb4yDKUgM03qcmT1Pd2K8:ZEF96C6BwkP2lsl8fEQemdM03zmT1Pe

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	2cc2025a77f77428dc0145b9c1d27a0ba00944dacfefed830796c9d1ea37d5c6.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1080-0-0x0000000000150000-0x000000000028C000-memory.dmp	upx
behavioral2/memory/1080-35-0x0000000000150000-0x000000000028C000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\DFDWizQpN.sys	MRINFO.EXE
File created	C:\Windows\System32\Windows.Internal.CapturePicker7AH9.sys	MRINFO.EXE
File created	C:\Windows\System32\devrtl2Ih.sys	MRINFO.EXE
File created	C:\Windows\System32\Windows.Graphics.PrintingKoj.sys	MRINFO.EXE

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowRedSystem83.log	MRINFO.EXE
File opened for modification	C:\Windows\WindowsShell31411.log	2cc2025a77f77428dc0145b9c1d27a0ba00944dacfefed830796c9d1ea37d5c6.exe
File opened for modification	C:\Windows\WindowSystemNewUpdate43.log	typeperf.exe
File opened for modification	C:\Windows\WindowsShell52877.log	typeperf.exe
File opened for modification	C:\Windows\WindowSystemNewUpdate718.log	typeperf.exe
File opened for modification	C:\Windows\WindowTerminalVaild45.log	typeperf.exe
File opened for modification	C:\Windows\WindowMicrosoftNET843.log	typeperf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
640	Process not Found
640	Process not Found
640	Process not Found
640	Process not Found

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1080	2cc2025a77f77428dc0145b9c1d27a0ba00944dacfefed830796c9d1ea37d5c6.exe
Token: SeDebugPrivilege	3960	typeperf.exe
Token: SeIncBasePriorityPrivilege	1080	2cc2025a77f77428dc0145b9c1d27a0ba00944dacfefed830796c9d1ea37d5c6.exe
Token: SeDebugPrivilege	3960	typeperf.exe
Token: SeDebugPrivilege	3960	typeperf.exe
Token: SeDebugPrivilege	3960	typeperf.exe
Token: SeDebugPrivilege	3960	typeperf.exe
Token: SeDebugPrivilege	3960	typeperf.exe
Token: SeDebugPrivilege	3960	typeperf.exe
Token: SeDebugPrivilege	4076	MRINFO.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 3960	1080	2cc2025a77f77428dc0145b9c1d27a0ba00944dacfefed830796c9d1ea37d5c6.exe	89
PID 1080 wrote to memory of 3960	1080	2cc2025a77f77428dc0145b9c1d27a0ba00944dacfefed830796c9d1ea37d5c6.exe	89
PID 1080 wrote to memory of 3960	1080	2cc2025a77f77428dc0145b9c1d27a0ba00944dacfefed830796c9d1ea37d5c6.exe	89
PID 1080 wrote to memory of 3960	1080	2cc2025a77f77428dc0145b9c1d27a0ba00944dacfefed830796c9d1ea37d5c6.exe	89
PID 1080 wrote to memory of 3960	1080	2cc2025a77f77428dc0145b9c1d27a0ba00944dacfefed830796c9d1ea37d5c6.exe	89
PID 1080 wrote to memory of 3960	1080	2cc2025a77f77428dc0145b9c1d27a0ba00944dacfefed830796c9d1ea37d5c6.exe	89
PID 1080 wrote to memory of 872	1080	2cc2025a77f77428dc0145b9c1d27a0ba00944dacfefed830796c9d1ea37d5c6.exe	100
PID 1080 wrote to memory of 872	1080	2cc2025a77f77428dc0145b9c1d27a0ba00944dacfefed830796c9d1ea37d5c6.exe	100
PID 1080 wrote to memory of 872	1080	2cc2025a77f77428dc0145b9c1d27a0ba00944dacfefed830796c9d1ea37d5c6.exe	100
PID 3960 wrote to memory of 3360	3960	typeperf.exe	115
PID 3960 wrote to memory of 3360	3960	typeperf.exe	115
PID 3960 wrote to memory of 3360	3960	typeperf.exe	115
PID 3960 wrote to memory of 3360	3960	typeperf.exe	115
PID 3960 wrote to memory of 3360	3960	typeperf.exe	115
PID 3960 wrote to memory of 3360	3960	typeperf.exe	115
PID 3360 wrote to memory of 4076	3360	user.exe	116
PID 3360 wrote to memory of 4076	3360	user.exe	116
PID 3360 wrote to memory of 4076	3360	user.exe	116
PID 3960 wrote to memory of 4076	3960	typeperf.exe	116
PID 3960 wrote to memory of 4076	3960	typeperf.exe	116
PID 3960 wrote to memory of 4076	3960	typeperf.exe	116

