Analysis

  • max time kernel
    156s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/12/2023, 14:09

General

  • Target

    74803c97b5e6054b511e635cbfd39141.exe

  • Size

    460KB

  • MD5

    74803c97b5e6054b511e635cbfd39141

  • SHA1

    416bf634b6783737e54c11d82fcd48533a3307de

  • SHA256

    5be35a8bdb8e5f368f3a4637b23cfc7434fc422af605b87d36c01ff6c9bf76b6

  • SHA512

    36ba2d1e751ead945c2c49a5f921f8e407f556c190cbe38ff6f4841536587cc47336f252adfb410eb678349305586fd6047e7c2fb3698c503452d15fd3832968

  • SSDEEP

    12288:OlSt6oIHNOhU5O5TYo4XqTig5GSR9CClDDL:OlSt69HNx6T/5xT

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 52 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\74803c97b5e6054b511e635cbfd39141.exe
    "C:\Users\Admin\AppData\Local\Temp\74803c97b5e6054b511e635cbfd39141.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4380
    • C:\Users\Admin\iBdqphzke5.exe
      C:\Users\Admin\iBdqphzke5.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3936
      • C:\Users\Admin\nuozaa.exe
        "C:\Users\Admin\nuozaa.exe"
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4492
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del iBdqphzke5.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1308
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:4640
    • C:\Users\Admin\astat.exe
      C:\Users\Admin\astat.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1404
      • C:\Users\Admin\astat.exe
        "C:\Users\Admin\astat.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:4028
    • C:\Users\Admin\dstat.exe
      C:\Users\Admin\dstat.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2548
    • C:\Users\Admin\fstat.exe
      C:\Users\Admin\fstat.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
          PID:3548
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del 74803c97b5e6054b511e635cbfd39141.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4588
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2188

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\astat.exe

      Filesize

      60KB

      MD5

      87c6498966e3f85fac743c89050aa312

      SHA1

      05c165c34cbfa14e4925c33ace81992b0f50a2b5

      SHA256

      30c8328585e41968aff773da16cedbe590dcefd293c7fa74a69c557ecbf2c3c5

      SHA512

      740f7159ee78f73e57c92e583b8c4f97c5dd49b68b9c321da976d7e318819daa28e8dfc76e95e1e3ccee643dc464324c40b481d1849863e287d826adb577b420

    • C:\Users\Admin\dstat.exe

      Filesize

      36KB

      MD5

      b6da847084e39e0cecf175c32c91b4bb

      SHA1

      fbfd9494fabed5220cdf01866ff088fe7adc535b

      SHA256

      065781e8a55cf59cb926d5950e0039e19b50b1e081023404fbff4d7a32fc9cbe

      SHA512

      59d372ea36904cd48c99f2f34740c22004b35c5e5dada2417813b0463292af19e4aa5ba4552cc443da373e40ba03a1f7906019a567806806f5972c202a31d9d2

    • C:\Users\Admin\fstat.exe

      Filesize

      271KB

      MD5

      34353cf7e1d1b10bcbbcae0745110535

      SHA1

      2fb471681daac6f6d66477b7772025da4f58c508

      SHA256

      b2d7a66e2d10d8943e48d6f3ad75237ff379e82ab0101a620406c4569be1d959

      SHA512

      7404f82abfabd21d6f2a88b55f6f0ff886bb0a1f16a9d45c6883d74daa26451f862a10a78646c549c3a3264ba4bd9fb44949d470493af895973dd05a0ec311e6

    • C:\Users\Admin\iBdqphzke5.exe

      Filesize

      244KB

      MD5

      a4cdb62cf4866a17e742e7e9cc73d237

      SHA1

      30d94f8e872455ac569949ac4c768d0a0cdfbba7

      SHA256

      c741d649bf5b72fbe97470820ce994ce29b153baae14af10c3a2a9adc3098b32

      SHA512

      c4447f95565d3e5dc0ef7712382325280bedf127ac682f85f4043b586afb4188633f2c73277595eb31fe45d992107492f42c82a71f448286a9cb8fac4bfb3671

    • C:\Users\Admin\nuozaa.exe

      Filesize

      244KB

      MD5

      3b283e702627be95ff64c83d2d6b4723

      SHA1

      28a801d2a954582d0d18a57628b1bb8da327fb93

      SHA256

      8fa76c9c541fc0306e4e928db6008b420ef5c1c2ff685a6fce367a4a92204d37

      SHA512

      97ba26eccd90a92b94f49b0ad67e8032cecf62e2d23c6b995ec0fad67f15c935fb5892fee5429c2df92a9988de1211a2537b9db2c6807e7d71ab425ae3ceacd3

    • memory/2692-79-0x0000000002840000-0x0000000002886000-memory.dmp

      Filesize

      280KB

    • memory/2692-76-0x00000000024F0000-0x00000000024F1000-memory.dmp

      Filesize

      4KB

    • memory/2692-77-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

    • memory/2692-78-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

    • memory/2692-80-0x0000000002D10000-0x0000000002D11000-memory.dmp

      Filesize

      4KB

    • memory/2692-81-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

    • memory/2692-82-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

    • memory/2692-83-0x0000000002840000-0x0000000002886000-memory.dmp

      Filesize

      280KB

    • memory/4028-23-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/4028-22-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/4028-20-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/4028-17-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB