4a273105d0d2f071ff747b87d7890cd255ca366025bec4bda0b68bc7e3283314

Analysis

max time kernel
169s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a5027348187535ea6e51bbe3e6762d2.exe
Size

2.0MB
MD5

3a5027348187535ea6e51bbe3e6762d2
SHA1

9c4c62d970110a71881e4a4e24c621032bb81075
SHA256

4a273105d0d2f071ff747b87d7890cd255ca366025bec4bda0b68bc7e3283314
SHA512

7c0456e72335359b667ec691fdee22b8b54b8b1d0b658dd5a40db10fe81b447f0509bfdf4fbfd5e9ddb9ef0bd3314dc7be05a48bb068883cd30f15f1fc29ddc4
SSDEEP

49152:QyLIQso24XPTUHCBF6dDLmJjnA8YZ9KpecU29IbCZeX:XLI5o2QUhaJsPQecbgxX

Score

7^/10

persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	3a5027348187535ea6e51bbe3e6762d2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	3a5027348187535ea6e51bbe3e6762d2.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5020-0-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5036-6-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5020-7-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4712-8-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x000200000001e7e1-10.dat	upx
behavioral2/memory/3944-11-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5036-23-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4712-27-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3944-28-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	3a5027348187535ea6e51bbe3e6762d2.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	3a5027348187535ea6e51bbe3e6762d2.exe
File opened (read-only)	\??\N:	3a5027348187535ea6e51bbe3e6762d2.exe
File opened (read-only)	\??\Q:	3a5027348187535ea6e51bbe3e6762d2.exe
File opened (read-only)	\??\Z:	3a5027348187535ea6e51bbe3e6762d2.exe
File opened (read-only)	\??\G:	3a5027348187535ea6e51bbe3e6762d2.exe
File opened (read-only)	\??\K:	3a5027348187535ea6e51bbe3e6762d2.exe
File opened (read-only)	\??\R:	3a5027348187535ea6e51bbe3e6762d2.exe
File opened (read-only)	\??\V:	3a5027348187535ea6e51bbe3e6762d2.exe
File opened (read-only)	\??\W:	3a5027348187535ea6e51bbe3e6762d2.exe
File opened (read-only)	\??\Y:	3a5027348187535ea6e51bbe3e6762d2.exe
File opened (read-only)	\??\J:	3a5027348187535ea6e51bbe3e6762d2.exe
File opened (read-only)	\??\E:	3a5027348187535ea6e51bbe3e6762d2.exe
File opened (read-only)	\??\I:	3a5027348187535ea6e51bbe3e6762d2.exe
File opened (read-only)	\??\L:	3a5027348187535ea6e51bbe3e6762d2.exe
File opened (read-only)	\??\P:	3a5027348187535ea6e51bbe3e6762d2.exe
File opened (read-only)	\??\S:	3a5027348187535ea6e51bbe3e6762d2.exe
File opened (read-only)	\??\T:	3a5027348187535ea6e51bbe3e6762d2.exe
File opened (read-only)	\??\U:	3a5027348187535ea6e51bbe3e6762d2.exe
File opened (read-only)	\??\A:	3a5027348187535ea6e51bbe3e6762d2.exe
File opened (read-only)	\??\M:	3a5027348187535ea6e51bbe3e6762d2.exe
File opened (read-only)	\??\O:	3a5027348187535ea6e51bbe3e6762d2.exe
File opened (read-only)	\??\X:	3a5027348187535ea6e51bbe3e6762d2.exe
File opened (read-only)	\??\B:	3a5027348187535ea6e51bbe3e6762d2.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\indian gang bang sperm public ash .zip.exe	3a5027348187535ea6e51bbe3e6762d2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\nude bukkake hidden hole bondage .mpeg.exe	3a5027348187535ea6e51bbe3e6762d2.exe
File created	C:\Program Files\Common Files\microsoft shared\trambling masturbation hole .avi.exe	3a5027348187535ea6e51bbe3e6762d2.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\american cumshot hardcore uncut hole 50+ .mpg.exe	3a5027348187535ea6e51bbe3e6762d2.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\indian action lesbian girls hole .zip.exe	3a5027348187535ea6e51bbe3e6762d2.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\tyrkish fetish bukkake uncut .zip.exe	3a5027348187535ea6e51bbe3e6762d2.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\horse lesbian .mpg.exe	3a5027348187535ea6e51bbe3e6762d2.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\swedish beastiality gay catfight .zip.exe	3a5027348187535ea6e51bbe3e6762d2.exe
