ab62b4c70c1555383d7ba77ea0421a5d9c38baeedd9b46e0cbdecca033580708

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2024 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f2ff530e022aa423b1d41f0ca3b59e1.exe
Size

720KB
MD5

3f2ff530e022aa423b1d41f0ca3b59e1
SHA1

80bc6f791d867776f69eb42f9683d27711074b40
SHA256

ab62b4c70c1555383d7ba77ea0421a5d9c38baeedd9b46e0cbdecca033580708
SHA512

f033e00011850024d59cf9e08a5deceaa6adae6a7516371521bcd18196462097ba55fc7166b7fb31d31764d5db233076edacceafbf7e7574d466c5e6db19779c
SSDEEP

12288:pwmdF0kCOTksRBMsXVVDEn7Df8cfPTV39t1QXl2d1q82vRRzZUax9SvgByHAx:pxNTksRBMxn7D8cf53mYoR7Uwxcgx

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	3f2ff530e022aa423b1d41f0ca3b59e1.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1284-0-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/1284-25-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x000600000002323c-121.dat	upx
behavioral2/files/0x000600000002323e-133.dat	upx
behavioral2/files/0x000600000002323b-127.dat	upx
behavioral2/files/0x000600000002323d-124.dat	upx

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\SrchSTS.exe	cmd.exe
File created	C:\Windows\SysWOW64\dumphive.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\dumphive.exe	cmd.exe
File created	C:\Windows\SysWOW64\swxcacls.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Process.exe	cmd.exe
File created	C:\Windows\SysWOW64\swreg.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\swreg.exe	cmd.exe
File created	C:\Windows\SysWOW64\swsc.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\swsc.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\SrchSTS.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\swxcacls.exe	cmd.exe
File created	C:\Windows\SysWOW64\Process.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkntfs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 1632	1284	3f2ff530e022aa423b1d41f0ca3b59e1.exe	44
PID 1284 wrote to memory of 1632	1284	3f2ff530e022aa423b1d41f0ca3b59e1.exe	44
PID 1284 wrote to memory of 1632	1284	3f2ff530e022aa423b1d41f0ca3b59e1.exe	44
PID 1632 wrote to memory of 3288	1632	cmd.exe	43
PID 1632 wrote to memory of 3288	1632	cmd.exe	43
PID 1632 wrote to memory of 3288	1632	cmd.exe	43
PID 1632 wrote to memory of 1992	1632	cmd.exe	42
PID 1632 wrote to memory of 1992	1632	cmd.exe	42
PID 1632 wrote to memory of 1992	1632	cmd.exe	42
PID 1632 wrote to memory of 3260	1632	cmd.exe	41
PID 1632 wrote to memory of 3260	1632	cmd.exe	41
PID 1632 wrote to memory of 3260	1632	cmd.exe	41
PID 1632 wrote to memory of 3380	1632	cmd.exe	40
PID 1632 wrote to memory of 3380	1632	cmd.exe	40
PID 1632 wrote to memory of 3380	1632	cmd.exe	40
PID 1632 wrote to memory of 4504	1632	cmd.exe	27
PID 1632 wrote to memory of 4504	1632	cmd.exe	27
PID 1632 wrote to memory of 4504	1632	cmd.exe	27
PID 1632 wrote to memory of 3300	1632	cmd.exe	39
PID 1632 wrote to memory of 3300	1632	cmd.exe	39
PID 1632 wrote to memory of 3300	1632	cmd.exe	39
PID 1632 wrote to memory of 1404	1632	cmd.exe	38
PID 1632 wrote to memory of 1404	1632	cmd.exe	38
PID 1632 wrote to memory of 1404	1632	cmd.exe	38
PID 1632 wrote to memory of 2188	1632	cmd.exe	37
PID 1632 wrote to memory of 2188	1632	cmd.exe	37
PID 1632 wrote to memory of 2188	1632	cmd.exe	37
PID 1632 wrote to memory of 1092	1632	cmd.exe	36
PID 1632 wrote to memory of 1092	1632	cmd.exe	36
PID 1632 wrote to memory of 1092	1632	cmd.exe	36
PID 1632 wrote to memory of 3632	1632	cmd.exe	35
PID 1632 wrote to memory of 3632	1632	cmd.exe	35
PID 1632 wrote to memory of 3632	1632	cmd.exe	35
PID 1632 wrote to memory of 5068	1632	cmd.exe	34
PID 1632 wrote to memory of 5068	1632	cmd.exe	34
PID 1632 wrote to memory of 5068	1632	cmd.exe	34
PID 1632 wrote to memory of 2784	1632	cmd.exe	31
PID 1632 wrote to memory of 2784	1632	cmd.exe	31
PID 1632 wrote to memory of 2784	1632	cmd.exe	31
PID 1632 wrote to memory of 4800	1632	cmd.exe	29
PID 1632 wrote to memory of 4800	1632	cmd.exe	29
PID 1632 wrote to memory of 4800	1632	cmd.exe	29
PID 1632 wrote to memory of 4924	1632	cmd.exe	28
PID 1632 wrote to memory of 4924	1632	cmd.exe	28
PID 1632 wrote to memory of 4924	1632	cmd.exe	28
PID 1632 wrote to memory of 3464	1632	cmd.exe	30
PID 1632 wrote to memory of 3464	1632	cmd.exe	30
PID 1632 wrote to memory of 3464	1632	cmd.exe	30
PID 1632 wrote to memory of 4348	1632	cmd.exe	32
PID 1632 wrote to memory of 4348	1632	cmd.exe	32
PID 1632 wrote to memory of 4348	1632	cmd.exe	32
PID 1632 wrote to memory of 4116	1632	cmd.exe	33
PID 1632 wrote to memory of 4116	1632	cmd.exe	33
PID 1632 wrote to memory of 4116	1632	cmd.exe	33
PID 1632 wrote to memory of 4100	1632	cmd.exe	49
PID 1632 wrote to memory of 4100	1632	cmd.exe	49
PID 1632 wrote to memory of 4100	1632	cmd.exe	49
PID 1632 wrote to memory of 3960	1632	cmd.exe	46
PID 1632 wrote to memory of 3960	1632	cmd.exe	46
PID 1632 wrote to memory of 3960	1632	cmd.exe	46
PID 1632 wrote to memory of 672	1632	cmd.exe	48
PID 1632 wrote to memory of 672	1632	cmd.exe	48
PID 1632 wrote to memory of 672	1632	cmd.exe	48
PID 1632 wrote to memory of 3248	1632	cmd.exe	47

