87a76d4861ee691e2f95076d175246ae0497b4b17667a4061ed2283c0ac4f561

Analysis

max time kernel
93s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2024, 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

742919cf56049170657c68af7a35a100.exe
Size

25KB
MD5

742919cf56049170657c68af7a35a100
SHA1

adecc6c2e8cd9886918fde117973c80579f71ab5
SHA256

87a76d4861ee691e2f95076d175246ae0497b4b17667a4061ed2283c0ac4f561
SHA512

2f72a1f782ac982769d1afda0aaa18d84f0c460305eeade703e0d441c2919d42576649be8945e6ad3229ab5c4a9fd5555581da269ed9f75d1c5d2f1025e2a66b
SSDEEP

384:hUmKnSZYRuVh7f0EYw+BrkylhOLX4+l6BU0NTy93SKUn:9uSZwuLD0xw3qOLo/lTyM7n

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	742919cf56049170657c68af7a35a100.exe

Executes dropped EXE 1 IoCs

pid	Process
3772	clientex.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\clientex.exe	742919cf56049170657c68af7a35a100.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnscfg.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\misc.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-App.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\wmlaunch.exe.mui	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\wmplayer.exe.mui	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\createdump.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\telemetryrules\hxcalendarappimm.exe_Rules.xml	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\ieinstal.exe.mui	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Integrator.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\wmpnscfg.exe.mui	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketch.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TabTip.exe.mui	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\excel.exe.manifest	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe.config	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\WindowsCamera.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\ieinstal.exe.mui	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\msinfo32.exe.mui	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\telemetryrules\hxoutlook.exe_Rules.xml	742919cf56049170657c68af7a35a100.exe
File created	C:\Program Files\iexplore.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\ieinstal.exe.mui	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\dbcicons.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\codecpacks.webp.exe	742919cf56049170657c68af7a35a100.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe	742919cf56049170657c68af7a35a100.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1520	742919cf56049170657c68af7a35a100.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 3772	1520	742919cf56049170657c68af7a35a100.exe	86
PID 1520 wrote to memory of 3772	1520	742919cf56049170657c68af7a35a100.exe	86
PID 1520 wrote to memory of 3772	1520	742919cf56049170657c68af7a35a100.exe	86

C:\Users\Admin\AppData\Local\Temp\742919cf56049170657c68af7a35a100.exe
"C:\Users\Admin\AppData\Local\Temp\742919cf56049170657c68af7a35a100.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\SysWOW64\clientex.exe
  "C:\Windows\system32\clientex.exe"
  2⤵
  - Executes dropped EXE
  PID:3772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\clientex.exe

Filesize
25KB

MD5
0337abf5abe1de481ff63f1d43f8eed5

SHA1
eaffcf2860049f1ba923b13cb2a62b9029d531a9

SHA256
c47918bd09000a7747dfd5bea46cb7f66c99a065ca5a4e1e3dbc2d212dd968b4

SHA512
371d425a156b0203b580d94e9b3914161bbd5873ccb1f409c505a5c2c45c228cd2851e463059bbdc9067108639ff0e07be84a950a75eb324702158099aa775fd

Download Submit