0f761a060c842a652d54b7314db73fd650ae5b65b042ac59d03f9f8b867c35b8

Analysis

max time kernel
162s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

100866ba17da997902f151c321545421.exe
Size

27KB
MD5

100866ba17da997902f151c321545421
SHA1

f9a7525b5db9f9eebe61569069be9ecc5741f781
SHA256

0f761a060c842a652d54b7314db73fd650ae5b65b042ac59d03f9f8b867c35b8
SHA512

3d9a2d565e4d74f0e00993fda030b1768b88e95e1d3d92f0354c0f0861c728c2f6c374318040d24710784dc65e957aecfc2d12437b0a9aaf6c6127b960c6671d
SSDEEP

768:HiZun3CCvBYghyWyAd6DxgjP3zxeEX44jjte:Hz+gh9y1xY3zxNX4upe

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	100866ba17da997902f151c321545421.exe

Loads dropped DLL 1 IoCs

pid	Process
2248	rundll32.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1012-0-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/1012-1-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/1012-3-0x0000000000400000-0x0000000000413000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xpsp0res.dll	100866ba17da997902f151c321545421.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3112	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1652	2248	WerFault.exe	97

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1012	100866ba17da997902f151c321545421.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 2296	1012	100866ba17da997902f151c321545421.exe	95
PID 1012 wrote to memory of 2296	1012	100866ba17da997902f151c321545421.exe	95
PID 1012 wrote to memory of 2296	1012	100866ba17da997902f151c321545421.exe	95
PID 2296 wrote to memory of 2248	2296	cmd.exe	97
PID 2296 wrote to memory of 2248	2296	cmd.exe	97
PID 2296 wrote to memory of 2248	2296	cmd.exe	97
PID 1012 wrote to memory of 1308	1012	100866ba17da997902f151c321545421.exe	99
PID 1012 wrote to memory of 1308	1012	100866ba17da997902f151c321545421.exe	99
PID 1012 wrote to memory of 1308	1012	100866ba17da997902f151c321545421.exe	99
PID 1012 wrote to memory of 4856	1012	100866ba17da997902f151c321545421.exe	101
PID 1012 wrote to memory of 4856	1012	100866ba17da997902f151c321545421.exe	101
PID 1012 wrote to memory of 4856	1012	100866ba17da997902f151c321545421.exe	101
PID 1308 wrote to memory of 3112	1308	cmd.exe	102
PID 1308 wrote to memory of 3112	1308	cmd.exe	102
PID 1308 wrote to memory of 3112	1308	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\100866ba17da997902f151c321545421.exe
"C:\Users\Admin\AppData\Local\Temp\100866ba17da997902f151c321545421.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c rundll32 xpsp0res.dll,RundllInstall IPRIP
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 xpsp0res.dll,RundllInstall IPRIP
    3⤵
    - Loads dropped DLL
    PID:2248
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 632
      4⤵
      Program crash
      PID:1652
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start iprip 'cmd /k whoami' 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Windows\SysWOW64\sc.exe
    sc start iprip 'cmd /k whoami' 1
    3⤵
    - Launches sc.exe
    PID:3112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\100866~1.EXE > nul
  2⤵
  PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2248 -ip 2248
1⤵
PID:3308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xpsp0res.dll

Filesize
44KB

MD5
dd393f5b7b35a3aaf6af0c997f3c7ecb

SHA1
a6431c9e7b03b96e979e2cdbbcfd282bbf9e574e

SHA256
5515e4d7a30c611984f6128fb7d1b56e940fc4a1e6b8dca664d8b08375cfa75d

SHA512
371e99cee85f635d41028bc7de1d81e2d9778670f7f46c161289039ec95d225bb25a968599e0c978e9ea1ce91b1e7ae41cf0fcf8d7d90253266afa91d17a1e3e

Download Submit
memory/1012-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1012-1-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1012-3-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download