File created	C:\Program Files\dotnet\shared\russian action trambling catfight .zip.exe	3a5027348187535ea6e51bbe3e6762d2.exe
File created	C:\Program Files\Microsoft Office\root\Templates\lesbian voyeur hole shower (Melissa).zip.exe	3a5027348187535ea6e51bbe3e6762d2.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\russian horse lesbian uncut feet hotel .mpeg.exe	3a5027348187535ea6e51bbe3e6762d2.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\mssrv.exe	3a5027348187535ea6e51bbe3e6762d2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5020	3a5027348187535ea6e51bbe3e6762d2.exe
5020	3a5027348187535ea6e51bbe3e6762d2.exe
5036	3a5027348187535ea6e51bbe3e6762d2.exe
5036	3a5027348187535ea6e51bbe3e6762d2.exe
5020	3a5027348187535ea6e51bbe3e6762d2.exe
5020	3a5027348187535ea6e51bbe3e6762d2.exe
4712	3a5027348187535ea6e51bbe3e6762d2.exe
4712	3a5027348187535ea6e51bbe3e6762d2.exe
5020	3a5027348187535ea6e51bbe3e6762d2.exe
5020	3a5027348187535ea6e51bbe3e6762d2.exe
3944	3a5027348187535ea6e51bbe3e6762d2.exe
3944	3a5027348187535ea6e51bbe3e6762d2.exe
5036	3a5027348187535ea6e51bbe3e6762d2.exe
5036	3a5027348187535ea6e51bbe3e6762d2.exe
4712	3a5027348187535ea6e51bbe3e6762d2.exe
4712	3a5027348187535ea6e51bbe3e6762d2.exe
5020	3a5027348187535ea6e51bbe3e6762d2.exe
5020	3a5027348187535ea6e51bbe3e6762d2.exe
3944	3a5027348187535ea6e51bbe3e6762d2.exe
3944	3a5027348187535ea6e51bbe3e6762d2.exe
5036	3a5027348187535ea6e51bbe3e6762d2.exe
5036	3a5027348187535ea6e51bbe3e6762d2.exe
4712	3a5027348187535ea6e51bbe3e6762d2.exe
4712	3a5027348187535ea6e51bbe3e6762d2.exe
5020	3a5027348187535ea6e51bbe3e6762d2.exe
5020	3a5027348187535ea6e51bbe3e6762d2.exe
3944	3a5027348187535ea6e51bbe3e6762d2.exe
3944	3a5027348187535ea6e51bbe3e6762d2.exe
5036	3a5027348187535ea6e51bbe3e6762d2.exe
5036	3a5027348187535ea6e51bbe3e6762d2.exe
4712	3a5027348187535ea6e51bbe3e6762d2.exe
4712	3a5027348187535ea6e51bbe3e6762d2.exe
5020	3a5027348187535ea6e51bbe3e6762d2.exe
5020	3a5027348187535ea6e51bbe3e6762d2.exe
3944	3a5027348187535ea6e51bbe3e6762d2.exe
3944	3a5027348187535ea6e51bbe3e6762d2.exe
5036	3a5027348187535ea6e51bbe3e6762d2.exe
5036	3a5027348187535ea6e51bbe3e6762d2.exe
4712	3a5027348187535ea6e51bbe3e6762d2.exe
4712	3a5027348187535ea6e51bbe3e6762d2.exe
5020	3a5027348187535ea6e51bbe3e6762d2.exe
5020	3a5027348187535ea6e51bbe3e6762d2.exe
3944	3a5027348187535ea6e51bbe3e6762d2.exe
3944	3a5027348187535ea6e51bbe3e6762d2.exe
5036	3a5027348187535ea6e51bbe3e6762d2.exe
5036	3a5027348187535ea6e51bbe3e6762d2.exe
4712	3a5027348187535ea6e51bbe3e6762d2.exe
4712	3a5027348187535ea6e51bbe3e6762d2.exe
5020	3a5027348187535ea6e51bbe3e6762d2.exe
5020	3a5027348187535ea6e51bbe3e6762d2.exe
3944	3a5027348187535ea6e51bbe3e6762d2.exe
3944	3a5027348187535ea6e51bbe3e6762d2.exe
5036	3a5027348187535ea6e51bbe3e6762d2.exe
5036	3a5027348187535ea6e51bbe3e6762d2.exe
4712	3a5027348187535ea6e51bbe3e6762d2.exe
4712	3a5027348187535ea6e51bbe3e6762d2.exe
5020	3a5027348187535ea6e51bbe3e6762d2.exe
5020	3a5027348187535ea6e51bbe3e6762d2.exe
3944	3a5027348187535ea6e51bbe3e6762d2.exe
3944	3a5027348187535ea6e51bbe3e6762d2.exe
5036	3a5027348187535ea6e51bbe3e6762d2.exe
5036	3a5027348187535ea6e51bbe3e6762d2.exe
4712	3a5027348187535ea6e51bbe3e6762d2.exe
4712	3a5027348187535ea6e51bbe3e6762d2.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 5036	5020	3a5027348187535ea6e51bbe3e6762d2.exe	92
PID 5020 wrote to memory of 5036	5020	3a5027348187535ea6e51bbe3e6762d2.exe	92
PID 5020 wrote to memory of 5036	5020	3a5027348187535ea6e51bbe3e6762d2.exe	92
PID 5020 wrote to memory of 4712	5020	3a5027348187535ea6e51bbe3e6762d2.exe	93
PID 5020 wrote to memory of 4712	5020	3a5027348187535ea6e51bbe3e6762d2.exe	93
PID 5020 wrote to memory of 4712	5020	3a5027348187535ea6e51bbe3e6762d2.exe	93
PID 5036 wrote to memory of 3944	5036	3a5027348187535ea6e51bbe3e6762d2.exe	94
PID 5036 wrote to memory of 3944	5036	3a5027348187535ea6e51bbe3e6762d2.exe	94
PID 5036 wrote to memory of 3944	5036	3a5027348187535ea6e51bbe3e6762d2.exe	94

