046a1ab07d00310dfdbb8390f614bf3cd90aad379c5c713fc62889ea72792335

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2024 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71b2f3c40cf873641f39dde41d160c6a.exe
Size

608KB
MD5

71b2f3c40cf873641f39dde41d160c6a
SHA1

ca0aa9c6e5be1fba93ca3a5da3ed01584f3c9495
SHA256

046a1ab07d00310dfdbb8390f614bf3cd90aad379c5c713fc62889ea72792335
SHA512

1ed5e3b99974e434494d952e65df913dd6dfd599fd08161a024489e8efed78c04facaa91473124b8179f6db97c58186e0b962840f2ba511bf74f9083994fa87e
SSDEEP

12288:72KXHc77k5zsOn91Sbj+1+rG1Bhdk6b4LsXbqFVZguy1ukVLoGERBo2:72KXeCz7I+1GMdkVTcv1VVKt

Score

8^/10

evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

240609876.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation 240609876.exe
Executes dropped EXE 3 IoCs

Processes:

240609875.exe240609876.exelnUMnIoxFh.exe

pid process

1128 240609875.exe
1032 240609876.exe
3720 lnUMnIoxFh.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

2740 rundll32.exe
4444 rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	240609876.exe

pid	process
1128	240609875.exe
1032	240609876.exe
3720	lnUMnIoxFh.exe

pid	process
2740	rundll32.exe
4444	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

rundll32.exe240609876.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fyokame = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\dencrcs.dll\",Startup"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lnUMnIoxFh.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lnUMnIoxFh.exe"	240609876.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

240609876.exelnUMnIoxFh.exerundll32.exe

pid	process
1032	240609876.exe
1032	240609876.exe
1032	240609876.exe
1032	240609876.exe
3720	lnUMnIoxFh.exe
3720	lnUMnIoxFh.exe
3720	lnUMnIoxFh.exe
3720	lnUMnIoxFh.exe
3720	lnUMnIoxFh.exe
3720	lnUMnIoxFh.exe
3720	lnUMnIoxFh.exe
3720	lnUMnIoxFh.exe
2740	rundll32.exe
2740	rundll32.exe
3720	lnUMnIoxFh.exe
3720	lnUMnIoxFh.exe
3720	lnUMnIoxFh.exe
3720	lnUMnIoxFh.exe
2740	rundll32.exe
2740	rundll32.exe
3720	lnUMnIoxFh.exe
3720	lnUMnIoxFh.exe
2740	rundll32.exe
2740	rundll32.exe
3720	lnUMnIoxFh.exe
3720	lnUMnIoxFh.exe
2740	rundll32.exe
2740	rundll32.exe
3720	lnUMnIoxFh.exe
3720	lnUMnIoxFh.exe
3720	lnUMnIoxFh.exe
3720	lnUMnIoxFh.exe
2740	rundll32.exe
2740	rundll32.exe
3720	lnUMnIoxFh.exe
3720	lnUMnIoxFh.exe
2740	rundll32.exe
2740	rundll32.exe
3720	lnUMnIoxFh.exe
3720	lnUMnIoxFh.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

240609876.exelnUMnIoxFh.exe

pid process

1032 240609876.exe
3720 lnUMnIoxFh.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

71b2f3c40cf873641f39dde41d160c6a.exe240609875.exe240609876.exelnUMnIoxFh.exerundll32.exe

description	pid	process	target process
PID 3748 wrote to memory of 1128	3748	71b2f3c40cf873641f39dde41d160c6a.exe	240609875.exe
PID 3748 wrote to memory of 1128	3748	71b2f3c40cf873641f39dde41d160c6a.exe	240609875.exe
PID 3748 wrote to memory of 1128	3748	71b2f3c40cf873641f39dde41d160c6a.exe	240609875.exe
PID 3748 wrote to memory of 1032	3748	71b2f3c40cf873641f39dde41d160c6a.exe	240609876.exe
PID 3748 wrote to memory of 1032	3748	71b2f3c40cf873641f39dde41d160c6a.exe	240609876.exe
PID 3748 wrote to memory of 1032	3748	71b2f3c40cf873641f39dde41d160c6a.exe	240609876.exe
PID 1128 wrote to memory of 2740	1128	240609875.exe	rundll32.exe
PID 1128 wrote to memory of 2740	1128	240609875.exe	rundll32.exe
PID 1128 wrote to memory of 2740	1128	240609875.exe	rundll32.exe
PID 1032 wrote to memory of 3720	1032	240609876.exe	lnUMnIoxFh.exe
PID 1032 wrote to memory of 3720	1032	240609876.exe	lnUMnIoxFh.exe
PID 1032 wrote to memory of 3720	1032	240609876.exe	lnUMnIoxFh.exe
PID 3720 wrote to memory of 3560	3720	lnUMnIoxFh.exe	Explorer.EXE
PID 3720 wrote to memory of 3560	3720	lnUMnIoxFh.exe	Explorer.EXE
PID 2740 wrote to memory of 4444	2740	rundll32.exe	rundll32.exe
PID 2740 wrote to memory of 4444	2740	rundll32.exe	rundll32.exe
PID 2740 wrote to memory of 4444	2740	rundll32.exe	rundll32.exe
PID 3720 wrote to memory of 3560	3720	lnUMnIoxFh.exe	Explorer.EXE
PID 3720 wrote to memory of 3560	3720	lnUMnIoxFh.exe	Explorer.EXE
PID 3720 wrote to memory of 3560	3720	lnUMnIoxFh.exe	Explorer.EXE
PID 3720 wrote to memory of 3560	3720	lnUMnIoxFh.exe	Explorer.EXE
PID 3720 wrote to memory of 3560	3720	lnUMnIoxFh.exe	Explorer.EXE
PID 3720 wrote to memory of 3560	3720	lnUMnIoxFh.exe	Explorer.EXE
PID 3720 wrote to memory of 3560	3720	lnUMnIoxFh.exe	Explorer.EXE
PID 3720 wrote to memory of 3560	3720	lnUMnIoxFh.exe	Explorer.EXE

