023ab137657d4dfffd5bf98d9dcd2fd2bc9600fdea317ff3323d48c2d2923d74

Analysis

max time kernel
89s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2024, 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

winzip26.exe
Size

992KB
MD5

40a49a13e2ed6577937568ef19b6e853
SHA1

2b2458cab8730ea3c69fc8cc7059f6fdc3c7f4c7
SHA256

9bf1cab2cfcf82b772242c09f49bd43d7300f5996456f56dca471364f5e70d9a
SHA512

962a1297cb9652a52d4901317bd8e3a1953ec7b277e84dcbdeb31ff665b3d643a58f690179bf527187fff85d7ea409485dd928209e906f4a5b09d6ccf9c11446
SSDEEP

12288:xkrPMg09CmiJQ21FUOkBVVWh7qZWoHnJ9NTwmHJMNm7aFxNcEQmi5WsvcXphs/:xQLkBVVWh7dA9NlM7c0Za/

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	winzip26.exe

Executes dropped EXE 1 IoCs

pid	Process
220	winzip26.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3380	220	WerFault.exe	85

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 220	2180	winzip26.exe	85
PID 2180 wrote to memory of 220	2180	winzip26.exe	85
PID 2180 wrote to memory of 220	2180	winzip26.exe	85

C:\Users\Admin\AppData\Local\Temp\winzip26.exe
"C:\Users\Admin\AppData\Local\Temp\winzip26.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\e574f68\winzip26.exe
  run=1 shortcut="C:\Users\Admin\AppData\Local\Temp\winzip26.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:220
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 2000
    3⤵
    - Program crash
    PID:3380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 220 -ip 220
1⤵
PID:3284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e574f68\winzip26.exe

Filesize
992KB

MD5
40a49a13e2ed6577937568ef19b6e853

SHA1
2b2458cab8730ea3c69fc8cc7059f6fdc3c7f4c7

SHA256
9bf1cab2cfcf82b772242c09f49bd43d7300f5996456f56dca471364f5e70d9a

SHA512
962a1297cb9652a52d4901317bd8e3a1953ec7b277e84dcbdeb31ff665b3d643a58f690179bf527187fff85d7ea409485dd928209e906f4a5b09d6ccf9c11446

Download Submit
C:\Users\Admin\AppData\Local\Temp\e575081\Load.html

Filesize
2KB

MD5
a0ee77be6ca2f3878987d59e3246e082

SHA1
e78b27ca4c94a4eeedd6ce05010c13e050776d16

SHA256
52921dcab34d93a043828dd6524db0a1a98f5e269fc60263ce488d1a0da2742b

SHA512
cb9746eac2f4ddf093ab9c30e454dcffb76c609ab380eb84aec305cb203d8cf723affaf7730393b60ef2b181f11f9b6cde9f7c04b9f9c0db7d5b907439ae6622

Download Submit
C:\Users\Admin\AppData\Local\Temp\e575081\common\js\common.js

Filesize
42KB

MD5
bcc0e36682468d62634cdfa5864e1707

SHA1
ba9173b2634c1c1d89635c0c8f36afea9eb09d1f

SHA256
fd475166caa2045b7fa0991b06b5731788f3e111a0d81ad6598fbb44b5293b30

SHA512
94e5394233b4eb8f448960eb43680d9269922bfe2c2d1b8919bf029b68148f6753e65da2a32c3c86122bf66925680f8b63ec093baaec8935867d23215d378f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\e575081\common\js\external.js

Filesize
36B

MD5
140918feded87fe0a5563a4080071258

SHA1
9a45488c130eba3a9279393d27d4a81080d9b96a

SHA256
25df7ab9509d4e8760f1fdc99684e0e72aac6e885cbdd3396febc405ea77e7f6

SHA512
56f5771db6f0f750ae60a1bb04e187a75fbee1210e1381831dcc2d9d0d4669ef4e58858945c1d5935e1f2d2f2e02fe4d2f08dd2ab27a14be10280b2dd4d8a7c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e575081\common\js\jquery-1.11.2.min.js

Filesize
93KB

MD5
5790ead7ad3ba27397aedfa3d263b867

SHA1
8130544c215fe5d1ec081d83461bf4a711e74882

SHA256
2ecd295d295bec062cedebe177e54b9d6b19fc0a841dc5c178c654c9ccff09c0

SHA512
781acedc99de4ce8d53d9b43a158c645eab1b23dfdfd6b57b3c442b11acc4a344e0d5b0067d4b78bb173abbded75fb91c410f2b5a58f71d438aa6266d048d98a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e575081\config\config.js

Filesize
5KB

MD5
b83ac079cfdf3ec94a9449f532b01dc5

SHA1
d5877393567da4503944f61d7c694ddaa42506d9

SHA256
1b935aeb2d5694bad98f525af8e471091a20817273cfcdbf17dc5e857b0de530

SHA512
530b926ea47a7cf8afb2d11dc3599c13b8e7af6d174340b09dce484cb71470ff7cce69137ee326fd3e9d16b89736b5a8188e7e224f3cf021c53343e034657ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e575081\config\installparams.js

Filesize
603B

MD5
60fd88ff53dfb4cd623a2348eb6f86f1

SHA1
251000f587ac908e594c56cc7b009406e432d8c8

SHA256
b6c3bbc5bfc2842c776a38024261d5110597064b4dfa1d1c10f2566a80a6d0e1

SHA512
91bf1e8fec524469903b9678ec0543d652746332f3ee63fb27689b8f1921db9293f89b16348a3b19cce86ca89f571f31fe2d9bd5c931587701da36402848c1ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\e575081\config\stubparams.js

Filesize
49KB

MD5
80472176503553a33de41bffba59cd64

SHA1
30da7e2d13b2b9186d7ba94c2bcedcc35d5895cc

SHA256
c263e80b91fe87fb1a07bcc72c02778b51e0440807444b19efa8329b3b406ce0

SHA512
7bcd8e17b1c81c50ad1d29ba45131f6068322354594ba3f306c563f5a074c2068ca3488ce723b7fd20be428c568d810fce654a2d71613eafe484ca64944bf3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\e575081\pages\Initialization\page.html

Filesize
2KB

MD5
b23411777957312ec2a28cf8da6bcb4a

SHA1
6dd3bdf8be0abb5cb8bf63a35de95c8304f5e7c7

SHA256
4d0bdf44125e8be91eecaba44c9b965be9b0d2cb8897f3f35e94f2a74912f074

SHA512
e520b4096949a6d7648c197a57f8ce5462adb2cc260ccac712e5b939e7d259f1eee0dfc782959f3ea689befce99cddf38b56a2cc140566870b045114e9b240dc

Download Submit