6b604235eafe60490fce7854ae5391b2e0e3157e9db42262a92e4573c8b4e657

Analysis

max time kernel
151s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2024, 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5803d10dba05acbc6c83bdc63a991933.exe
Size

321KB
MD5

5803d10dba05acbc6c83bdc63a991933
SHA1

1fda4366dac7efc1b2604a08871a418a0be47f21
SHA256

6b604235eafe60490fce7854ae5391b2e0e3157e9db42262a92e4573c8b4e657
SHA512

f65e1d16bd849c32689c3d5857bdc63315ce0df64c913569cf2ba894eddc3d256561b00992338b8cdf58116be2f820f716263f8b3461104f54142229660eea98
SSDEEP

6144:36YajbofxCvXQhHLwiVwkI4aZoOg43LiyIlm0kz2taotsoeOXXKx:xWPu8ibI4aSOg4O1taotsoeOXXKx

Score

7^/10

persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	rinst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	5803d10dba05acbc6c83bdc63a991933.exe

Executes dropped EXE 3 IoCs

pid	Process
3208	rinst.exe
3860	Lagger.exe
1664	spk.exe

Loads dropped DLL 3 IoCs

pid	Process
1664	spk.exe
3860	Lagger.exe
4720	5803d10dba05acbc6c83bdc63a991933.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000002314c-14.dat	upx
behavioral2/memory/3208-18-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/files/0x000600000002314b-21.dat	upx
behavioral2/memory/3860-29-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/files/0x0006000000023150-33.dat	upx
behavioral2/memory/1664-34-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral2/memory/3208-36-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/memory/3860-48-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/1664-49-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral2/memory/1664-51-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral2/memory/1664-52-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral2/memory/1664-54-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral2/memory/1664-56-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral2/memory/1664-58-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral2/memory/1664-60-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral2/memory/1664-62-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral2/memory/1664-64-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral2/memory/1664-66-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral2/memory/1664-68-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral2/memory/1664-70-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral2/memory/1664-72-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral2/memory/1664-74-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral2/memory/1664-76-0x0000000000400000-0x0000000000483000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spk = "C:\\Windows\\SysWOW64\\spk.exe"	spk.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\pk.bin	rinst.exe
File created	C:\Windows\SysWOW64\spk.exe	rinst.exe
File created	C:\Windows\SysWOW64\spkhk.dll	rinst.exe
File created	C:\Windows\SysWOW64\inst.dat	rinst.exe
File created	C:\Windows\SysWOW64\rinst.exe	rinst.exe
File opened for modification	C:\Windows\SysWOW64\pk.bin	spk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1664	spk.exe
1664	spk.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe
1664	spk.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 3208	4720	5803d10dba05acbc6c83bdc63a991933.exe	91
PID 4720 wrote to memory of 3208	4720	5803d10dba05acbc6c83bdc63a991933.exe	91
PID 4720 wrote to memory of 3208	4720	5803d10dba05acbc6c83bdc63a991933.exe	91
PID 3208 wrote to memory of 3860	3208	rinst.exe	92
PID 3208 wrote to memory of 3860	3208	rinst.exe	92
PID 3208 wrote to memory of 3860	3208	rinst.exe	92
PID 3208 wrote to memory of 1664	3208	rinst.exe	93
PID 3208 wrote to memory of 1664	3208	rinst.exe	93
PID 3208 wrote to memory of 1664	3208	rinst.exe	93

C:\Users\Admin\AppData\Local\Temp\5803d10dba05acbc6c83bdc63a991933.exe
"C:\Users\Admin\AppData\Local\Temp\5803d10dba05acbc6c83bdc63a991933.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3208
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Lagger.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Lagger.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3860
- - C:\Windows\SysWOW64\spk.exe
    C:\Windows\system32\spk.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Lagger.exe

Filesize
36KB

MD5
3a77583b727102f607a09887b8ec63f8

SHA1
b0c49f6ec5804d2901b4cb2153d9a792b2313ff6

SHA256
a998e6006c6a2b8115c237df5e372c161d5bb5520f33706c8aa8b9cdad1811ca

SHA512
d55c44bb119cbedc99546d5d2b1da9b53cc1feff1ff74327f2badb698b165465f95a0e569e9d069375061a965aa2eb96ed7ca3e52e24364d0c2a9e6625f902c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat

Filesize
964B

MD5
6e8a97a13a5354287695a8c3557444a4

SHA1
3549d293aaef82428edc4e6c7ff3a92119286722

SHA256
ba78732a606c9b738bcaeba437f185fe89111d7da2f476b87094d516b415ef3e

SHA512
814f5fa13e8cdf215c4d3a07b566fa4b9fcb95dd7ccb480ea0e515b9ca2e297e77a581d9980c0817ed5b3106613204b58deda46adccfd138f0a91768a827bade

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin

Filesize
3KB

MD5
321f3d62e732b5af058577db2963ae78

SHA1
7fd4546ffdacd2c3672623ae460019c74b86d5a2

SHA256
f5c9b6f55bd437cd94e340f7b01e1a3a4f03321f73b7d7bb4a9821db6ca0de40

SHA512
1660ff45166d476336c4c662850579e773c38764feb2d68a9898a60a9849611cd7cc7d28d07bb1b7d169307a683831b38b2f3624bab27a3036779ace5509f030

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
7KB

MD5
24f3e464fef5452377b580f3c087304d

SHA1
9ce0c9babc8b2a23d31aa24aad5fef8a763b3484

SHA256
0abb07381e293e021b8d2e185feffdc9a66addf503561ad71576b1ee924d8d6a

SHA512
45caa8ce639e9248821c72268db83a43c6de7b1be3eec4823e19ff4f31b5da5f8c353854bba392980391cbdb69acbe0c546e531e7950dcd8fdbfd67ae74d458e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\spk.exe

Filesize
213KB

MD5
a392b38b05fda8a4c43283eb6a78fcc1

SHA1
ed9b6ed983bd6706e5af7833c7a42f389970aebe

SHA256
112b017583aa7f61ed5c651c304bb6d22948dcd93f2d1a09d648c76bc4c6a492

SHA512
c4969978d8bec385ba5614ee6ca92b0e427ea7a766d296ee7a5bd3f739cdda17876ab9f87089e98359b5e81b804d68c13800008853ab9fec4f093c8e85155d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\spkhk.dll

Filesize
19KB

MD5
22193f3140cf0ad1adf6461c00e337c4

SHA1
29e2746738a4c82b05291ed0f7b306c02660f2fb

SHA256
f78c156a8a76fb11c479fcbe94a7a599812c34ce71ddea5ed4d0cc9c8f42a690

SHA512
9b05d3e91dacd93355adfb92271e67535f1fd7e7211f9c2c7bf1c1030aab235447b16a5e6f01659812f353bce56ec0bd610a9bc960b8a6ae81577c93c5a26170

Download Submit
C:\Windows\SysWOW64\pk.bin

Filesize
3KB

MD5
d2df04d0189de76ab5922edaa7122e4d

SHA1
70cf07378dc4aa1eeeb5fefd25df14e97166f8fb

SHA256
91d3affb4ce756b39f3a3a7c32ddda60f235773bf8f9f1b3dfc228ad10666128

SHA512
0c348f587e5d15885995e994e85d357e8e444ad815b369b845bf9aa8333be5ab040565d3948011794c9c444e717b0b93531c3ec13ecab7588220d1aca8fbb7a8

Download Submit
C:\Windows\SysWOW64\spk.exe

Filesize
213KB

MD5
d0572ddefa42687cf903a123500faf20

SHA1
f154692f339a4d4d24257e57afdb85d2466c88c7

SHA256
d506c74a96796a530f974a7e2337707e9da18f201e12f2539ecf12f4dd098221

SHA512
e594b07f5d1a9b03f9878db333aa85fae79e9b9e840c093b23c97840b25a062969deb5baa312dabd979c32a363c6a37c7fbe661135b7766fc0e26ad9cf1296f5

Download Submit
C:\Windows\SysWOW64\spkhk.dll

Filesize
19KB

MD5
09e08e10336e8652ae19ade8f18c3893

SHA1
7bdb749cbb45a1532d00ef08426a667dc11b7d0b

SHA256
72a81a5179271a1f7a7da748ef5e2b53edc955efff690126f50856dd2befc65b

SHA512
248b10a00890dd7624446749263adac9c6674b25b433b10153fdd47e018734bd97705e50aba1813759ba622242e4f1a840038e6028dfd46c89319f9f2b7b7752

Download Submit
memory/1664-58-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1664-66-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1664-34-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1664-76-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1664-74-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1664-72-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1664-70-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1664-49-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1664-51-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1664-52-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1664-54-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1664-56-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1664-68-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1664-60-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1664-62-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1664-64-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3208-36-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3208-18-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3860-48-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3860-29-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4720-47-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4720-45-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads