f31534824d32484e6cb12c5510024fcd08f4a1e85ec768f0a6d2e03471e803af

Analysis

max time kernel
164s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f31534824d32484e6cb12c5510024fcd08f4a1e85ec768f0a6d2e03471e803af.exe
Size

8.1MB
MD5

dae051fd4ab62bb74035eb67b4607e68
SHA1

ec1a59a5bfb51398913e5cdde04e55f3252058c4
SHA256

f31534824d32484e6cb12c5510024fcd08f4a1e85ec768f0a6d2e03471e803af
SHA512

6e5c96b6b1ef296edc1997b136f4ffedb56bc531c429f576d6fd92d5dd71dcce7c661dafc89362b565fb036f60c9e205aa9c12b7c46cc4726e9415854f8b041c
SSDEEP

196608:YJ0fN/+MCkHI/wEHZqxYj5bwOE1Kj3UvIzU:wS/fKNNj5y1Kj34T

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	f31534824d32484e6cb12c5510024fcd08f4a1e85ec768f0a6d2e03471e803af.exe

Executes dropped EXE 1 IoCs

pid	Process
4144	ant_vpn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2560	f31534824d32484e6cb12c5510024fcd08f4a1e85ec768f0a6d2e03471e803af.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2560	f31534824d32484e6cb12c5510024fcd08f4a1e85ec768f0a6d2e03471e803af.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 4144	2560	f31534824d32484e6cb12c5510024fcd08f4a1e85ec768f0a6d2e03471e803af.exe	91
PID 2560 wrote to memory of 4144	2560	f31534824d32484e6cb12c5510024fcd08f4a1e85ec768f0a6d2e03471e803af.exe	91

C:\Users\Admin\AppData\Local\Temp\f31534824d32484e6cb12c5510024fcd08f4a1e85ec768f0a6d2e03471e803af.exe
"C:\Users\Admin\AppData\Local\Temp\f31534824d32484e6cb12c5510024fcd08f4a1e85ec768f0a6d2e03471e803af.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Users\Admin\AppData\Roaming\uzpGS66vI2gwJomstSpxUw\win-x64_Protected\ant_vpn.exe
  "C:\Users\Admin\AppData\Roaming\uzpGS66vI2gwJomstSpxUw\win-x64_Protected\ant_vpn.exe"
  2⤵
  - Executes dropped EXE
  PID:4144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\uzpGS66vI2gwJomstSpxUw\win-x64_Protected\Cloudtoid.Framework.dll

Filesize
61KB

MD5
28560b17bc4b919edfddce9b19cdf6a5

SHA1
17d83871bcff77d9c3384433bd72dfd446d82d41

SHA256
e0bbd808a1f9aad936301bfe5dfe26eee496caf056b4f388cb01b96995aebefb

SHA512
a5ec0209957cc814d50e91c632380fa42de8d9f34900d6038188aea4e2e48d6769bc83077dc9755f01fceebb29ff67a4a0035dccbad952f6815d37d2fdfc2ef0

Download Submit
C:\Users\Admin\AppData\Roaming\uzpGS66vI2gwJomstSpxUw\win-x64_Protected\Cloudtoid.Interprocess.dll

Filesize
25KB

MD5
629cb87fecf1ed35136e9fadffb91b3f

SHA1
d98dd56c1fd031933e2d12e4442741151e4361bf

SHA256
906d2d74f7dcc836565763f6bf2f729e91f4e44d16e2432a0bb19551ccad0fdb

SHA512
b5acccd35baa64c6a1a11c16607f09c5e5e27c862c0a98de935ee768dcfb71987de4cf23cbb561a7eaea9ac813db81124dd47c6f167391482f1ce0ce150eb4bf

Download Submit
C:\Users\Admin\AppData\Roaming\uzpGS66vI2gwJomstSpxUw\win-x64_Protected\CommunityToolkit.Mvvm.dll

