df7104bd49961e1ae6e3741221e0cb3b5a8744f945533060910a076fe1aadf66

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2023, 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMP-MMO-0208.exe
Size

346KB
MD5

0d6f9bf68f8ddb1be846dfe11dafa819
SHA1

a7e4ab95599e17b43571bc21cd98e0b350dc2c59
SHA256

df7104bd49961e1ae6e3741221e0cb3b5a8744f945533060910a076fe1aadf66
SHA512

bce42022878f77a25342bad3228bf913ba69d1bad09c243f070b19abcf998f44eb37459fc969c657e5d3246923106d546bba16854055ad2180bec120dee7cadb
SSDEEP

6144:qBlL/e2xIR8lf98JrWKq/BViyyAt7lKmeiUC8zhoSSMidXI8sSVHkvD8:Q0EfirXqRgZiSS14lSBkQ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Control Panel\International\Geo\Nation	ymjhh.exe

Executes dropped EXE 2 IoCs

pid	Process
2196	ymjhh.exe
5040	ymjhh.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2196 set thread context of 5040	2196	ymjhh.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe
5040	ymjhh.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2196	ymjhh.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5040	ymjhh.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3608 wrote to memory of 2196	3608	IMP-MMO-0208.exe	84
PID 3608 wrote to memory of 2196	3608	IMP-MMO-0208.exe	84
PID 3608 wrote to memory of 2196	3608	IMP-MMO-0208.exe	84
PID 2196 wrote to memory of 5040	2196	ymjhh.exe	85
PID 2196 wrote to memory of 5040	2196	ymjhh.exe	85
PID 2196 wrote to memory of 5040	2196	ymjhh.exe	85
PID 2196 wrote to memory of 5040	2196	ymjhh.exe	85

C:\Users\Admin\AppData\Local\Temp\IMP-MMO-0208.exe
"C:\Users\Admin\AppData\Local\Temp\IMP-MMO-0208.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3608
- C:\Users\Admin\AppData\Local\Temp\ymjhh.exe
  "C:\Users\Admin\AppData\Local\Temp\ymjhh.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Users\Admin\AppData\Local\Temp\ymjhh.exe
    "C:\Users\Admin\AppData\Local\Temp\ymjhh.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yequkx.g

Filesize
231KB

MD5
9ad02f7fd59d92d047d76946cfcbe49a

SHA1
8f5a1a99438068f5cd1fdd11a86686cac4a2ff2d

SHA256
fdc4cbc5198c6a135353dcfb42581d94a668a8ab55174c1a1771128e88a2f740

SHA512
a29e1d30bec7592868de9138a24c1626fa0a322f335d330f0d7c6300f9c5ec66dc2b6a54084995ef7e73980db5b6fe7cfd1e7c53bdd8497b71a9a384f4a478b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymjhh.exe

Filesize
176KB

MD5
b56ca65f59748ae4066a5ae4989ada3e

SHA1
8954717bfc89a1b8e64b544fc679537206eec65b

SHA256
85206c57b0aeeb7a0ea61106b70e06b75052b003a5b061a00b7cf48b2cecae8e

SHA512
16f2f7aef1585bd9374af01110721ce3ae0b973d4c080032ef98dc1c008f6d493a94d58f6abc4728ec7bcf4f59022c7b9f9bb81d1a10f712a19cd369cf598b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymjhh.exe

Filesize
176KB

MD5
b56ca65f59748ae4066a5ae4989ada3e

SHA1
8954717bfc89a1b8e64b544fc679537206eec65b

SHA256
85206c57b0aeeb7a0ea61106b70e06b75052b003a5b061a00b7cf48b2cecae8e

SHA512
16f2f7aef1585bd9374af01110721ce3ae0b973d4c080032ef98dc1c008f6d493a94d58f6abc4728ec7bcf4f59022c7b9f9bb81d1a10f712a19cd369cf598b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymjhh.exe

Filesize
176KB

MD5
b56ca65f59748ae4066a5ae4989ada3e

SHA1
8954717bfc89a1b8e64b544fc679537206eec65b

SHA256
85206c57b0aeeb7a0ea61106b70e06b75052b003a5b061a00b7cf48b2cecae8e

SHA512
16f2f7aef1585bd9374af01110721ce3ae0b973d4c080032ef98dc1c008f6d493a94d58f6abc4728ec7bcf4f59022c7b9f9bb81d1a10f712a19cd369cf598b80

Download Submit
memory/2196-5-0x0000000000B40000-0x0000000000B42000-memory.dmp

Filesize
8KB

Download
memory/5040-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5040-9-0x00000000016C0000-0x0000000001A0A000-memory.dmp

Filesize
3.3MB

Download
memory/5040-10-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download