8e2e630a5c2db04ebfe5bf38bd4521036bd46ce61d80218a9e966e01723c61e7

Analysis

max time kernel
142s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08/01/2024, 21:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4c86557942337f53a8daa62410618f05.exe
Size

701KB
MD5

4c86557942337f53a8daa62410618f05
SHA1

b083906d7cdefb878d8b920519d3db45b7f1b7e1
SHA256

8e2e630a5c2db04ebfe5bf38bd4521036bd46ce61d80218a9e966e01723c61e7
SHA512

e23af7463e8c35583fc916e4f2a48e8de1658910aa02c08dd0b7e8b5ca7adb5c7027a0c20305005ec16c2dfb4b771b87eb2c915110f6b136a076e1cb2b7a89bc
SSDEEP

12288:mAmCPIqDEXTzxO4t1+cv/RBlQ91p52xA3l7WGp/xnRaSoYCo6aOOpuTtUdiHE7tX:mAFFDERO4tccHRBSb2xmiGpnfCo1Iaof

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	4c86557942337f53a8daa62410618f05.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3500	b2e.exe
4540	VTC.EXE

Loads dropped DLL 6 IoCs

pid	Process
4540	VTC.EXE
4540	VTC.EXE
4540	VTC.EXE
4540	VTC.EXE
4540	VTC.EXE
4540	VTC.EXE

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3784-0-0x0000000000400000-0x000000000061B000-memory.dmp	upx
behavioral2/memory/3784-9-0x0000000000400000-0x000000000061B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3604	ipconfig.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3784 wrote to memory of 3500	3784	4c86557942337f53a8daa62410618f05.exe	91
PID 3784 wrote to memory of 3500	3784	4c86557942337f53a8daa62410618f05.exe	91
PID 3784 wrote to memory of 3500	3784	4c86557942337f53a8daa62410618f05.exe	91
PID 3500 wrote to memory of 1812	3500	b2e.exe	93
PID 3500 wrote to memory of 1812	3500	b2e.exe	93
PID 3500 wrote to memory of 1812	3500	b2e.exe	93
PID 1812 wrote to memory of 3204	1812	cmd.exe	95
PID 1812 wrote to memory of 3204	1812	cmd.exe	95
PID 1812 wrote to memory of 3204	1812	cmd.exe	95
PID 3204 wrote to memory of 3604	3204	cmd.exe	99
PID 3204 wrote to memory of 3604	3204	cmd.exe	99
PID 3204 wrote to memory of 3604	3204	cmd.exe	99
PID 3204 wrote to memory of 1408	3204	cmd.exe	98
PID 3204 wrote to memory of 1408	3204	cmd.exe	98
PID 3204 wrote to memory of 1408	3204	cmd.exe	98
PID 1812 wrote to memory of 2784	1812	cmd.exe	97
PID 1812 wrote to memory of 2784	1812	cmd.exe	97
PID 1812 wrote to memory of 2784	1812	cmd.exe	97
PID 1812 wrote to memory of 4540	1812	cmd.exe	96
PID 1812 wrote to memory of 4540	1812	cmd.exe	96
PID 1812 wrote to memory of 4540	1812	cmd.exe	96
PID 3500 wrote to memory of 4448	3500	b2e.exe	102
PID 3500 wrote to memory of 4448	3500	b2e.exe	102
PID 3500 wrote to memory of 4448	3500	b2e.exe	102

C:\Users\Admin\AppData\Local\Temp\4c86557942337f53a8daa62410618f05.exe
"C:\Users\Admin\AppData\Local\Temp\4c86557942337f53a8daa62410618f05.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3784
- C:\Users\Admin\AppData\Local\Temp\9635.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9635.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9635.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\4c86557942337f53a8daa62410618f05.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A122.tmp\batfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ipconfig | find "IPv4 Address"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3204
    - - C:\Windows\SysWOW64\find.exe
        
        find "IPv4 Address"
        5⤵
        
        PID:1408
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig
        5⤵
        Gathers network information
        
        PID:3604
  - - C:\Users\Admin\AppData\Local\Temp\VTC.EXE
      vtc -pass VoipSwitchCompany -tunnel_server_ip_address ready2call.info:1805 -window 0 -dummy_sip_signalling_ip_address 10.127.0.187:6310
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c echo IPv4 Address. . . . . . . . . . . : 10.127.0.187
      4⤵
      PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
    3⤵
    PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9635.tmp\b2e.exe