Filesize
113KB

MD5
5d012436faf1e4ae6aefc65c2486330c

SHA1
41dcef11e35821327bac6fce436e4f012051f2ea

SHA256
7a4935022e2ddb167518c7fd2894bfb872b2fe55db097865ea6ce06d94f48ee7

SHA512
07999ea9d38f6ba9af305fedaee9fc71a824f36c03e5e881cf7fff673b8718e7167b484fe1d88aed71624baeac4dc3de476cc7607b6c6023848ebaac3e40b337

Download Submit
C:\Users\Admin\AppData\Roaming\uzpGS66vI2gwJomstSpxUw\win-x64_Protected\DeviceId.Windows.Wmi.dll

Filesize
9KB

MD5
3e6143c4d834a17926a9b1bd070d9c95

SHA1
a90aec0197c821e5ad7c00b05298c6cf9aac6abc

SHA256
9c2850ea4b6ac0b7b752552daa5826a1b89f105f63a53d892dc1d157b3322955

SHA512
516af2b09b081609e9b3a7a3d4a0a87f1eb3105d592b62132c4eee7c7954a459a4ae043b39f51cf99da87c178d97ed9bfc9e91a2d43e88ef88a8e2af76276681

Download Submit
C:\Users\Admin\AppData\Roaming\uzpGS66vI2gwJomstSpxUw\win-x64_Protected\DeviceId.Windows.dll

Filesize
6KB

MD5
0203913c80b1d0768ee814ca204b8ca8

SHA1
9b2afec240775c0ec0269da481998d1920e462ed

SHA256
e4a33335d420e9608729264f6467444588ba649d5cc578fbaa84eca352633b11

SHA512
a2215a68007ba310d516d139c7050693154b6b8f07a4078babbd62180c0b4534ca5de011c65d0f57894454fa229ae5c3909ec3aa5e763204b49b5d124c653f6f

Download Submit
C:\Users\Admin\AppData\Roaming\uzpGS66vI2gwJomstSpxUw\win-x64_Protected\DeviceId.dll

Filesize
20KB

MD5
ce16f0b8d0fa6441e0e662ff6b763d3b

SHA1
05547bb5b4b7e040ab093ed3038196d2184ed5f4

SHA256
a711805f77d0f883e57beb36362249f260c7737268f65f0812bf69f2db720225

SHA512
1316e2070451fc6f2753520970d1c68487fb9b9e5a8a7ee3d8c9d046d0f165b53526d9b3de90c0a2eda5ded9267f0699b6f13c9342f3cfbe259d8cc42b651430

Download Submit
C:\Users\Admin\AppData\Roaming\uzpGS66vI2gwJomstSpxUw\win-x64_Protected\Enums.NET.dll

Filesize
125KB

MD5
6cd1fdee39c95f109b78228a6be40e3e

SHA1
2b91d3e09e8596add4cbdada9bbf5a2a448e5738

SHA256
26f6049505d11a4648bbb675f8d08a2fdc06a3b96b7ccfa6c5fe25f35dd6c0cd

SHA512
2bb20aa900c6ba25b6a0eac0f1309621ac244da6dd09a334184e3375ac091226a2daab8da84d6af6486dbc5829b2d9238ca084a0aa338cfe9e54d71dea8eaa2a

Download Submit
C:\Users\Admin\AppData\Roaming\uzpGS66vI2gwJomstSpxUw\win-x64_Protected\MaterialDesignColors.dll

Filesize
296KB

MD5
6070d2f982e115825fa959bcce076736

SHA1
7dc275af8286f343b2d4a7ddd5bb1b0100e2452b

SHA256
c5445ad0a687fa61bda02cd45baac1cfbbad31b6b56529eb9cf47510bae84625

SHA512
7a65dccaf2c4c2ca83b21ac5580b738fb69e3033908515a267a6028c6996ee06e4bf34502cfb3e5c5432d53d12a161bc9445c417d7cd251c1c25792f5a324a2f

Download Submit
C:\Users\Admin\AppData\Roaming\uzpGS66vI2gwJomstSpxUw\win-x64_Protected\MaterialDesignThemes.Wpf.dll