C:\Users\Admin\AppData\Local\Temp\3f2ff530e022aa423b1d41f0ca3b59e1.exe
"C:\Users\Admin\AppData\Local\Temp\3f2ff530e022aa423b1d41f0ca3b59e1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c cd SmitfraudFix && SmitfraudFix.cmd
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\SysWOW64\find.exe
    find /i "NTFS"
    3⤵
    PID:3960
- - C:\Windows\SysWOW64\find.exe
    find /i "FAT32"
    3⤵
    PID:3248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type tmp.txt "
    3⤵
    PID:672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type tmp.txt "
    3⤵
    PID:4100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" VER"
1⤵
PID:4504

C:\Windows\SysWOW64\find.exe
find "Version 6.0"
1⤵
PID:4924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" VER"
1⤵
PID:4800

C:\Windows\SysWOW64\cscript.exe
cscript //I //nologo GetPaths.vbs
1⤵
PID:3464

C:\Windows\SysWOW64\find.exe
find "Version 5.2.3790"
1⤵
PID:2784

C:\Windows\SysWOW64\chkntfs.exe
chkntfs C:
1⤵
- Enumerates system info in registry
PID:4348

C:\Windows\SysWOW64\find.exe
find /V "C:"
1⤵
PID:4116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" VER"
1⤵
PID:5068

C:\Windows\SysWOW64\find.exe
find "Windows 2000"
1⤵
PID:3632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" VER"
1⤵
PID:1092

C:\Windows\SysWOW64\find.exe
find "Windows XP"
1⤵
PID:2188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" VER"
1⤵
PID:1404

C:\Windows\SysWOW64\find.exe
find "Windows Millennium"
1⤵
PID:3300

C:\Windows\SysWOW64\find.exe
find "Windows 98"
1⤵
PID:3380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" VER"
1⤵
PID:3260

C:\Windows\SysWOW64\find.exe
find "Windows 95"
1⤵
PID:1992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" VER"
1⤵
PID:3288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SmitfraudFix\GetPaths.vbs

Filesize
2KB

MD5
59c575913028340cb6328455fbc53276

SHA1
8ba2bc9ee342fb5992e24eb6434b75b253fa24b2

SHA256
d340a5091a3c9ec8b559e51aea1f46478acbc6c1ad805341263b4eace6f4479a

SHA512
e9984a76b0272e7d90ccb2382679305f9b869f73e6a27728be903a4f053e1c025ca1263f7484b53beff70b5838ec3bf088106411f8f3ea9c8e1af3b193db1435

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmitfraudFix\Process.exe

Filesize
52KB

MD5
7397f6ee4a9601a123b645c0cd428017

SHA1
890368473ecbc404dcd42ff0c6c38397102f59c0

SHA256
5aaf73ef89f0efab963abb170bc9b7cd7d4d5bd7a691cd83137b4cc39cd120de

SHA512
8c9f85b64d8c1c43a11e654609d357fffdada311422cc02e5efbf1243b4d35fc20f4a58b1a663f85717d8a626c3db8f59af62d7044ed02974cd3d2b107f08784