C:\Users\Admin\AppData\Local\Temp\3a5027348187535ea6e51bbe3e6762d2.exe
"C:\Users\Admin\AppData\Local\Temp\3a5027348187535ea6e51bbe3e6762d2.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Users\Admin\AppData\Local\Temp\3a5027348187535ea6e51bbe3e6762d2.exe
  "C:\Users\Admin\AppData\Local\Temp\3a5027348187535ea6e51bbe3e6762d2.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Users\Admin\AppData\Local\Temp\3a5027348187535ea6e51bbe3e6762d2.exe
    "C:\Users\Admin\AppData\Local\Temp\3a5027348187535ea6e51bbe3e6762d2.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3944
- C:\Users\Admin\AppData\Local\Temp\3a5027348187535ea6e51bbe3e6762d2.exe
  "C:\Users\Admin\AppData\Local\Temp\3a5027348187535ea6e51bbe3e6762d2.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\american cumshot hardcore uncut hole 50+ .mpg.exe

Filesize
375KB

MD5
d652a7bab54957b0e05d0924cdfd87e0

SHA1
54d56f2ef0bbcffaa5654ca86e7ceda3ae345e76

SHA256
0f1cb7eaaca41778f6a36ac99c4c226ca302dbe0837280ac395e995101fb21c9

SHA512
81880f09aab11464b4eb42b8485f4bde2648d7d917f9f574f1d5862773608057a12243b6051206d1c7b3545dfbe6fd3939ec1773331b14469519ef064fefe896

Download Submit
memory/3944-11-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3944-28-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4712-8-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4712-27-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5020-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5020-7-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5036-6-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5036-23-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download