C:\Users\Admin\AppData\Local\Temp\2cc2025a77f77428dc0145b9c1d27a0ba00944dacfefed830796c9d1ea37d5c6.exe
"C:\Users\Admin\AppData\Local\Temp\2cc2025a77f77428dc0145b9c1d27a0ba00944dacfefed830796c9d1ea37d5c6.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\SysWOW64\typeperf.exe
  "C:\Windows\SysWOW64\typeperf.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Windows\SysWOW64\user.exe
    "C:\Windows\SysWOW64\user.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3360
  - - C:\Windows\SysWOW64\MRINFO.EXE
      "C:\Windows\SysWOW64\MRINFO.EXE"
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      PID:4076
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2CC202~1.EXE > nul
  2⤵
  PID:872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\WindowSystemNewUpdate43.log

Filesize
7KB

MD5
398bb65e6520fb9dc4177617f011e69e

SHA1
ab6d0762b8b2163ff9bbbbff45a487d4246d61ff

SHA256
fb6d8478334ae6ea72b799170188cad8573c9baf8a677e58f901f6a01993d5a8

SHA512
e9a3be84c461a96ee533a70304a71e95130b067cbe43fe2812d9d4158537d443f1c00e759c96ae3e48369fba47537f47d8d84533fe481e67f252bba6b2283ff2

Download Submit
memory/1080-35-0x0000000000150000-0x000000000028C000-memory.dmp

Filesize
1.2MB

Download
memory/1080-0-0x0000000000150000-0x000000000028C000-memory.dmp

Filesize
1.2MB

Download
memory/3360-173-0x0000000001420000-0x0000000001444000-memory.dmp

Filesize
144KB

Download
memory/3360-77-0x0000000001420000-0x0000000001444000-memory.dmp

Filesize
144KB

Download
memory/3360-69-0x00000000012C0000-0x00000000012DF000-memory.dmp

Filesize
124KB

Download
memory/3960-42-0x00000000035B0000-0x0000000003ACB000-memory.dmp

Filesize
5.1MB

Download
memory/3960-61-0x0000000003AD0000-0x0000000003BDF000-memory.dmp

Filesize
1.1MB

Download
memory/3960-21-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3960-24-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3960-25-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3960-27-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3960-28-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3960-31-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3960-32-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3960-19-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3960-37-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3960-39-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3960-40-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3960-41-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3960-17-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3960-49-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3960-52-0x0000000003AD0000-0x0000000003BDF000-memory.dmp

Filesize
1.1MB

Download
memory/3960-20-0x0000000000BF0000-0x0000000000C0B000-memory.dmp

Filesize
108KB

Download
memory/3960-64-0x0000000003AD0000-0x0000000003BDF000-memory.dmp

Filesize
1.1MB

Download
memory/3960-65-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3960-66-0x0000000003AD0000-0x0000000003BDF000-memory.dmp

Filesize
1.1MB

Download
memory/3960-8-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3960-68-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3960-72-0x0000000003AD0000-0x0000000003BDF000-memory.dmp

Filesize
1.1MB

Download
memory/3960-70-0x0000000006790000-0x0000000006AF8000-memory.dmp

Filesize
3.4MB

Download
memory/3960-6-0x0000000000BF0000-0x0000000000C0B000-memory.dmp

Filesize
108KB

Download
memory/3960-82-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3960-84-0x0000000006030000-0x0000000006068000-memory.dmp

Filesize
224KB

Download
memory/3960-143-0x0000000008B20000-0x0000000008E62000-memory.dmp

Filesize
3.3MB

Download
memory/3960-146-0x0000000008B20000-0x0000000008E62000-memory.dmp

Filesize
3.3MB

Download
memory/3960-3-0x0000000000BF0000-0x0000000000C0B000-memory.dmp

Filesize
108KB

Download
memory/3960-2-0x0000000000670000-0x000000000077D000-memory.dmp

Filesize
1.1MB

Download
memory/4076-181-0x0000000000040000-0x000000000005B000-memory.dmp

Filesize
108KB

Download
memory/4076-180-0x0000000000400000-0x0000000000A26000-memory.dmp

Filesize
6.1MB

Download
memory/4076-197-0x0000000010000000-0x0000000010619000-memory.dmp

Filesize
6.1MB

Download
memory/4076-199-0x0000000010000000-0x0000000010619000-memory.dmp

Filesize
6.1MB

Download