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

240609876.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	240609876.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	240609876.exe

C:\Users\Admin\AppData\Local\Temp\71b2f3c40cf873641f39dde41d160c6a.exe
"C:\Users\Admin\AppData\Local\Temp\71b2f3c40cf873641f39dde41d160c6a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3748

C:\Users\Admin\AppData\Local\240609875.exe
C:\Users\Admin\AppData\Local\240609875.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\dencrcs.dll",Startup
3⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\dencrcs.dll",iep
4⤵
- Loads dropped DLL
PID:4444

C:\Users\Admin\AppData\Local\240609876.exe
C:\Users\Admin\AppData\Local\240609876.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1032

C:\Users\Admin\AppData\Local\Temp\lnUMnIoxFh.exe
"C:\Users\Admin\AppData\Local\Temp\lnUMnIoxFh.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3560

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\240609875.exe
Filesize
47KB

MD5
72efb4367c308091de41bae5f4609d5a

SHA1
e189e9b85c9cab64d2372271a890bf22ae65d66c

SHA256
b24969a114d5b8b0d2246e73501d620d61a492fe2894ec7e34a9542e3e7b2597

SHA512
02f51100c9cf5ac396f411973c62ac3920395bb47a82f70b8f4881f2778e215728c1ce218b2d128a46078563081b27ac4db13e833fee1f5e9a9594a57a9f430f

Download Submit
C:\Users\Admin\AppData\Local\240609875.exe
Filesize
12KB

MD5
91a85b15ee01ced34a05442759b5d3fc

SHA1
1b14d3c7e1707f330ee2b29c365ab2b5ef8d242c

SHA256
3dbde8b7d743e59da6e8992ef5dc55f42629273c32a0addf347642806ea0b302

SHA512
83ddc431c2bbb35cd35521ac19397feac32706834a777cdd2cdd98b6d3958022649243822ea6720b00dfb9b1819ce716dd52d9222f368b66589d769b10d07c78

Download Submit
C:\Users\Admin\AppData\Local\240609876.exe
Filesize
6KB

MD5
c7c3d606bc986cab8087aa5683b4ca9b

SHA1
0569215e4566fb4e441aa78372c62d107f10325a

SHA256
15241f2831bb9951219538d247cecc67340fee4a45d06d750dfaa699d5af5925

SHA512
edd3f75b1d49bda5572168b37c2f64ff9c2bea8ac0873c9432b306a55ee974176879a03fb221969298e48c5130b2f3e22623f37473269d38421258a90cbd8389

Download Submit
C:\Users\Admin\AppData\Local\240609876.exe
Filesize
459KB

MD5
80938190ace75411254ff102f397a02d

SHA1
ffea9db9ef85e1781c811b224a3abf708c05e2e4

SHA256
11983799b400aad459d846735c178d8d9a9cd9819a63b11eadf83e0c48ef51c7

SHA512
9c8dc6918efcc1684a5c2577b07584c65f4f33e223e3dbf5e63aa9c111a56ca1686e21363bb29831a28c7f7fb65d2263f5325a78cbde5097e6bd1eb9750210b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DOTQjGgjsJ.dll
Filesize
300KB

MD5
4050d2d7856f89e3f09b1b1792a9caec

SHA1
14bf254303227540dcee3905ce8e5b294bf67a28

SHA256
c3adee19e5347f23a4c3c0ea134bbcbf80411b468c5183aeb95be7206919acc9

SHA512
937505accdad98388b0027807dff603c78dfb481f1ba5bb78f3a4885ecfc4ebb60ff5261c175caccaa7d60a208d935378941260e29d3d7f8e9930f884ed89f8d

Download Submit
C:\Users\Admin\AppData\Local\dencrcs.dll
Filesize
88KB

MD5
6c99f1d251b1891ca95e1ffbada7ce7c

SHA1
6ae72d1ca54dc5ff28727703fb63482594c585ce

SHA256
2c6944dfcee1c10e5070e6e2432373f94b0f86ec48f31a642eeabc75bde1e87b

SHA512
1a474407816bb48e74fd27854cba86353b0d9cbb2f1ae53f358b40c9ae04e367bb18a5634172a74e7a922b867b610b7257d56fa1984ece7c6879d30914796af5

Download Submit
memory/1032-17-0x00000000021D0000-0x0000000002240000-memory.dmp

Filesize
448KB

Download
memory/1032-36-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/1032-18-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/1128-13-0x0000000002220000-0x0000000002230000-memory.dmp

Filesize
64KB

Download
memory/1128-40-0x0000000002220000-0x0000000002230000-memory.dmp

Filesize
64KB

Download
memory/1128-12-0x0000000002220000-0x0000000002230000-memory.dmp

Filesize
64KB

Download
memory/1128-41-0x0000000002220000-0x0000000002230000-memory.dmp

Filesize
64KB

Download
memory/1128-37-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/1128-11-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/2740-56-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/2740-44-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/2740-38-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/2740-50-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/2740-22-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/2740-23-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/2740-43-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/2740-21-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/3720-39-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/3748-0-0x00000000024A0000-0x00000000024B0000-memory.dmp

Filesize
64KB

Download
memory/3748-2-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3748-1-0x00000000024A0000-0x00000000024B0000-memory.dmp

Filesize
64KB

Download
memory/4444-53-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/4444-52-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/4444-58-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/4444-63-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/4444-64-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download