e18bd3ad83dd5123a029364e452291303b1b66bbcc9bf1d60d63989a55ffa3ab

Analysis

max time kernel
10s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04799f559840e95554ebd1499c5ac01f.exe
Size

71KB
MD5

04799f559840e95554ebd1499c5ac01f
SHA1

02e52dcc7be027563c34a8d12e2499235623e1cf
SHA256

e18bd3ad83dd5123a029364e452291303b1b66bbcc9bf1d60d63989a55ffa3ab
SHA512

3d1fa9de9c8ad0a6fd52adb517a658f4bade08f9bf04b8a901adc6217eed66ec6bceb0e52f617e83bc8c79e156e1956b9e8a809246f920640c6e6ad43763d314
SSDEEP

1536:pTIbNMomAKd93GIMZEVC0LKkEEa3qYnuq3r9+6:JIbN/KL2IM2VC0/Unuu9D

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	04799f559840e95554ebd1499c5ac01f.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\LiveMeeting\rarExts32.dat	04799f559840e95554ebd1499c5ac01f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 3776	4440	04799f559840e95554ebd1499c5ac01f.exe	96
PID 4440 wrote to memory of 3776	4440	04799f559840e95554ebd1499c5ac01f.exe	96
PID 4440 wrote to memory of 3776	4440	04799f559840e95554ebd1499c5ac01f.exe	96
PID 4440 wrote to memory of 1732	4440	04799f559840e95554ebd1499c5ac01f.exe	97
PID 4440 wrote to memory of 1732	4440	04799f559840e95554ebd1499c5ac01f.exe	97
PID 4440 wrote to memory of 1732	4440	04799f559840e95554ebd1499c5ac01f.exe	97
PID 4440 wrote to memory of 4504	4440	04799f559840e95554ebd1499c5ac01f.exe	101
PID 4440 wrote to memory of 4504	4440	04799f559840e95554ebd1499c5ac01f.exe	101
PID 4440 wrote to memory of 4504	4440	04799f559840e95554ebd1499c5ac01f.exe	101

C:\Users\Admin\AppData\Local\Temp\04799f559840e95554ebd1499c5ac01f.exe
"C:\Users\Admin\AppData\Local\Temp\04799f559840e95554ebd1499c5ac01f.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_xz_file.bat" "
  2⤵
  PID:3776
- - C:\Users\Admin\AppData\Local\Temp\xzz8751.tmp
    C:\Users\Admin\AppData\Local\Temp\xzz8751.tmp
    3⤵
    PID:540
  - - C:\Windows\SysWOW64\clientex.exe
      "C:\Windows\system32\clientex.exe"
      4⤵
      PID:4068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
  2⤵
  PID:1732
- - C:\Users\Admin\AppData\Local\Temp\inl76E5.tmp
    C:\Users\Admin\AppData\Local\Temp\inl76E5.tmp ojj-gmlpo.tmp
    3⤵
    PID:3632
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl76E5.tmp > nul
      4⤵
      PID:1376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_deskurl_cab.bat" "
  2⤵
  PID:1480
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\desktop_url.cab" -F:*.* "C:\Users\Admin\Desktop"
    3⤵
    PID:2228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
  2⤵
  PID:4504
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
    3⤵
    PID:3944
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://tc.92mh.com/
  2⤵
  PID:4220
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4220 CREDAT:17410 /prefetch:2
    3⤵
    PID:4360
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\04799F~1.EXE > nul
  2⤵
  PID:3824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\M4T5ISGA\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\inl76E5.tmp

Filesize
1.7MB

MD5
6363dd8dd5f399c1e92e55ca38f47943

SHA1
e8894f2bed42bf562def494d6c28a12add8f409b

SHA256
31c3811138b0c65423040b0f0d529d4f18c69517fb7f5669c2fc09d2da4cc21d

SHA512
905b421e694870050d2db3e24fc2f00990247bdd694f4ae91228af764c0824d2696f6fca38392903f39bd2ba05b24d54e80ffbd6123507e12507b0dd44634e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\inl76E5.tmp

Filesize
1.4MB

MD5
24757346e634c070fc4cbedff17e5b69

SHA1
f9b00bcda947783ed882444b8ede3050df43b555

SHA256
be49af5990521c230b7b03c82fa3e87ccd43c8523e2f21580c24b6f3afa7f909

SHA512
e1e380b265acba5e2beb268e758fae99544a2885213d09ed62a6cfc3aaa003995f09021197f1835f38befbadd859fc227a0bd42b12cf4b71fa0c76cb193c2aaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ojj-gmlpo.tmp

Filesize
827B

MD5
8402f7f8b94dc53aa00d2dcc5e4e2266

SHA1
f59d5b7933ce97060c300d4904acab7bcbebe1eb

SHA256
e90f33a4378ffe38d85cb23b85815014f0d1a7f9c187fe57fd5a50420a42ede5

SHA512
65526c76aaeefe8ea882721b47d609ceeea6b35fa5387ef95584b9ab1f7901c30748566d1c796dceb91b5e51563f187d256f83f4de7ae0e6099e48d84d7f7470

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat

Filesize
59B

MD5
2106375698a09706cb5b0976d5e11973

SHA1
de40ac99c02481062d8c3e6b9d25e34218337e47

SHA256
84ec157253c5a5db50ff023f0244174efab983983cb43c979016a4fa884863a6

SHA512
5dacc892b8b98d7d2f0dc41a37779f72b3cd13d346b304d6eecc162bc3bcaa2bf3ceaab7dd8cae595ba2c4cbdd7e3ba0be8599f772859877ff6d584444d0be99

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_xz_file.bat

Filesize
45B

MD5
1398307d0ea95d2a3d0e11fd8aeba4ce

SHA1
7a50ea035832fac3426aabb8e0ea5112bdd5b8bf

SHA256
d3c336da0a5e20acac5c882cc4caea7be8ad6402fa80476ac9fea7dfbf317c69

SHA512
8785b46506bf857f1bbc691bdbf886bbaeca6d8fb0cf18c1850eb6b4ce21690c8e07ee26c71047514ed27b1eb89cddfc0c830044c36b30a89867d07fb4064e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_deskurl_cab.bat

Filesize
94B

MD5
d5fc3a9ec15a6302543438928c29e284

SHA1
fd4199e543f683a8830a88f8ac0d0f001952b506

SHA256
b2160315eb2f3bcb2e7601e0ce7fbb4ed72094b891d3db3b5119b07eeccc568d

SHA512
4d0378480f1e7d5bee5cf8f8cd3495745c05408785ab687b92be739cd64c077f0e3ee26d6d96e27eb6e2c3dec5f39a2766c45854dc2d6a5b6defc672aeafa0f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat

Filesize
98B

MD5
8663de6fce9208b795dc913d1a6a3f5b

SHA1
882193f208cf012eaf22eeaa4fef3b67e7c67c15

SHA256
2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

SHA512
9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

Download Submit
C:\Users\Admin\AppData\Local\Temp\xzz8751.tmp

Filesize
2.3MB

MD5
85bc9688ee183a2963a20f1f6566b59b

SHA1
b9e83500b931f4455432c17a8a8efc3eda4f065d

SHA256
7581c4a53e9ec2bde96851a92ccb19813c42405e976d3946e2418401e025d8f0

SHA512
a7ef46046bdfaf518319530b8312221fe52063793078fea52d5231d6046a635ebedc1bea40b5f9e34dbcd497261a669e3dcc1c44562c7a3b4a0d9e49572d0131

Download Submit
C:\Users\Admin\AppData\Local\Temp\xzz8751.tmp

Filesize
2.6MB

MD5
9d564242c1de95ab5260529d2bb98a6d

SHA1
ccb2c0b527ee88f0552bb54b2ae02e7529e21eda

SHA256
eac763b686111eea415862395c39121b3df1fca4a809ab0d524ddbede7b8f362

SHA512
e01c22efc686fbd0073b082fbaa47fc79248355f5bd1eef9b6c15ed9d4f96d2528be9a2d29f540c3ad97f1d7a017a19dda1eb9b94497f5c9987e26f4d2b63b2b

Download Submit
C:\Users\Admin\Favorites\°ËØÔÉ«Í¼.url

Filesize
154B

MD5
8d681a59ea75e91f730bd9ce3c42e514

SHA1
9d426029daeebf03c9053761e0e5a9f447f98e9c

SHA256
afd3d42faa66d6703a32f2f5b41e0d679dd8210aacb284d1e46854207087cac7

SHA512
ffece212187fb127e98a612a59e7f2df7e9ebc6fee600644e2eef80d62fcc7d411ffba435b48981c4d75ba0ca34f85ff57091f4098104651710220a28a13ba8d

Download Submit
C:\Users\Admin\Favorites\°Ù¹ÈµçÓ°.url

Filesize
155B

MD5
5a17106c27138df10448c2c3be95f399

SHA1
56acc2ed4fea4171127a13dcdee08bdd39d674d6

SHA256
c544ab13bd785ea3d5792873dedb102e87ea9a3b28fb1283be2eaac363ce360c

SHA512
1d8839f36323dfb4458745dbf31a98bc676121db3e4ccda59ca8e177437c85a5811125119fbfa3b5bcde6c2fbf25ae910109e785e276c32fbfebe6437aea8198

