6335f77d66c1a6790accc1330930d13f048a81fb6fa319be4921c98cd4843385

Analysis

max time kernel
19s
max time network
20s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64a45bfbf3c98c2d0cf68db310d43fe3.exe
Size

430KB
MD5

64a45bfbf3c98c2d0cf68db310d43fe3
SHA1

184f39f1596a4ad0a2367e12c347597c105fb1a1
SHA256

6335f77d66c1a6790accc1330930d13f048a81fb6fa319be4921c98cd4843385
SHA512

a586ae1075f54e73d72af80dc4ce5f7bba0bfc41ac9b8e516f06a52c0b3b864ca0101cd873614a9d690ed6468c958f3ef90cac28848cc38649b5a7efb2cfb980
SSDEEP

6144:2bNjfc5iaO4ZQAQ7F/jAErjLf9GZv79RsK2crmv4sFKy9ulo11UVmsQsiR/f5s0X:UfcvxZijA43f98gQDy9hKxQsC/G8

Score

7^/10

bootkit evasion persistence trojan upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	64a45bfbf3c98c2d0cf68db310d43fe3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	1EuroP.exe

Executes dropped EXE 7 IoCs

pid	Process
464	cb.exe
2484	1EuroP.exe
4848	IR.exe
3372	2IC.exe
1632	3E4U - Bucks.exe
1028	6tbp.exe
4416	jpposh.exe

Loads dropped DLL 1 IoCs

pid	Process
3000	rundll32.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1632-70-0x00000000005F0000-0x0000000000620000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cregov = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\msowley.dll\",Startup"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\9t4hv84 = "C:\\Users\\Admin\\AppData\\Roaming\\jpposh.exe"	IR.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IR.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\physicaldrive0	2IC.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2072	sc.exe
1536	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4548	1632	WerFault.exe	96

Runs net.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3372	2IC.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4848	IR.exe
4848	IR.exe
4848	IR.exe
1028	6tbp.exe
3000	rundll32.exe
4416	jpposh.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 464	3104	64a45bfbf3c98c2d0cf68db310d43fe3.exe	89
PID 3104 wrote to memory of 464	3104	64a45bfbf3c98c2d0cf68db310d43fe3.exe	89
PID 3104 wrote to memory of 464	3104	64a45bfbf3c98c2d0cf68db310d43fe3.exe	89
PID 3104 wrote to memory of 2484	3104	64a45bfbf3c98c2d0cf68db310d43fe3.exe	93
PID 3104 wrote to memory of 2484	3104	64a45bfbf3c98c2d0cf68db310d43fe3.exe	93
PID 3104 wrote to memory of 2484	3104	64a45bfbf3c98c2d0cf68db310d43fe3.exe	93
PID 3104 wrote to memory of 4848	3104	64a45bfbf3c98c2d0cf68db310d43fe3.exe	94
PID 3104 wrote to memory of 4848	3104	64a45bfbf3c98c2d0cf68db310d43fe3.exe	94
PID 3104 wrote to memory of 4848	3104	64a45bfbf3c98c2d0cf68db310d43fe3.exe	94
PID 3104 wrote to memory of 3372	3104	64a45bfbf3c98c2d0cf68db310d43fe3.exe	95
PID 3104 wrote to memory of 3372	3104	64a45bfbf3c98c2d0cf68db310d43fe3.exe	95
PID 3104 wrote to memory of 3372	3104	64a45bfbf3c98c2d0cf68db310d43fe3.exe	95
PID 3104 wrote to memory of 1632	3104	64a45bfbf3c98c2d0cf68db310d43fe3.exe	96
PID 3104 wrote to memory of 1632	3104	64a45bfbf3c98c2d0cf68db310d43fe3.exe	96
PID 3104 wrote to memory of 1632	3104	64a45bfbf3c98c2d0cf68db310d43fe3.exe	96
PID 3104 wrote to memory of 1028	3104	64a45bfbf3c98c2d0cf68db310d43fe3.exe	97
PID 3104 wrote to memory of 1028	3104	64a45bfbf3c98c2d0cf68db310d43fe3.exe	97
PID 3104 wrote to memory of 1028	3104	64a45bfbf3c98c2d0cf68db310d43fe3.exe	97
PID 1028 wrote to memory of 3000	1028	6tbp.exe	98
PID 1028 wrote to memory of 3000	1028	6tbp.exe	98
PID 1028 wrote to memory of 3000	1028	6tbp.exe	98
PID 2484 wrote to memory of 3368	2484	1EuroP.exe	103
PID 2484 wrote to memory of 3368	2484	1EuroP.exe	103
PID 2484 wrote to memory of 3368	2484	1EuroP.exe	103
PID 4848 wrote to memory of 3688	4848	IR.exe	106
PID 4848 wrote to memory of 3688	4848	IR.exe	106
PID 4848 wrote to memory of 3688	4848	IR.exe	106
PID 4848 wrote to memory of 1536	4848	IR.exe	107
PID 4848 wrote to memory of 1536	4848	IR.exe	107
PID 4848 wrote to memory of 1536	4848	IR.exe	107
PID 4848 wrote to memory of 4592	4848	IR.exe	113
PID 4848 wrote to memory of 4592	4848	IR.exe	113
PID 4848 wrote to memory of 4592	4848	IR.exe	113
PID 4848 wrote to memory of 2072	4848	IR.exe	112
PID 4848 wrote to memory of 2072	4848	IR.exe	112
PID 4848 wrote to memory of 2072	4848	IR.exe	112
PID 4848 wrote to memory of 4416	4848	IR.exe	108
PID 4848 wrote to memory of 4416	4848	IR.exe	108
PID 4848 wrote to memory of 4416	4848	IR.exe	108

