d5fb752731beb3f76e340e2a6ddee812235ff30f2019eac8516bfe63efcd98ed

Analysis

max time kernel
165s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 12:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

17fc6cb22716bb540b2abbc3bf5997ba.exe
Size

76KB
MD5

17fc6cb22716bb540b2abbc3bf5997ba
SHA1

2e447b7bfb6014c417936a046a1e9982ab36b996
SHA256

d5fb752731beb3f76e340e2a6ddee812235ff30f2019eac8516bfe63efcd98ed
SHA512

00722f631746e357b182e90d809f8cd95a1a46f044414174f396b2721fe8285037c0800f46781ae6d92471d77cdadab11ac3e007809055c998338321f9c97a53
SSDEEP

768:00p23m9um2Mc8CCR8gD1P8TYw9y3RbqOaAfDyktBZYzIDoXZ1FtM9oWsp24dCRj0:bsm2BCoYwUcOxYsDi3SYCpDnQHc7co2

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	17fc6cb22716bb540b2abbc3bf5997ba.exe

Executes dropped EXE 2 IoCs

pid	Process
2012	LIAR3.EXE
4432	LIAR3.EXE

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4432-15-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/4432-20-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/4432-21-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/4432-22-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/4432-23-0x0000000000400000-0x000000000044A000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2012 set thread context of 4432	2012	LIAR3.EXE	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 2012	5068	17fc6cb22716bb540b2abbc3bf5997ba.exe	95
PID 5068 wrote to memory of 2012	5068	17fc6cb22716bb540b2abbc3bf5997ba.exe	95
PID 5068 wrote to memory of 2012	5068	17fc6cb22716bb540b2abbc3bf5997ba.exe	95
PID 2012 wrote to memory of 4432	2012	LIAR3.EXE	96
PID 2012 wrote to memory of 4432	2012	LIAR3.EXE	96
PID 2012 wrote to memory of 4432	2012	LIAR3.EXE	96
PID 2012 wrote to memory of 4432	2012	LIAR3.EXE	96
PID 2012 wrote to memory of 4432	2012	LIAR3.EXE	96

C:\Users\Admin\AppData\Local\Temp\17fc6cb22716bb540b2abbc3bf5997ba.exe
"C:\Users\Admin\AppData\Local\Temp\17fc6cb22716bb540b2abbc3bf5997ba.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Users\Admin\AppData\Local\Temp\LIAR3.EXE
  "C:\Users\Admin\AppData\Local\Temp\LIAR3.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Users\Admin\AppData\Local\Temp\LIAR3.EXE
    C:\Users\Admin\AppData\Local\Temp\LIAR3.EXE
    3⤵
    - Executes dropped EXE
    PID:4432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LIAR3.EXE

Filesize
68KB

MD5
53f4b4803eeb8424ec3dbd9980922914

SHA1
e4b69391c65947959205a60a74f9e8550e5571a7

SHA256
89e4d3d96e5537a04ebc984833cf5de3ce8784e8e375d74f054537ac04f030e1

SHA512
9555582c71dd3aa7ccd5cf8f779c02f317db032c4b75ea54aff25ea7585469c14923922dfab4c7cd6f2790b00d0aa11325450ccaa671f86ae65756fc8f6c9f3e

Download Submit
memory/2012-18-0x0000000013140000-0x0000000013158000-memory.dmp

Filesize
96KB

Download
memory/4432-15-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4432-20-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4432-21-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4432-22-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4432-23-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/5068-1-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5068-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download