Download Submit
C:\Users\Admin\Favorites\´´ÒµÍ¶×ÊºÃÏîÄ¿.url

Filesize
156B

MD5
8a275b261afcc166671132b6f03831e4

SHA1
03ac21edc1de2df748ee3a301a6b3de989c423c3

SHA256
0296e167f4cfe36275cf1a705a6c56b30b15c0712ec5904b4ed3299f07beee8e

SHA512
269cf3d57201d9c390cef3a8e74d63036d300ff464d20b419324d4575c04e004655179ac29da5e3b2b52a5e2b6f37ecbf6e512fa0c2c5d5af0c5a359af51d739

Download Submit
C:\Users\Admin\Favorites\¿´¿´µçÓ°.url

Filesize
158B

MD5
d645085ab92574a2a17abd323415dde5

SHA1
49ebaa4499cacd9256f270f35f31684b7cd195b1

SHA256
41ef37f97f886f32ec9e4d9ebf58079442d8bc8b102e9487de2f3f7da36e8058

SHA512
a726352ef7725eb8f94609dc3b80b5314387416513e654487e6a0b96bab922412b15bfbc07f1643bc104543be7c4c8a1b1472374d8cfe7fa9a010d28a135d654

Download Submit
C:\Users\Admin\Favorites\ÃÀÅ®ÀÖÔ°.url

Filesize
157B

MD5
993f72a439a3301caeb969c7faa7a8b9

SHA1
176244349a0463cd0fc38cad426d89dc3b055311

SHA256
b7ea84a9d48f22c799c3c3b96f29f0ae7c1b274e6402d6fbadae31fc053f2140

SHA512
c373b12c16c65e966593990019b3a2fd96f703820976835c7ab3d042a997f617f49c1b5110e77833a18b3d2a2bef8fd3a97e77ea05dd7cdce9053840398320d8

Download Submit
C:\Windows\SysWOW64\clientex.exe

Filesize
204KB

MD5
2955ae322c3acc38fdbd2d2879604307

SHA1
301e34dec1428acce6890e958884574a0ae8c181

SHA256
2e698aeb166639e74f80520c5aee54fec4be3632429fa13992234e91dafcfd2b

SHA512
57f44f865584fb62ef5aa3460be45ba9c4f2b5eb3687be6d892b1af1b380e8a53614bd33e9028eb58e47f6336738da2a52a1596c19d50f07dbdd1560b6f7a078

Download Submit
C:\Windows\SysWOW64\clientex.exe

Filesize
989KB

MD5
e267afa657564af3767b0f201e1bb5cf

SHA1
aef9a7eb0daaad4494e88fef49bb5ae522798c1f

SHA256
a86756e34d9aa76c136823512f9075a3d9a9352b236b920aec98f505e3eb4ff8

SHA512
c25fcd36a9cca369f50453de9816836090a31d309237e629368ee6aa9902137aec7d202c7f160d4bbc94f3d09c997cdca4cb6e9e47cd096d056119da5ace83be

Download Submit
C:\Windows\SysWOW64\clientex.exe

Filesize
941KB

MD5
e5706ca03ea0473a77a66e10c66264e0

SHA1
96373dabafb68f1bc692e1ed151ea57469947bc1

SHA256
8934cd42da79ee54478ba89497c833b55a7c64c5596b908360e7940066348ffc

SHA512
c20bf042ffec132d96722762860f868980b10d48aa0a9e1ba07e698d82c983ea63bb69fdc289080feab844989dc6f1d440e0a5643643e057fab4f60c5acc85ab

Download Submit
\??\c:\users\admin\appdata\local\temp\desktop_url.cab

Filesize
443B

MD5
01f8b2509f3844f8c6e8e198555d3ffb

SHA1
55b531078457f8a5583180b018b178f5294f6fcf

SHA256
ab9b1350f19e5c3bcec4b6302ea996a20b07db71cc4f99d46d7b9314f208597e

SHA512
98b2e3198935d14a6730d9e1dd22dd9f1c6fc692d5052aef9cde84f6745bde36bec984ea7dca2ada001423416eb6c9eac670dada67fe19c9ccccda83c504bd5d

Download Submit
\??\c:\users\admin\appdata\local\temp\favorites_url.cab

Filesize
425B

MD5
da68bc3b7c3525670a04366bc55629f5

SHA1
15fda47ecfead7db8f7aee6ca7570138ba7f1b71

SHA256
73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

SHA512
6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

Download Submit
memory/540-83-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/540-103-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/540-67-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/540-65-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3632-82-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4068-105-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4068-99-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/4068-129-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/4440-58-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download