Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-12-2023 18:24

General

  • Target

    344ec240e92c10cd118756f32f6e8a45.exe

  • Size

    14KB

  • MD5

    344ec240e92c10cd118756f32f6e8a45

  • SHA1

    23a2f55d3fdea9c25ba28d5f4f8315388ce2602f

  • SHA256

    17efa12c19fb9dd9c6d3a362d496a9ec8e46edc5a6d40400f81e9369964e940e

  • SHA512

    8278d38f65c76b351220b9504b2b8c41ee0f4453cbbb8a0faad2c91ee0fda6cd4b5d39bf2c5e03b6fa563277ccea9b13a446fb43fba313d02f85a8de2ac0d247

  • SSDEEP

    384:Sssn7bCcz/74aNJawcudoD7UjlvceM4mhJ:7sn7b9/NnbcuyD7Ut8J

Score
7/10
upx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
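
The "UPX packed file" signature above is a static check against the sample's PE section table. The following Python is an added example, not part of the sandbox output: it walks the PE headers (DOS stub, PE signature, COFF header, section table) and flags the section names stock UPX writes. It builds a synthetic PE fixture inline instead of touching the sample, and never maps or executes anything. Caveat: modified UPX builds rename their sections, so a negative result from this name check is not evidence of an unpacked file; the report's own signature covers "UPX/modified UPX" and is broader than what is shown here.

```python
import struct
from typing import List

# Section names written by stock UPX. Modified builds often rename them, so
# absence is not proof the file is unpacked.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}


def pe_section_names(data: bytes) -> List[bytes]:
    """Return the section names of a PE image in section-table order.

    Only headers are parsed; nothing is mapped or executed, so this is safe
    to run on hostile input. Raises ValueError on malformed headers.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsec, _ts, _symtab, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff
    )
    section_table = coff + 20 + opt_size
    names = []
    for i in range(nsec):
        off = section_table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """True if any section carries a stock UPX name (renamed variants are missed)."""
    return any(name in UPX_SECTION_NAMES for name in pe_section_names(data))


def build_test_pe(section_names: List[bytes]) -> bytes:
    """Construct a minimal, non-runnable PE32 header with the given section names.

    Synthetic fixture for exercising the parser; not derived from the sample.
    """
    e_lfanew = 0x40
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0  # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    optional = bytes(opt_size)
    sections = b"".join(name.ljust(8, b"\0") + bytes(32) for name in section_names)
    return bytes(dos) + b"PE\0\0" + coff + optional + sections


if __name__ == "__main__":
    packed = build_test_pe([b"UPX0", b"UPX1", b".rsrc"])
    plain = build_test_pe([b".text", b".rdata", b".data"])
    print("packed fixture:", pe_section_names(packed), looks_upx_packed(packed))
    print("plain fixture: ", pe_section_names(plain), looks_upx_packed(plain))
```

To run this against a real file, read it with `open(path, "rb").read()` and pass the bytes to `looks_upx_packed`; pair the name check with an entropy or import-table check before concluding a file is not packed.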

Processes

  • C:\Users\Admin\AppData\Local\Temp\344ec240e92c10cd118756f32f6e8a45.exe
    "C:\Users\Admin\AppData\Local\Temp\344ec240e92c10cd118756f32f6e8a45.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3616
    • C:\Users\Admin\AppData\Local\Temp\4D35.tmp\b2e.exe
      "C:\Users\Admin\AppData\Local\Temp\4D35.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\4D35.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\344ec240e92c10cd118756f32f6e8a45.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3544
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4E2F.tmp\batfile.bat" "
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ads.regiedepub.com/cgi-bin/advert/getads?x_dp_id=433
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1924
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,8232554712133050980,14144654669873970052,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
        3⤵
        PID:5092
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8232554712133050980,14144654669873970052,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
        3⤵
        PID:5008
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8232554712133050980,14144654669873970052,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
        3⤵
        PID:3732
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,8232554712133050980,14144654669873970052,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2900
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,8232554712133050980,14144654669873970052,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
        3⤵
        PID:2728
      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,8232554712133050980,14144654669873970052,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1440
      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,8232554712133050980,14144654669873970052,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
        3⤵
        PID:4628
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8232554712133050980,14144654669873970052,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
        3⤵
        PID:1668
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8232554712133050980,14144654669873970052,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:1
        3⤵
        PID:2684
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8232554712133050980,14144654669873970052,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
        3⤵
        PID:3488
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8232554712133050980,14144654669873970052,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
        3⤵
        PID:3648
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8232554712133050980,14144654669873970052,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
        3⤵
        PID:4808
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,8232554712133050980,14144654669873970052,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2776 /prefetch:2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:856
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbb24f46f8,0x7ffbb24f4708,0x7ffbb24f4718
    1⤵
    PID:5080
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3284
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:664
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
    1⤵
    PID:4348
  • C:\Windows\System32\sihclient.exe
    C:\Windows\System32\sihclient.exe /cv EqNy3KSPkEW9+v45y1ktMw.0.1
    1⤵
    PID:2684
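
The chain in the tree above is short: the 14KB sample drops and runs b2e.exe from a %TEMP% subfolder, cmd.exe runs batfile.bat from another %TEMP% subfolder, that batch opens Edge on an ad URL, and a second cmd.exe runs selfdel0.bat to clean up. The b2e.exe stub name and the batch-driven flow are consistent with a script converted by a Bat-To-Exe style wrapper, though the report does not name the tool. The following Python is an added triage example, not part of the sandbox output: it encodes those behaviours as checks over process records. The records are reconstructed from the tree above and abbreviated (one Edge child stands in for the renderer/GPU processes); the two cmd.exe instances are given no parent because the report shows them at the top level.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Behaviours visible in the report's process tree, expressed as patterns.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
BAT_RE = re.compile(r"\.bat\b", re.I)
SELFDEL_RE = re.compile(r"\\selfdel\d*\.bat\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"]+", re.I)
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}


@dataclass(frozen=True)
class Proc:
    pid: int
    parent: Optional[int]  # None when the report shows the process at top level
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def triage(procs: List[Proc]) -> List[Tuple[str, int, str]]:
    """Return (finding, pid, evidence) tuples for the dropper/batch chain."""
    by_pid = {p.pid: p for p in procs}
    findings: List[Tuple[str, int, str]] = []
    for p in procs:
        parent = by_pid.get(p.parent) if p.parent is not None else None
        # Executes dropped EXE: a %TEMP% image spawned by another %TEMP% image.
        if parent and TEMP_RE.search(p.image) and TEMP_RE.search(parent.image):
            findings.append(("dropped_exe_executed", p.pid, p.image))
        # cmd.exe /c running a batch file staged in %TEMP%.
        if p.name == "cmd.exe" and BAT_RE.search(p.cmdline) and TEMP_RE.search(p.cmdline):
            findings.append(("cmd_runs_temp_bat", p.pid, p.cmdline))
            if SELFDEL_RE.search(p.cmdline):
                findings.append(("self_delete_batch", p.pid, p.cmdline))
        # A browser started by the batch interpreter with a URL on its command line.
        if p.name in BROWSERS and parent and parent.name == "cmd.exe":
            m = URL_RE.search(p.cmdline)
            findings.append(("browser_opened_by_batch", p.pid, m.group(0) if m else p.cmdline))
    return findings


# Constructed fixture: records reconstructed from the report's process tree.
SAMPLE_TREE = [
    Proc(3616, None,
         r"C:\Users\Admin\AppData\Local\Temp\344ec240e92c10cd118756f32f6e8a45.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\344ec240e92c10cd118756f32f6e8a45.exe"'),
    Proc(3544, 3616,
         r"C:\Users\Admin\AppData\Local\Temp\4D35.tmp\b2e.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\4D35.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\4D35.tmp\b2e.exe '
         r'C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\344ec240e92c10cd118756f32f6e8a45.exe"'),
    Proc(1684, None,
         r"C:\Windows\SysWOW64\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4E2F.tmp\batfile.bat" "'),
    Proc(1924, 1684,
         r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
         r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument '
         r"http://ads.regiedepub.com/cgi-bin/advert/getads?x_dp_id=433"),
    Proc(5008, 1924,
         r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
         r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US'),
    Proc(4348, None,
         r"C:\Windows\SysWOW64\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "'),
    Proc(3284, None, r"C:\Windows\System32\CompPkgSrv.exe", r"C:\Windows\System32\CompPkgSrv.exe -Embedding"),
]


if __name__ == "__main__":
    for finding in triage(SAMPLE_TREE):
        print(finding)
```

The Edge child processes and CompPkgSrv produce no findings, which is the point: the checks key on parent/child relationships and staging paths rather than on process names alone, so legitimate browser activity is not flagged unless a batch interpreter launched it.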

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 1386433ecc349475d39fb1e4f9e149a0
    SHA1: f04f71ac77cb30f1d04fd16d42852322a8b2680f
    SHA256: a7c79320a37d3516823f533e0ca73ed54fc4cdade9999b9827d06ea9f8916bbc
    SHA512: fcd5449c58ead25955d01739929c42ffc89b9007bc2c8779c05271f2d053be66e05414c410738c35572ef31811aff908e7fe3dd7a9cef33c27acb308a420280e

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4600867d-07c8-494e-9a8a-cf6254c738ff.tmp
    Filesize: 6KB
    MD5: 4463b796ffa79b1420095145deb673c6
    SHA1: f4aded6adf32689280ac4418c0427e321d772d15
    SHA256: bb301a6dbe93cc5959ea92fa971f735424d90a076512fa05c1fe121ede1477ec
    SHA512: 7c897c3da83239469066a7bdcaf24e05871b88cecc5fd1701f985f1b0f094fb686f352040981cfcf841f3715f3928a577b964f772370ad58f92a987ddc18d093

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize: 120B
    MD5: bd4cc1d2e2fb7154526053b4ab2a8b13
    SHA1: 42002a1871b68f4eb8a7f2be22c3ca4c10d96b38
    SHA256: ac921e619d7e49d4eeffdf022aaeb42f7beb7d225c24d0684591a7c7896dabc6
    SHA512: 91354a2ade0bb8bd3755426c295305281631af4be453bc9649d38bad0bd09857f135414c9a1aebe16e4a19f50b14400cb9774fcb55e0bde8e48f6b02aafbbb30

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize: 1KB
    MD5: 6d1f41d58c75ac5484d83faf176d409d
    SHA1: d1eadd13949498cb551b419f07e78e05ab4ab636
    SHA256: 2c4ecd99347f49d02e7529aa5f217bd50079bec6ef8a3a0006f6ccc7ac89c8e9
    SHA512: 7f97298036883d955f9a3029187034d98da18490d2b186cdd2573dca016ed01291a8987ed8b93f5dc361f010ee47f2593ca0cfd40b1f529e4fdbcf1548de97c9

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: 58e4df2fa43a318e3a7f31d628099593
    SHA1: 542563ccb9c0e8b5389408a79531fed601bc5d80
    SHA256: 46fb7d63a40c5a35ed7896882bfe882d30ee760a081a2f18769bb086f21e0452
    SHA512: b8e0d2340a91b002bc16bfda7b2d1cbfae6f62ce837e835155a50ea0da4db33287a50e2ad5a70e169b690b8c5195590c5cc7b93b89987a869ab11b77c4efeafe

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
    Filesize: 24KB
    MD5: e664066e3aa135f185ed1c194b9fa1f8
    SHA1: 358ff3c6ad0580b8ae1e5ef2a89a4e597c2efdc5
    SHA256: 86e595be48dbc768a52d7ea62116036c024093e1302aced8c29dd6a2d9935617
    SHA512: 58710818b5f664006a5aa418da6c8cd3f709c2265bc161f81b9dfe6cdb8304fabaa4ce9deba419fe4281623feeeaa0321f481ae5855d347c6d8cf95968ee905e

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 6752a1d65b201c13b62ea44016eb221f
    SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
    SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
    SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 11KB
    MD5: 11398cadf7552e311f09c4b9468f835c
    SHA1: 36d098dd0e6298bed738c81d3a2f8e010ee05735
    SHA256: e143e570eefc40ad5bf8f25a93c26489fae2bcfca0ff489ed09c237327b6c6da
    SHA512: c8e13e9c1d61c5d4d62d0ff30968e21d26abc6559ac72b5f7133e1324aca740a7bf9f294f1db4141915cd828c41e40eebe707b40b573902c20b7c13402ad785b

  • C:\Users\Admin\AppData\Local\Temp\4D35.tmp\b2e.exe
    Filesize: 8KB
    MD5: 2c74234eacda6e3fb5644e6284c205e5
    SHA1: 758bdcec55755ebb001a5fa6258868e6dd3cf74d
    SHA256: 4b1d9d0a406edcb5e99d88d7e59882fbd6650f6518aa1c6d2134dac3ad914006
    SHA512: c3e1bd7e496174a5da5a33db22a48616452aad1b2f5607ebc0ffd4511da5afa1634b713ea2f488864342b4f451e87f6c1fd25d3bea4ac7bfc382b138049f3992

  • C:\Users\Admin\AppData\Local\Temp\4E2F.tmp\batfile.bat
    Filesize: 78B
    MD5: 9305a3bac8644db5711135490bdce8ad
    SHA1: 7a9581d064602ff34a35b67266239be55f044493
    SHA256: 0c83a05ba8846d0ada490131bd1067bd5d97c3f0ff1214a6d23f24f12835669b
    SHA512: 879a0338464da3eba1ccaea7d947dd54aeec0f1456446c626dea4c60c436d3795fa6eb77a1eba97c50c2b7401701bce3894b9ff815dc44701fe16bcf58f96f14

  • C:\Users\Admin\AppData\Local\Temp\selfdel0.bat
    Filesize: 158B
    MD5: e245324ec5b97664970ec2386cd5e11f
    SHA1: 333d73762c4bc06428cf6ffb378d9de2defa1153
    SHA256: fed624f605e170c4cb7d9181b7ffea31bd3acdf38b8730db1598eb3ab75d0c24
    SHA512: bde97e0acfaecfb31f62d81db3f5522cb9981536ba64704bf7c22311eb9bf92d39ef1f87789f3054ae5777f2918c04af10bacf611f9baeaafcde8d9ab9baccc6

  • memory/3544-11-0x0000000000400000-0x0000000000405000-memory.dmp
    Filesize: 20KB

  • memory/3544-24-0x0000000000400000-0x0000000000405000-memory.dmp
    Filesize: 20KB

  • memory/3616-0-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize: 44KB

  • memory/3616-9-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize: 44KB