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmitfraudFix\SetPaths.bat

Filesize
350B

MD5
3f19b715686abfb0f2b0019631e4f790

SHA1
5ef320067b92d063e0b55d3d2eeda3c6276e2fae

SHA256
05547662cb090e49aae1718b8c59fe51aebf57db7d12b58a450005a670f1597c

SHA512
20a0f8cc6147de9b2c4f818993925cf2b080f4db058b9bb204694656baa5b934a88fe0b2541c7a07c46d6ea32cf39e8b4618fc9cfc10ae5f1d850eabf5040035

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmitfraudFix\SmitfraudFix.cmd

Filesize
411KB

MD5
cfaba92bbca33c8853835c35a9c64e2d

SHA1
0bbac8b1e761eafac9f9f620aa5d3b12b8543ffb

SHA256
0c741ae3aada03f0526cf532f5c5fbf5e1601d07bfe8ce2d0856757fc79fb4e6

SHA512
6865c49840cde5b1f85adba9e2c0788a9566288eb951dc93dba3e8e82f50fd58dcf552b789536122ecf90138a0c17e96466bde3be3bd1bd3b8f12e8c1f5fd08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmitfraudFix\SrchSTS.exe

Filesize
94KB

MD5
922f03981fcf785f2325b6aa22ea73a4

SHA1
1b43f22b9b3abd80e45df9deb4573e931f845cdf

SHA256
b7ed32c9ed2dcf6f7308b2fe325d06c329a4b9d218e6125b7164749df0ed6195

SHA512
8ff83b97de0f8822571a5269ae924e703bf0624ddddaae6e9249eee612fee09ed64ec6065795f70b0c88ccb2c733a55b73f5e122d5b997812e6a38ebfcce0985

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmitfraudFix\dumphive.exe

Filesize
50KB

MD5
21868b2d22c726d94d98f15825d4134b

SHA1
b8ecd21f17fdd3845e0eb3c52496a1353a856523

SHA256
4a0202e069e3c1029ecb1f72639a7e35ccca28e1a81a7ca08d5f9206b4dc9363

SHA512
a9de3cab356ed8db4ebd2e85dcc750cd5407bc2ba71485ebf0caca030997a73e60b0006922d1e1cec434ca41e2b4dfcf98a0703098eaa5182f1b68860601a460

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmitfraudFix\swreg.exe

Filesize
132KB

MD5
e417d888fdde9a2290c369c82a7aec3e

SHA1
54a6acf7ed038afc6a632ccd568c17fc31eac00e

SHA256
668232d0976e87f30bcfe1a52b17c96702eef3028fe05ef6263596ff9c80279b

SHA512
6b5c490537adc038ff0e1fc60ef566e93a1b3aebc39b60bef1a9f01ff4fd3e9e842f84310ae67c3556ab1fb12d8e80324c723b6b37ee45926937694b3f349ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmitfraudFix\swsc.exe

Filesize
40KB

MD5
c16b1595e3c2ffc875ef28bf66ec557f

SHA1
4da6d047e81fd13e0cfa4e390b85d35f9a136887

SHA256
6842347ad8ace0a204827a39084b1d78c224db9a20f8d9c10c09808cda85dc70

SHA512
148b650d1ccf97ed962d265e483e5000060c1bd4ec37aa542a2af8a2398a54dc86d51e51363beedec51d58d118434b21fa59ed32c3ba1c402e1b5587b3545bd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmitfraudFix\swxcacls.exe

Filesize
77KB

MD5
ef5dc4cf7c39cfb4653859878c14d86c

SHA1
82ab38d121c5d6ccce79d0e63bf51604cd3c9fd6

SHA256
dd9784c35e6e1d0e12b7b8c1fd9b9b287848eacb541d736f5d850ba286bd3f47

SHA512
a8b74ccb30fccd7ea3e9749ad31039b771491bc2e0cfcfa6ea01a4a48f25e6eed8f7d32b99ffc4be517f425c3e4183ad25466cee55f7b34d0448c78394ffa4cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmitfraudFix\tmp.txt

Filesize
38B

MD5
373f3c9db458420f57eca4ad06fa5392

SHA1
7b25146bfc867b77ee455bf07cce61fb1c505ab3

SHA256
58608d8c6f07e333357178ef8730e294f4639f80033239a84113b66044e32e56

SHA512
372f4b47435b70da860f400cf48132c4ed1f75b9c8b31c66fb515cd47602c7247db32ae2303ee202c0609dad6c1e3cbd4f66c162294b0d1e1715d11360b75f15

Download Submit
memory/1284-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1284-25-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads