bacf1ae72d809382dc9ceba302a3f1fc91542620767e9d34e5caab2a2619e133

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2024 05:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c476b47ecc73dbd3412c5d37676f6f9.exe
Size

2.5MB
MD5

5c476b47ecc73dbd3412c5d37676f6f9
SHA1

5c5bb58226cc903fb5b230d2fe0359f017dd1772
SHA256

bacf1ae72d809382dc9ceba302a3f1fc91542620767e9d34e5caab2a2619e133
SHA512

f713ee497720206a33880186fef7eec169911b258c052b7b9e0e4b3a9f259e0ed4ebf4f4249449b7068870ea167fb5558287c88136a9bdd6a1655e98fec76f1a
SSDEEP

49152:j0Ii8g9VPJlLQBkK8q3ws6krWiSERpTT8TnrKPMaU9R0Q02p+4:wIi8g9BMBLVWixrsTOvIJ

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	5c476b47ecc73dbd3412c5d37676f6f9.exe

Executes dropped EXE 1 IoCs

pid	Process
1488	TeamViewer_.exe

Loads dropped DLL 9 IoCs

pid	Process
1488	TeamViewer_.exe
1488	TeamViewer_.exe
1488	TeamViewer_.exe
1488	TeamViewer_.exe
1488	TeamViewer_.exe
1488	TeamViewer_.exe
1488	TeamViewer_.exe
1488	TeamViewer_.exe
1488	TeamViewer_.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2144-0-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000600000002322f-6.dat	upx
behavioral2/files/0x000600000002322f-8.dat	upx
behavioral2/memory/2144-11-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/1488-10-0x0000000000400000-0x0000000000449000-memory.dmp	upx
behavioral2/files/0x000600000002322f-9.dat	upx
behavioral2/memory/1488-231-0x0000000000400000-0x0000000000449000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 1488	2144	5c476b47ecc73dbd3412c5d37676f6f9.exe	24
PID 2144 wrote to memory of 1488	2144	5c476b47ecc73dbd3412c5d37676f6f9.exe	24
PID 2144 wrote to memory of 1488	2144	5c476b47ecc73dbd3412c5d37676f6f9.exe	24

C:\Users\Admin\AppData\Local\Temp\5c476b47ecc73dbd3412c5d37676f6f9.exe
"C:\Users\Admin\AppData\Local\Temp\5c476b47ecc73dbd3412c5d37676f6f9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Users\Admin\temp\TeamViewer\Version5\TeamViewer_.exe
  "C:\Users\Admin\temp\TeamViewer\Version5\TeamViewer_.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsx4CF9.tmp\InstallOptions.dll

Filesize
14KB

MD5
0dc0cc7a6d9db685bf05a7e5f3ea4781

SHA1
5d8b6268eeec9d8d904bc9d988a4b588b392213f

SHA256
8e287326f1cdd5ef2dcd7a72537c68cbe4299ceb1f820707c5820f3aa6d8206c

SHA512
814dd17ebb434f4a3356f716c783ab7f569f9ee34ce5274fa50392526925f044798f8006198ac7afe3d1c2ca83a2ca8c472ca53fec5f12bbfbbe0707abacd6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx4CF9.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx4CF9.tmp\TvGetVersion.dll

Filesize
13KB

MD5
eb062eb8b2c498c03b1542ccde87ad90

SHA1
44432fa3d16baa6bd5243fab7187204d4c0a2166

SHA256
81888a1166ae594aef28084d00c5d59e899e8f0b6bc632f99df08fba3ad77c3b

SHA512
e21af0d46cb71ecbe764915fc9ef67ebbe3c0dd428b4816adb7e966aafb761aa72248a21392236bf4ce068be855e9a43f3ccf96db612edef3cb17e1a10afe4e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx4CF9.tmp\UserInfo.dll

Filesize
4KB

MD5
1e8e11f465afdabe97f529705786b368

SHA1
ea42bed65df6618c5f5648567d81f3935e70a2a0

SHA256
7d099352c82612ab27ddfd7310c1aa049b58128fb04ea6ea55816a40a6f6487b

SHA512
16566a8c1738e26962139aae893629098dc759e4ac87df3e8eb9819df4e0e422421836bb1e4240377e00fb2f4408ce40f40eee413d0f6dd2f3a4e27a52d49a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx4CF9.tmp\environment.ini

Filesize
661B

MD5
d49491c7ba7bd565e1b8ff473cd84c8e

SHA1
2522272cf01af17f8ace15a29759f7629ebdc94e

SHA256
0be1c22c6f540d98cd55d7f434f57aedffc67a19df4e4957f75eb034a7b3d9bb

SHA512
2207da44794bd8b8ed1161a0a1990d13824c91b651711d20fbd14769f898a95168884e217f24465b309901215961f3bcb287214b61c5ce2fbc020e8e21cb7b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx4CF9.tmp\host.ini

Filesize
975B

MD5
69a491a30f8fd22d3210847d54274a19

SHA1
7e19eb2b1424bb487708f91001d0a001e214ebb8

SHA256
49a8ab22496032d8286c7fa71d1e5fc3f13079572d45e4140d1b24be57202b53

SHA512
4ac8b38c91eb466cc31e8256cd7a59bf10ff088a3ff233510277be969134c7da2c784fb1254323c2a3e502d2daa98561c160d321a153914b65f97c6bec79207b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx4CF9.tmp\start.ini

Filesize
1005B

MD5
92487369ffa28032b646e3b48ccfbeb1

SHA1
d960fd243ce583aece2062dcab543718c87b2537

SHA256
72bd5bf129b8efca3f523a90828b504ddaf94d1179359cd8d6df6be89e98e981

SHA512
ba690028d8e2ec9d85d38f51739c75b36196d9a2e8d1a68a26df70d85e9a676094104102d25e65aa73c995d76c276e45e4865ce0ab9cdfd2e0d34d69f09aee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx4CF9.tmp\start.ini

Filesize
983B

MD5
cc38fe264db13629dbac09fb999f4f7f

SHA1
51db7d5f9fa53ae98856575b55c4d69ee0cfc6b0

SHA256
0ebbe20b46d7cb70a57c730bf65f73c219c03a0bcffc36fa7a4adefd2623141d

SHA512
fbb4ef383b4a4b18f0fac1dede037213ffd16f8bd9a98e4d326817953b2b2ce577f4a5696cddbbf4a84a595cf1dc85e4b0501cfb988eac909f698789e73033e5

Download Submit
C:\Users\Admin\temp\TeamViewer\Version5\TeamViewer_.exe

Filesize
626KB

MD5
f4070faeb74c8eda456282fdb77c9022

SHA1
cb04937f9959743aae7110045f20f9cbbeab948f

SHA256
c16d385cfbf783a6be690652985afe23987a0857a7d72fb30d8c3ee4d366f9c9

SHA512
458824cf3ddd7aa11c2f618bab5f286e43c018c4ab47b215c17f9243f66a6834bc40b670c41a1eb1ffcef206eb3f1997b877ec50b572f07cf27df3a863faf069

Download Submit
C:\Users\Admin\temp\TeamViewer\Version5\TeamViewer_.exe

Filesize
349KB

MD5
79aa55855ee1ef44293a811bcd9eadd6

SHA1
42b710c2ccc6cf0725998ecd3242f0a565f601ed

SHA256
d73fc7177fdf255594d36bff36080993a8b8f76cb22ff7e85c3b14bb5b4ff09b

SHA512
7c086a92eec28bacb658eb3c1591aeedb8a547c9a3354f82b94a32c937995c2d9431722a002d46f10cb3b55d61613bc38146a11c9da2253c3b31ed79d7c6110a

Download Submit
C:\Users\Admin\temp\TeamViewer\Version5\TeamViewer_.exe

Filesize
456KB

MD5
bb078be62937dae9a8198ba91de19eb6

SHA1
d9e533a715cf5fa6051ba50cfa5c532301d6f666

SHA256
efee9903db6f7b036ec9f1f08d03b41b9ca6d52dfa84611690e99408883b4df0

SHA512
2b2871aae8b733f864259ba1a9cfaed71078615abd32295dfa7a21bb6874f258400f847959ea13f2fef444c55fa9c08ef17d29c36924b7d9c3fa02ae48b9717f

Download Submit
memory/1488-10-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1488-231-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2144-11-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2144-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download