5b43a30d7ddbb0357a29e6592a84e3fd3d82369f97d324b12dde28b806f69bf1

Analysis

max time kernel
163s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/01/2024, 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3db45d73a819ddadeb2b2967e16bfead.exe
Size

1014KB
MD5

3db45d73a819ddadeb2b2967e16bfead
SHA1

0ed78d4d84e59020b1a7eb88799fb04290820be7
SHA256

5b43a30d7ddbb0357a29e6592a84e3fd3d82369f97d324b12dde28b806f69bf1
SHA512

4ca7d268b938af3d93c5183d470fbce7d75cba85833c1b3e95b1ff5f863cc5fe991be8fb811f3b2ba6bc3e258f4d1488104df70bdc5ef972ac5a4ae41a75cc76
SSDEEP

12288:ZGYq6z7lPngsxhwrZ4vZyf5RFlYlBXSR6jJimvyAcAbK0p8FdoS:0H+BYsx6ruvCTCBXSYjcmNcAC

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	3db45d73a819ddadeb2b2967e16bfead.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	UpdateOffice.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	UpdateOffice.exe

Executes dropped EXE 2 IoCs

pid	Process
4336	UpdateOffice.exe
4068	UpdateOffice.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2164-0-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral2/memory/2164-2-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral2/files/0x000400000001e7e6-8.dat	upx
behavioral2/memory/4336-14-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral2/memory/2164-17-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral2/memory/4068-19-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral2/memory/4336-21-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral2/memory/4068-333-0x0000000000400000-0x00000000004FF000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
3772	PING.EXE
2624	PING.EXE
432	PING.EXE
1556	PING.EXE

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2444	2164	3db45d73a819ddadeb2b2967e16bfead.exe	95
PID 2164 wrote to memory of 2444	2164	3db45d73a819ddadeb2b2967e16bfead.exe	95
PID 2164 wrote to memory of 2444	2164	3db45d73a819ddadeb2b2967e16bfead.exe	95
PID 2444 wrote to memory of 4336	2444	cmd.exe	97
PID 2444 wrote to memory of 4336	2444	cmd.exe	97
PID 2444 wrote to memory of 4336	2444	cmd.exe	97
PID 4336 wrote to memory of 4068	4336	UpdateOffice.exe	98
PID 4336 wrote to memory of 4068	4336	UpdateOffice.exe	98
PID 4336 wrote to memory of 4068	4336	UpdateOffice.exe	98
PID 4068 wrote to memory of 1700	4068	UpdateOffice.exe	103
PID 4068 wrote to memory of 1700	4068	UpdateOffice.exe	103
PID 4068 wrote to memory of 1700	4068	UpdateOffice.exe	103
PID 1700 wrote to memory of 3772	1700	cmd.exe	106
PID 1700 wrote to memory of 3772	1700	cmd.exe	106
PID 1700 wrote to memory of 3772	1700	cmd.exe	106
PID 4068 wrote to memory of 1556	4068	UpdateOffice.exe	111
PID 4068 wrote to memory of 1556	4068	UpdateOffice.exe	111
PID 4068 wrote to memory of 1556	4068	UpdateOffice.exe	111
PID 1556 wrote to memory of 2624	1556	cmd.exe	113
PID 1556 wrote to memory of 2624	1556	cmd.exe	113
PID 1556 wrote to memory of 2624	1556	cmd.exe	113
PID 4068 wrote to memory of 4852	4068	UpdateOffice.exe	114
PID 4068 wrote to memory of 4852	4068	UpdateOffice.exe	114
PID 4068 wrote to memory of 4852	4068	UpdateOffice.exe	114
PID 4852 wrote to memory of 432	4852	cmd.exe	116
PID 4852 wrote to memory of 432	4852	cmd.exe	116
PID 4852 wrote to memory of 432	4852	cmd.exe	116
PID 4068 wrote to memory of 5024	4068	UpdateOffice.exe	120
PID 4068 wrote to memory of 5024	4068	UpdateOffice.exe	120
PID 4068 wrote to memory of 5024	4068	UpdateOffice.exe	120
PID 5024 wrote to memory of 1556	5024	cmd.exe	122
PID 5024 wrote to memory of 1556	5024	cmd.exe	122
PID 5024 wrote to memory of 1556	5024	cmd.exe	122

C:\Users\Admin\AppData\Local\Temp\3db45d73a819ddadeb2b2967e16bfead.exe
"C:\Users\Admin\AppData\Local\Temp\3db45d73a819ddadeb2b2967e16bfead.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\PRINTE~1\100.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\UpBackup\UpdateOffice.exe
    C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\UpBackup\UpdateOffice.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4336
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\UpdateOffice.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\UpdateOffice.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4068
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\pangtip.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1700
      - C:\Windows\SysWOW64\PING.EXE
        
        ping www.majakil.in
        6⤵
        Runs ping.exe
        
        PID:3772
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\pangtip.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1556
      - C:\Windows\SysWOW64\PING.EXE
        
        ping www.majakil.in
        6⤵
        Runs ping.exe
        
        PID:2624
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\pangtip.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4852
      - C:\Windows\SysWOW64\PING.EXE
        
        ping www.majakil.in
        6⤵
        Runs ping.exe
        
        PID:432
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\pangtip.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5024
      - C:\Windows\SysWOW64\PING.EXE
        
        ping www.majakil.in
        6⤵
        Runs ping.exe
        
        PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\PRINTE~1\100.bat

Filesize
389B

MD5
655fa5cc0d70e812418b181ffdb126d3

SHA1
6c0dedb7e45a0c6abe958af877e298d7646c6b74

SHA256
02a5f19f2197b26eed1c40a802986f05ea9cb06eacf425cb8c7916ad9de6ffad

SHA512
8fd8a1a5c47c3022817ece2423413cc5c5167472b72d15a1257c631b3201d69725aac4438bf8fd4977072fa02bd55de8ec92270b44f9e261049590eae830d6a4

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\PRINTE~1\UPDATE~1.EXE.pkxm

Filesize
87B

MD5
d211d6552340acb37dac80bdb968384b

SHA1
f331d54bfa937956426c9b69027d6b9766b474f7

SHA256
5ab9b205c4e3e52faa21b61e299e41a7aa4b5324604b1ed4622cd3eef7806603

SHA512
848fa2c4f35ba0b79db2e3a66d2641b2a319d71dfc58294e7e7c3c26133aaecfb790444527c132b2e41af20233af65b9c4e47598bcb168c42330cef73e3ec1f7

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\PRINTE~1\UpdateOffice.exe

Filesize
1014KB

MD5
3db45d73a819ddadeb2b2967e16bfead

SHA1
0ed78d4d84e59020b1a7eb88799fb04290820be7

SHA256
5b43a30d7ddbb0357a29e6592a84e3fd3d82369f97d324b12dde28b806f69bf1

SHA512
4ca7d268b938af3d93c5183d470fbce7d75cba85833c1b3e95b1ff5f863cc5fe991be8fb811f3b2ba6bc3e258f4d1488104df70bdc5ef972ac5a4ae41a75cc76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\fLsiuXhd3B.PRI

Filesize
239B

MD5
dd47b39cd1cf82cd17f2200ace068535

SHA1
91954c113ac50934735490db75dca416a1dd1d00

SHA256
8318510881eed5a6efb0aff018e049e27c276a57d3cb266626994f2ea247ac73

SHA512
578377f01fc2b9b8036f782459b1f938270fbe5e7310b54eeca33a37279e8bd33f4038a6ccb2bb272222bc78abef73c12fd817ef8438b5811e333640af3be131

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\pangtip.bat

Filesize
95B

MD5
e0269d57c870eb781220d0b7366bbfc5

SHA1
e2969a44523f9d4ba03cd46d9740f28eddecedd6

SHA256
cfe7ac6175017509af1a755ae08753a62c5f2ddf32a798dc067a095835deba9b

SHA512
a796a2cc4aa62255efa40c221f44948903548f4abc432213f6e5569091b3293120ce57dc709e8f2b613b8e91886a64c96f84dfce21e2199159426c1b3d0b5576

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\uGlNSB7szU.dll

Filesize
242B

MD5
63d7622c24d1da4030993ac8b988ea97

SHA1
f9c9cb1d1255b7fe6bd76b83f9237b0cc2023f53

SHA256
eb282aca259144b0102a807b0e511b6a36b02c7f85f87b865c31aeb9dc04d632

SHA512
f8d77aff61c33521063a6a30058ac8b34e7db5bfda26330f155635e4c72f31e06d5e5aadf4ba3679bd7d831593568af0a0c24fca629fc31ce5fd593694354c98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\~gU0Q2n6tj1itmuoao9JX.TMP

Filesize
96B

MD5
260143bcdba8890e6b11ac82526ed7f4

SHA1
7a75c1db570fe6470efc4ea0976681f7c6549689

SHA256
633951a8d3b95adb9ab35630b14e95fe98080a6d8c65c2c442530beb8b205b3b

SHA512
f351c0dff3c4ab1680fed3601663d72b3c3094191306f2913e24bdfe75980d6b73462da052b619c7720c80bace277de2852912f31f32d113b7da28289622a13c

Download Submit
memory/2164-17-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2164-0-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2164-15-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/2164-2-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2164-1-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/4068-19-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/4068-20-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/4068-333-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/4068-334-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/4336-16-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/4336-21-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/4336-14-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download