C:\Users\Admin\AppData\Local\Temp\64a45bfbf3c98c2d0cf68db310d43fe3.exe
"C:\Users\Admin\AppData\Local\Temp\64a45bfbf3c98c2d0cf68db310d43fe3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Users\Admin\AppData\Local\Temp\nse4596.tmp\cb.exe
  "C:\Users\Admin\AppData\Local\Temp\nse4596.tmp\cb.exe"
  2⤵
  - Executes dropped EXE
  PID:464
- C:\Users\Admin\AppData\Local\Temp\nse4596.tmp\1EuroP.exe
  "C:\Users\Admin\AppData\Local\Temp\nse4596.tmp\1EuroP.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Imb..bat" > nul 2> nul
    3⤵
    PID:3368
- C:\Users\Admin\AppData\Local\Temp\nse4596.tmp\IR.exe
  "C:\Users\Admin\AppData\Local\Temp\nse4596.tmp\IR.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\SysWOW64\net.exe
    net.exe stop "Security Center"
    3⤵
    PID:3688
- - C:\Windows\SysWOW64\sc.exe
    sc config wscsvc start= DISABLED
    3⤵
    - Launches sc.exe
    PID:1536
- - C:\Users\Admin\AppData\Roaming\jpposh.exe
    C:\Users\Admin\AppData\Roaming\jpposh.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4416
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= DISABLED
    3⤵
    - Launches sc.exe
    PID:2072
- - C:\Windows\SysWOW64\net.exe
    net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:4592
- - C:\Windows\SysWOW64\Rundll32.exe
    Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Roaming\mdinstall.inf
    3⤵
    PID:992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\yq4yr18ww.bat
    3⤵
    PID:3780
- C:\Users\Admin\AppData\Local\Temp\nse4596.tmp\2IC.exe
  "C:\Users\Admin\AppData\Local\Temp\nse4596.tmp\2IC.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  PID:3372
- C:\Users\Admin\AppData\Local\Temp\nse4596.tmp\3E4U - Bucks.exe
  "C:\Users\Admin\AppData\Local\Temp\nse4596.tmp\3E4U - Bucks.exe"
  2⤵
  - Executes dropped EXE
  PID:1632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 516
    3⤵
    - Program crash
    PID:4548
- C:\Users\Admin\AppData\Local\Temp\nse4596.tmp\6tbp.exe
  "C:\Users\Admin\AppData\Local\Temp\nse4596.tmp\6tbp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\msowley.dll",Startup
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1632 -ip 1632
1⤵
PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Imb..bat

Filesize
182B

MD5
493b680bc996155f2d10f140892f02cc

SHA1
c39dcbe6421a8bc6b1e2909c5a435f7fb6bf3f9f

SHA256
a15a42e76f245b5ecd3bcd886d5d1dc2b9c1e1502dcbb74a6f161733ef23263c

SHA512
2e312e0487f133fb044fdb25a3c07e9591dc970f1126babf93e6cd397b1e3f09e0c795c4f0f426678e781b61a20d32911cc40718e72789b4f6566f7ea5713af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse4596.tmp\1EuroP.exe

Filesize
161KB

MD5
a929b9e5c88fa243f0709bc26d756bef

SHA1
4c7fbbd380e9b19a62045f0c7d0de9a0322fa152

SHA256
8f4015797e74c3f09e5e1b82ea82b0f7f4b04cf200279832c1f21b3194867cfc

SHA512
b5ae59f4c35e5b5072f0bd1b96a6b9b2b09a4b02966bb9bc3fb0c6b690222dcce2f4500ee71616dfc14a20eaad03494c689e5dd79a4df26c45437b5c864737e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse4596.tmp\2IC.exe

Filesize
190KB

MD5
0f0a92b16bdd824a92013881683553fe

SHA1
12d381bc6aeec8f5fe1c7fb41b3d27af6882fbfd

SHA256
7b2f3151e04927c137d209118d9d4c4d0787f048095321e16ad1f4e85f1ce351

SHA512
2ede90d90a8accaeb0bc96dcc6fb7195bc8ad20dfca8f8cf055b1805c9d141fbe14f94d28f341d052fddb02c75a300eebc3e6ee16de788d7d89716ce23b86822

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse4596.tmp\3E4U - Bucks.exe

Filesize
27KB

MD5
5f6c6b5e491ac60e088adba6dd5791c2

SHA1
292f4b81b3eee53877c672faf540aceeb2fc881f

SHA256
b010d2d5cdee46b1b97b88aa48968ffd34f6e3e382b250c98f2e1a89c950e018

SHA512
59c15d1a3f8d14eb441bb6e187cd91eaa13114afa1d8220aa7d08e259ee28af6bab92258b624d9824944b1776f916b6b551f3c3be982262d28b5330c7ba28252

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse4596.tmp\6tbp.exe

Filesize
112KB

MD5
252e9d457bdf7a4d3172ebd5ff205902

SHA1
1edc4c12e8cbfa6a435bb7511b05764ec9baa09c

SHA256
5e097c8103bcfcfaf83b8a177f8cd444aec9dfd2e4cd8fabfa0e781f2daad5ba

SHA512
368f16541f53cfdfce36e57bf1c9941207e2219f4a14bc925973afde1abf69cf5e08ed7605fd197eee221a8d60155338c67fce8b8dbd9213ab4700bfb6e4a726

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse4596.tmp\IR.exe

Filesize
172KB

MD5
4660d509fe0974dfc49f5666e6b08b25

SHA1
5322df2465114b49faece691ab938a92b482125b

SHA256
babc4ca756de5e0e12747cc57fd32e4d2ff84418e988f14144b64f9838e3c10f

SHA512
f17ab832543efd0b32ab38ffab3af74a36019961a5cf2277255772d06d69c35fcf2821a365b51f1bab2961802a8ee6eaa6e77ab0dcbef151218eaa900f693833

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse4596.tmp\cb.exe

Filesize
3KB

MD5
46e07fd3a40760fda18cf6b4fc691742

SHA1
53ee1a754bf5e94fa88a6ab8bb6120b4011afcfa

SHA256
bd7ca609d2fb63e14d08acab1091579c23e298b4fa2ac1e8d2daaff94fc107be

SHA512
ce13f6527cbd13002dca00b71ab38ab12e3f3f7138ada0780ad3f40e7c49946c018a00782ec957b1fd123fb439aabc0d9b3660829dabf10ddcebba08d6e2fbbd

Download Submit
C:\Users\Admin\AppData\Local\msowley.dll

Filesize
104KB

MD5
8754af6520746f4a216c2e672098d03f

SHA1
632e9699879f560b19424d003bf0f9d707fda501

SHA256
e570e7c36d9bd31fc683aa36a83aa54f7cda9ed75c77d9027f3b27a31ffe586c

SHA512
5e8c8ec1f13ea72f60131f82df5e46f7129b3f1c0d7602546b350b41c133a0f875db218461d000fe7572cb4290aa985be059e46a363f7d9f7a9fa76cc5498221

Download Submit
C:\Users\Admin\AppData\Local\msowley.dll

Filesize
112KB

MD5
6d135e306b69d1e38a23674d13ce73dc

SHA1
aeb53ff4c74466905890c97b84145cbb7a855420

SHA256
8bf8fa5f794aaef7db785daa5f72e36ee593a679ca82729bab7fd8cdafa954d1

SHA512
0ab94350e484bb984eed44bbc8c97ee62c635782de978d49e5e7b5ca754947983aa60afc1b907e29c7089ba16d5704470e49b5ce778fde99261b0a3f0cca42aa

Download Submit
memory/1028-77-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/1028-74-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/1028-73-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/1028-95-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/1028-93-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/1632-70-0x00000000005F0000-0x0000000000620000-memory.dmp

Filesize
192KB

Download
memory/1632-69-0x0000000002580000-0x0000000002CA0000-memory.dmp

Filesize
7.1MB

Download
memory/2484-51-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2484-83-0x00000000022D0000-0x00000000022E0000-memory.dmp

Filesize
64KB

Download
memory/2484-85-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2484-49-0x0000000000A60000-0x0000000000A7A000-memory.dmp

Filesize
104KB

Download
memory/3000-82-0x00000000022D0000-0x00000000022E0000-memory.dmp

Filesize
64KB

Download
memory/3000-81-0x00000000022D0000-0x00000000022E0000-memory.dmp

Filesize
64KB

Download
memory/3000-80-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/3000-94-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/3372-88-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3372-89-0x0000000000520000-0x0000000000568000-memory.dmp

Filesize
288KB

Download
memory/3372-90-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3372-91-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads