245c6a4457f5ef8edb6c90c79881c9bef8eb8877999da32fa85e08a3b73807a4

Analysis

max time kernel
136s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 05:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

094484d195cf080f7a48cb1628a8b83f.exe
Size

175KB
MD5

094484d195cf080f7a48cb1628a8b83f
SHA1

113edfaeba0429577f4c06e1e5a46c21371ca394
SHA256

245c6a4457f5ef8edb6c90c79881c9bef8eb8877999da32fa85e08a3b73807a4
SHA512

9551bb96bdd39af3f2dd372be6c777c181485fba94718f52cd6f931ff914227f9080878e97bfaccec28a9d2dfd3bc8426d08aa95c5529ad3aa9b540f56ed4a63
SSDEEP

3072:wYaQjKnr+mWBmfIOrDcJaJFbT/hZeOOdUJqANgesO0bq:wYaQ8rpWB+IOrxFbNZeOOduNdsO3

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	094484d195cf080f7a48cb1628a8b83f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	update32.exe

Executes dropped EXE 1 IoCs

pid	Process
1048	update32.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\insvc32.exe	094484d195cf080f7a48cb1628a8b83f.exe
File opened for modification	C:\Windows\SysWOW64\insvc32.exe	094484d195cf080f7a48cb1628a8b83f.exe
File created	C:\Windows\SysWOW64\soaction32.dll	094484d195cf080f7a48cb1628a8b83f.exe
File opened for modification	C:\Windows\SysWOW64\soaction32.dll	094484d195cf080f7a48cb1628a8b83f.exe
File created	C:\Windows\SysWOW64\maxsvc32.dll	094484d195cf080f7a48cb1628a8b83f.exe
File opened for modification	C:\Windows\SysWOW64\maxsvc32.dll	094484d195cf080f7a48cb1628a8b83f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5024	094484d195cf080f7a48cb1628a8b83f.exe
5024	094484d195cf080f7a48cb1628a8b83f.exe
5024	094484d195cf080f7a48cb1628a8b83f.exe
5024	094484d195cf080f7a48cb1628a8b83f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5024	094484d195cf080f7a48cb1628a8b83f.exe
Token: SeDebugPrivilege	1048	update32.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 616	5024	094484d195cf080f7a48cb1628a8b83f.exe	7
PID 5024 wrote to memory of 1048	5024	094484d195cf080f7a48cb1628a8b83f.exe	91
PID 5024 wrote to memory of 1048	5024	094484d195cf080f7a48cb1628a8b83f.exe	91
PID 5024 wrote to memory of 1048	5024	094484d195cf080f7a48cb1628a8b83f.exe	91
PID 5024 wrote to memory of 844	5024	094484d195cf080f7a48cb1628a8b83f.exe	93
PID 5024 wrote to memory of 844	5024	094484d195cf080f7a48cb1628a8b83f.exe	93
PID 5024 wrote to memory of 844	5024	094484d195cf080f7a48cb1628a8b83f.exe	93
PID 1048 wrote to memory of 2312	1048	update32.exe	95
PID 1048 wrote to memory of 2312	1048	update32.exe	95
PID 1048 wrote to memory of 2312	1048	update32.exe	95

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616

C:\Users\Admin\AppData\Local\Temp\094484d195cf080f7a48cb1628a8b83f.exe
"C:\Users\Admin\AppData\Local\Temp\094484d195cf080f7a48cb1628a8b83f.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Users\Admin\AppData\Local\Temp\update32.exe
  "C:\Users\Admin\AppData\Local\Temp\update32.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_unins_u32.bat" "
    3⤵
    PID:2312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_unins_mxz.bat" "
  2⤵
  PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_unins_mxz.bat

Filesize
368B

MD5
23ea4c2aa7858da601eeb5002f9d5d50

SHA1
3739b9446f803dc217b557f57af8185e463d380a

SHA256
1b9be9fe6eef0fb77dc673ce294275da963a93866ee0d7f33c231b3b694d9aea

SHA512
15501bb4b8edfa6104edfbba80914b85801cf3290065035b0eef5e2cd39c7dc90cc3fd473427938dc59d11f2ac9ff9d9213488701393ea986ae8a202a1554d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_unins_u32.bat

Filesize
188B

MD5
2c7320344b59eaafc488717a9e8dac7e

SHA1
7cf56b082438ffd9371bc23277ef32fa006e5e3c

SHA256
5d9a36bca8f9f21180c9f33875a339b07414f0cb2d5aed2d43240f82da2f4ea2

SHA512
f7536383656a57b045e58f8781b98e8e1c8f9b83ef0abf579fd3796c0e0f708a6f2aff2b40db16ddde44c7db424f53830fdd57bd36e2aa810dfa031650076b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\update32.exe

Filesize
40KB

MD5
261c97e888a34ed09c2b36680a93b21f

SHA1
a76741edd8a83f8a9256423e1b04998d3b4693a6

SHA256
194a4ab3acc79736ec61ba1e6f28b3b453e8bfdf0a90afa8faaf5664c321e3fa

SHA512
c633e26fee64f5b3b2e2b6dd2680e5006ef551b1f3ead89e8f3e597aa74ea2e4f4f4fd4d950a1a1de8ecdb9ca8475c30cc037a8d8bef4c1d09fb851e083762ba

Download Submit