Filesize
349KB

MD5
46666e64534c28021c3c5ffb82ffda77

SHA1
38619f603c6a59e3a3babd28c1722914ec56388c

SHA256
a969048e93e83963ec38594abd24b27337900f46b728cd9e77a1a9947235612b

SHA512
85870e75a7d1bfad184c41ef5d3f5b5272bcae01fcb555a8c4c7c9598edea87909f24e8d5eda9446687a00581d867dc366b59e6351bada4aca1967736311a63e

Download Submit
C:\Users\Admin\AppData\Roaming\uzpGS66vI2gwJomstSpxUw\win-x64_Protected\MessagePack.dll

Filesize
300KB

MD5
5381a45f719c3c3525ebe80af6d83c53

SHA1
60d73536e06258907012056effd18e9a985bedd1

SHA256
3add79408d3e2a3879f83855cd7854a437e46ddc6800ea5048cf344487fb9127

SHA512
c9dc292da75c42a4dc17a3dfad482683f04367b01fc1a9d140439c3770a4dce7aed5adb88b1c54bab27d9b758138fe0031ed7c9992b1bc8976ae23f1f254292f

Download Submit
C:\Users\Admin\AppData\Roaming\uzpGS66vI2gwJomstSpxUw\win-x64_Protected\Microsoft.Extensions.Logging.Abstractions.dll

Filesize
61KB

MD5
27ff815ea3ff2ba1f4fc747c8b6365b0

SHA1
e234aa65a9fcc3384f44535ab8cf81a79c929caa

SHA256
4de2bbf0b5b599e7c8fc0a3bb8570ae93061823c7d1d43129b79ea06c502ea92

SHA512
095dcffc12a89fd75f2e7a9d1bb69426e598c080d65a0e20311de8e44076378ee9ff337d8e5fb0f1d57b0c3333620bb043b18a423b5f2a626a9805c05ce9aa9e

Download Submit
C:\Users\Admin\AppData\Roaming\uzpGS66vI2gwJomstSpxUw\win-x64_Protected\Microsoft.Xaml.Behaviors.dll

Filesize
141KB

MD5
72f8adb8af71cf55ae3fa13afc72e877

SHA1
620b3c526997ae0d07171f14555ed22d58ee3639

SHA256
8f782ad7adfdeeaa933183065aa7a0be9387abce6038e912455e78527b04adca

SHA512
c0d73400b9e55952c1a70b844bdf3fecdd8fc55e3a9920c7f9a30e8def372422dadb2bb716570769037bae98d930c6bd50226f3ba3c255b823edbd67bc429c63

Download Submit
C:\Users\Admin\AppData\Roaming\uzpGS66vI2gwJomstSpxUw\win-x64_Protected\Newtonsoft.Json.dll

Filesize
695KB

MD5
86a83a63f12b55fd3718cfbfb577d7dc

SHA1
3df82ebba50086de83aee27c63255e80f2d73f3b

SHA256
4816c4276f575e4d85b80633a0df2eadf29496fe00bdc33cd7843e61373bde0e

SHA512
ae0eac0477e4b6375b5266297e6503c9206e6327ecb476d3f54022daef92c015b6f33bc9a5423533d869f200ac71793aba14f197bd358a0fdd3129e2c00bec10

Download Submit
C:\Users\Admin\AppData\Roaming\uzpGS66vI2gwJomstSpxUw\win-x64_Protected\OneOf.dll

Filesize
99KB

MD5
79eae1deb676e9eb7176c40c6c36ad3a

SHA1
dd903325e69938992b8cb365b8d64b678e7855f9

SHA256
3f4daf46040dad992ed1cd5268bdeb12b51968e6132eeac62d069b900dca754e

SHA512
d93ab681f123578ae9e23af8b4ec19c5651c7b8ec5ebfd7f931e6b4b86eba543bee1dd51f3a89da2f4e1a24980032206bf7cb52bf1f8d4cb40d48796215e1cb0

Download Submit
C:\Users\Admin\AppData\Roaming\uzpGS66vI2gwJomstSpxUw\win-x64_Protected\RestSharp.dll

Filesize
155KB

MD5
0f35a148008cea4aa8f69673a208e850

SHA1
96a813336ecf61af7519962da8bdab33cc215a1b

SHA256
34a86740252ff0e259dfc006aab903b223aba8712b25d3ee179322633fe82880

SHA512
64973fd4e536b4543d287b1b6a403aac3979afbe9d956ba1007913666febd74c6e5f909cac08b0d6a96c023f8f011ffab05bb0d16eaaedf0ba48025e8f33d10c

Download Submit
C:\Users\Admin\AppData\Roaming\uzpGS66vI2gwJomstSpxUw\win-x64_Protected\Throw.dll

Filesize
43KB

MD5
f6b27f89df8e2d2371493915201fcc66

SHA1
68c37aef00f5ba6a1a567801c53be846e7db3ae3

SHA256
1fec0207047bd06a03237c6931a4cbafda4e6b91720c2cbc1845d6e067f07492

SHA512
ef83b5b87e23e4e0aaf798c259c17452a7b286dcbe63866ff65cc22815be8b44b4854630be237530c821853322d95dc6790c1af61c250227229d0bdc6a959954

Download Submit
C:\Users\Admin\AppData\Roaming\uzpGS66vI2gwJomstSpxUw\win-x64_Protected\ZXing.Windows.Compatibility.dll

Filesize
33KB

MD5
9c991883349f457efb2922cb9c6363e4

SHA1
eb91ee573780ca9f634ddfd12889d3dcd19a7e9e

SHA256
a6e5f4769f6ca69799f6c218c7d08acfa22d001f804dcaf320d7bcc24ede576b

SHA512
6c0e3cf852eac05de5df0dd9915aceeb7d8f1bfec1cd20917aa013a39989b095d99839b231973647f137baf9dc51a12e1f8ebbe7843a1c1930d6f9585edafa95

Download Submit
C:\Users\Admin\AppData\Roaming\uzpGS66vI2gwJomstSpxUw\win-x64_Protected\ant_vpn.deps.json

Filesize
25KB

MD5
fde6e14711ca051d9ce8e6521b186e3e

SHA1
e299d42f375488b9707fb850e380f35acbdc028a

SHA256
ed45fa203075d7254467f62979f836cf623020da647633a6c31ad6f8fa984cad

SHA512
278acb1ee609d18ec2f907a807d8e477bbc4a6268b7bfa22eb2681c77e6f7ef6b2a3a3d1770bdc872cf9f2a27ddc2a113a1ef4def1a3e0e2f64d866e3bec1e3b

Download Submit
C:\Users\Admin\AppData\Roaming\uzpGS66vI2gwJomstSpxUw\win-x64_Protected\ant_vpn.dll

Filesize
2.3MB

MD5
28927e538bb8360bc4a75bbf8d5688b3

SHA1
368799a921cde1d998ac7bbf45f5f0e9699c5c18

SHA256
1fe6c6ca602fc6a304a3a0b280ef7d16cf34915a0b98278f47c120dc10715b8c

SHA512
498b50666e2a0a57f7c45feb3a404b3ab0c3f3753c6bed6c5b9b244b53e98998aa773bacd8a9185a3010accef6d4eb0881eaa921baa57735fee6f668c393c30c

Download Submit
C:\Users\Admin\AppData\Roaming\uzpGS66vI2gwJomstSpxUw\win-x64_Protected\ant_vpn.exe

Filesize
212KB

MD5
923bb6a27839247fde665b46fe70b878

SHA1
6930c235350ae86f34b696c1b96981cfecd57739

SHA256
1663607c09219041da9b84bdaa58722d6229704b1ee0b2b8ced869ea58ae2890

SHA512
15afde33238b90dde07c33526467a8d91449afa7b16b877d47880aae91d8df9a2f1460a2f676d7878c655577c864cdcfb16f30a50f34fa3cda4b6771e9a61709

Download Submit
C:\Users\Admin\AppData\Roaming\uzpGS66vI2gwJomstSpxUw\win-x64_Protected\ant_vpn.runtimeconfig.json

Filesize
372B

MD5
d94cf983fba9ab1bb8a6cb3ad4a48f50

SHA1
04855d8b7a76b7ec74633043ef9986d4500ca63c

SHA256
1eca0f0c70070aa83bb609e4b749b26dcb4409784326032726394722224a098a

SHA512
09a9667d4f4622817116c8bc27d3d481d5d160380a2e19b8944bdd1271a83f718415ce5e6d66e82e36819e575ec1b55f19c45213e0013b877b8d61e6feb9d998

Download Submit
C:\Users\Admin\AppData\Roaming\uzpGS66vI2gwJomstSpxUw\win-x64_Protected\en-US\ant_vpn.resources.dll

Filesize
12KB

MD5
c5eff5d73687ef1ea484ccef5d71ddf2

SHA1
313ffe5db26bdf4da30cd3f86f014c2a04661c7c

SHA256
d7aa34118537a5557140618d7f916ba8a9fdd4e200b0d3edca7eaef6d556794a

SHA512
5ff42b0e486e14ac92d94a4c39596e97b1239c15cf276cba4fd6b54f00b227106d5fa6604236c8cbc009a0cb8e1e9f696da3b05cab0942b695be065e7a78b875

Download Submit
C:\Users\Admin\AppData\Roaming\uzpGS66vI2gwJomstSpxUw\win-x64_Protected\runtimes\win\lib\net6.0\System.Management.dll

Filesize
284KB

MD5
83cda4cc597e6a0b2ebbd1b8f41e94d3

SHA1
10415fa323a21d412eb36e583a98385088065d61

SHA256
aa474c96b9fd17cb3580d89bb8eb716cb1407c89026b5e8180402666eeeb766a

SHA512
ff7d869d416e3c47c082b8bd2d6907bbbe457d17d093cd84f66d42b978d143c088e008388041b440b01f7d82e373dde9b1b5c1acfd9553f98a63fa579d7ec8d2

Download Submit
C:\Users\Admin\AppData\Roaming\uzpGS66vI2gwJomstSpxUw\win-x64_Protected\zxing.dll

Filesize
471KB

MD5
ad1056aa7cc43bafa616b20fba79600e

SHA1
66b06419de5f4437bd4999f5b76d3cf7b5a32169

SHA256
4e645fea88f265f9dc1dbc644f8254fb2922ef36faf06ed9d2a342df89e482fb

SHA512
6dcf6b37d52c495a1881391b2ac242db1ab7b0f1b2c8423f2444c9792f5f5da727f455f29a831bb2ddf4276446d8dc5f0d430d8cf32b53378117a832ee7b67f0

Download Submit
memory/2560-0-0x00007FFE36FF0000-0x00007FFE374EE000-memory.dmp

Filesize
5.0MB

Download
memory/2560-56-0x00007FFE36FF0000-0x00007FFE374EE000-memory.dmp

Filesize
5.0MB

Download
memory/4144-57-0x00007FFE36FF0000-0x00007FFE374EE000-memory.dmp

Filesize
5.0MB

Download
memory/4144-73-0x0000019DE4920000-0x0000019DE4DD8000-memory.dmp

Filesize
4.7MB

Download
memory/4144-51-0x00007FFE36FF0000-0x00007FFE374EE000-memory.dmp

Filesize
5.0MB

Download
memory/4144-63-0x0000019DE4920000-0x0000019DE4DD8000-memory.dmp

Filesize
4.7MB

Download
memory/4144-76-0x0000019DE4920000-0x0000019DE4DD8000-memory.dmp

Filesize
4.7MB

Download
memory/4144-77-0x0000019DE4920000-0x0000019DE4DD8000-memory.dmp

Filesize
4.7MB

Download
memory/4144-78-0x0000019DE4920000-0x0000019DE4DD8000-memory.dmp

Filesize
4.7MB

Download
memory/4144-83-0x0000019DE4920000-0x0000019DE4DD8000-memory.dmp

Filesize
4.7MB

Download
memory/4144-84-0x0000019DE4920000-0x0000019DE4DD8000-memory.dmp

Filesize
4.7MB

Download
memory/4144-85-0x0000019DE4920000-0x0000019DE4DD8000-memory.dmp

Filesize
4.7MB

Download