Filesize
86KB

MD5
63cf0d8db98cb6900704732b55d68ed6

SHA1
3d1fc9eef1cc349703cc0e336899d8517e9620a3

SHA256
dd5d49021d4d50bbb789564bd26ffc509c714206114b5a3380460e18555c6426

SHA512
4cb8905a4042b189496bf83e0a6f80100ac99d11384bbb9ceda98ae4488ede175bcbf180834d936b46f24b6d5dee32e05a76e23015859778d7b5e440ac201d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\9635.tmp\b2e.exe

Filesize
57KB

MD5
ecf393760ab8578581784680baa05386

SHA1
0491bd73abb58e91a71a045e3fffe8d73c753287

SHA256
5bc4feef7600afe63e188723a5ca79197c3cffbd944baf931d4648a686a646a2

SHA512
3ccad445476ee2a3c68d75d332dca50922423173831ebd19f855f82c8c81cec377c7f0eb912546344d7fd1da9408e9d42840ffa3d13a90816fd14ef608272820

Download Submit
C:\Users\Admin\AppData\Local\Temp\9635.tmp\b2e.exe

Filesize
147KB

MD5
5e4c3f91c134424ab4cd5e18a67fa238

SHA1
65fce23478e754be0944779f2037bb3671a907a7

SHA256
c12b7b07a00ab7444d777af39e64817a284e04d02a9312028f4726cfb06f82f5

SHA512
c257102967e93d97fd3c7b25c22a035360521fc3a3a4895b9fe4c99023a377297041e39f2d42f31311ae4cc8d2327c262d1c633bb4c3cb35ca817104a682a7ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\A122.tmp\batfile.bat

Filesize
384B

MD5
775ce5d8e56cc3162b02c937e99b761a

SHA1
03e320d128242879ea085d0615547283fa0976ce

SHA256
eb47fb2e643b38f36d4cd394a892d8e8c2e3944c7aac526df83348a4253d1b66

SHA512
57cf397c07bfca5f1c31b0f13e88d0d824429cfcd0614532897173bacd14ab292133e372214576977bfe541d1d764a525e00e0f11f84212fab152c0f325dbfe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ATL71.DLL

Filesize
87KB

MD5
8f2097e8b174f38178570c611464935f

SHA1
86476819229f4bf00f32e5f0969e19c5b61d1b2a

SHA256
3f25e7b097b65eaf82a6d5b58646dff38ca19347664f40c2b8a409b9d6939457

SHA512
85f60b00b4d2e7d5047d4d0f1b834c23073797fcaea0e14161baac9a7ec719d79782a17ba6aa8da55b933c89b3d94c89696da194c3cf7170c746c8bab7e38904

Download Submit
C:\Users\Admin\AppData\Local\Temp\ATL71.DLL

Filesize
59KB

MD5
d2d37dfaf232ef99d15fce0f4465e3da

SHA1
14bc11392c4a4d3fbeffe9711ed9acc109ee3643

SHA256
1c247e23aab2b4614554f8587836dfca4a9082d14483b35142d5ebccac09ced2

SHA512
e35d36f6b27cacffbe0e3effe1336db5dd6c4844f9f9bdd96b6136585911b38346a44fc2d8c44a23793a782e57ece70283af4491de68ab72a13635fbb52f9402

Download Submit
C:\Users\Admin\AppData\Local\Temp\DBGHELP.DLL

Filesize
5KB

MD5
58976176ecd0d2f0ee88a089d14ab1b9

SHA1
0f42ff6f6a7322abb28362b7a5656833310c97df

SHA256
47a3e13e1af723694198efd966f6dcbab6d7812bbf4bc5bc439d6b9915431ba4

SHA512
33385e880c0322ea2f10164eedcb2b034152b881ad9019cd1805da4b76e673f81612d09771a619216928b688bcbbe5c9c98dd7b2726b9e8b3a8a98fb293784e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSVCP71.DLL

Filesize
6KB

MD5
1e66c1d0741375feca400c752fcc91af

SHA1
730dd357eb405972cb4b39862e21c60374fe77cf

SHA256
1790f7fb4f57c0e65829c073e9de3c0775e13fd14b901ec6dfbd10babb26bc83

SHA512
1c185ad6f974a919e94b93273c78c7f01bffec09dcf6d4334d7c24b1ad360004ce237e4a7df953544e87f18cf459b51fc70e527d3d796ac86eb92b3b2f663c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSVCP71.dll

Filesize
5KB

MD5
961dafec50a0a466035e48c9bec5bbfc

SHA1
c38ba9e903417699bf4f7f1d00f1fde3ac3987be

SHA256
5d62873725c5ece88f52103db5f69dc2e1632d4ef66f3c7d78a441e9e0166735

SHA512
16e8c39afdeabcdea70f2c4cbb1fb5a1f7aa73f52fc26dcf42fc966aa0b1e3c2de5e2ad8c87e34eac7b76d2d48a5414f410a4ca0e4e9dbb3cab22bd5f253846e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSVCR71.DLL

Filesize
51KB

MD5
132b3b5204a606c612fef5cb9f8808ce

SHA1
28df32ed7e41521af60a842d5f7bcf9c99bbdcf1

SHA256
b2381f478f7fe962aa67cb794b6171f1138ad58043bd0bb06cb16e41d0abfe35

SHA512
583a857863b676727d0cb34c09dbee082fce06b09576e4d7e976c10ec4580e986214e3ecdc2fcca73389869e498436ff968f9b664587449dacdd6d98e099adc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSVCR71.DLL

Filesize
91KB

MD5
fdb49b46e2c82745f9a3abcafde3f8c5

SHA1
522424cfb246cfb2a5d6b83fa616d256b8879fae

SHA256
ac70e7a822f4709dc9dbd6557d5986f93feb0cfadb8cf106e0f5da3260072156

SHA512
e7b0a54dbfa292f61f1eab4227d336f4d8eebfcabe7eb08a735e2b60390ef67f6140f05f0809b720598a9f2262b76a746e96e77eed9b7a6c02caa368cc112590

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSVCR71.dll

Filesize
283KB

MD5
54eb403b2ceeb204fb7c58643351cc1a

SHA1
269902cc1eb6583f9370092e35ec33cef18f7d0e

SHA256
fc346f573e8637d0d2412b3e9afd7f554ebfc92532bd629948e1380fed682dbf

SHA512
f05790e26acb385581dddedab5a774b6a32c1e73ce284f9a99c0ba43bd3c8d746dcc4491623a8881a79d42c30aa4f2233dccd39e87d0f6c5ba6978b843e66199

Download Submit
C:\Users\Admin\AppData\Local\Temp\VTC.EXE

Filesize
61KB

MD5
a30a1f6eab0e93bf6795728c3b7e890f

SHA1
d96811b7fb61c0cdbc41576ffbbc7d5c3632ad48

SHA256
d5383121f4e2924e720e2d38223ea811a76d8a0d60e7b9763aff43fb3801c82e

SHA512
6e4cae520d23c304c0a700d97309e94414764f2df867632581335f17d6c85668186264612ed1e6bc34d57e7abb36cf44319b4080e61f48164d02821aeaff49d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\VTC.EXE

Filesize
163KB

MD5
a5d9f45657779f3fdc717c5211093273

SHA1
ccc07ce493ded97558cd16a8f885d0263c4b2261

SHA256
0989e4fa65c2f1aab021a8dad78457a150f0f74f51e2707592d471638159f8b5

SHA512
a28a5967f142dc0cb32f33d386b1a7e26f48f7b18d25ecee9576d79914272a3a96e9847ca65a8cbbb6a0962be645594c658a13720ef0b8e77e0a3edeeb175469

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZLIB.DLL

Filesize
52KB

MD5
87eddceb9d22c129e386e652c5cda521

SHA1
0447ff30dfe7a5234624ea21a6947e88f6e80054

SHA256
792d768258eddaec86d9263e51ff64ee6f0bed2f28205f535ee150e94f8d6a2b

SHA512
83ae55dde165165b8001463cb3c4b3713ddc5108a68af5289055bdb10b2c10f1338e2eb6337703edc299e375f9c9f04e757d92eee535994ab61c841e2dff78ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
1KB

MD5
62b67d137f65915c7b370656c241ec84

SHA1
ece876569c1aea4c8e49257ed978343218b29178

SHA256
c50dd26f425cb4316e45cc1842dd0361727c4c2d2bc0cad258c1e9474a4b42ad

SHA512
4825851fad28a3a6b47a8c87b6ff677515fab8b33cba283ecf6a0853401d888b1c4af317e0563034784511b8ce59730a3b77f6d967299fdbec2fb39c3a23abab

Download Submit
C:\Users\Admin\AppData\Local\Temp\selfdel0.bat

Filesize
158B

MD5
8f81fd84c916482b8aa65c9836ed6bf2

SHA1
6030b9c8020550271e41bb86d57c4d79c8bee56f

SHA256
e9fa6d873721dc3705b461e480d6802816097c8bf2bc8564752fc7881a54f242

SHA512
e54ad10a74a40ce8755c49359641fe846d01e47499d929210a7fad409dceca056bd4a513dd376719d7379c8d6fc0d0f0f4c883f7d1bf8c18db87cddaf4c331a6

Download Submit
memory/3500-10-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3500-39-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3784-9-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/3784-0-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/4540-35-0x00000000005E0000-0x0000000000607000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads