d5bff8474fab1c49324cae2253c6bba0f802592b0f14fbcc13624806e5367aef

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28-01-2024 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7db7e97c3ce779a4b1fa90902f9c19e3.exe
Size

956KB
MD5

7db7e97c3ce779a4b1fa90902f9c19e3
SHA1

a6475070117cf1602affba6bbd1644d6b0dc0178
SHA256

d5bff8474fab1c49324cae2253c6bba0f802592b0f14fbcc13624806e5367aef
SHA512

5c199deb74e3f4b4c8e27ddd56d026e5b0de19971307f4bbd907484b8d42cdd19a1d8b060c31d51801c86b1178f788b22b744255f9bf5ec8354615895a443a23
SSDEEP

24576:JdYnl8+Z77rA/i503hVkjyCSFAhJuVg8lcCkz:JdY3prAKcQHPhAVDxkz

Score

7^/10

persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	INS6ED7.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	lol.exe

Executes dropped EXE 10 IoCs

pid	Process
4668	INS6ED7.tmp
3500	install.exe
2080	setup.exe
1804	lol.exe
3444	codec.exe
4104	service.exe
3884	ld12.exe
4256	dad.exe
3452	ld12.exe
4200	install.48322.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1804-58-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1804-59-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/files/0x0006000000023206-76.dat	upx
behavioral2/memory/4104-81-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4104-90-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/files/0x000600000002320b-93.dat	upx
behavioral2/memory/4256-99-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4256-105-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysldtray = "c:\\windows\\ld12.exe"	ld12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysldtray = "c:\\windows\\ld12.exe"	ld12.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adult Tube XXX codec\Antivirus\codec.exe	INS6ED7.tmp
File opened for modification	C:\Program Files (x86)\Adult Tube XXX codec\Antivirus\install.48322.exe	INS6ED7.tmp
File opened for modification	C:\Program Files (x86)\Adult Tube XXX codec\Antivirus\install.48322.exe	install.48322.exe
File opened for modification	C:\Program Files (x86)\Adult Tube XXX codec\Antivirus\setup.exe	INS6ED7.tmp
File opened for modification	C:\Program Files (x86)\Adult Tube XXX codec\Antivirus\service.exe	INS6ED7.tmp
File opened for modification	C:\Program Files (x86)\Adult Tube XXX codec\Antivirus\lol.exe	INS6ED7.tmp
File opened for modification	C:\Program Files (x86)\Adult Tube XXX codec\Antivirus\install.exe	INS6ED7.tmp
File opened for modification	C:\Program Files (x86)\Adult Tube XXX codec\Antivirus\dad.exe	INS6ED7.tmp
File created	C:\Program Files (x86)\Adult Tube XXX codec\Antivirus\x2.dat	service.exe
File created	C:\Program Files (x86)\Adult Tube XXX codec\Antivirus\x2.dat	dad.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\ld12.exe	service.exe
File created	\??\c:\windows\ld12.exe	service.exe
File created	C:\Windows\567788.bat	service.exe
File opened for modification	\??\c:\windows\ld12.exe	dad.exe
File created	\??\c:\windows\ld12.exe	dad.exe
File opened for modification	C:\Windows\567788.bat	dad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1620	3500	WerFault.exe	85
2256	2080	WerFault.exe	90
4756	3444	WerFault.exe	101

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4200	install.48322.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 4668	1512	7db7e97c3ce779a4b1fa90902f9c19e3.exe	84
PID 1512 wrote to memory of 4668	1512	7db7e97c3ce779a4b1fa90902f9c19e3.exe	84
PID 1512 wrote to memory of 4668	1512	7db7e97c3ce779a4b1fa90902f9c19e3.exe	84
PID 4668 wrote to memory of 3500	4668	INS6ED7.tmp	85
PID 4668 wrote to memory of 3500	4668	INS6ED7.tmp	85
PID 4668 wrote to memory of 3500	4668	INS6ED7.tmp	85
PID 4668 wrote to memory of 2080	4668	INS6ED7.tmp	90
PID 4668 wrote to memory of 2080	4668	INS6ED7.tmp	90
PID 4668 wrote to memory of 2080	4668	INS6ED7.tmp	90
PID 4668 wrote to memory of 1804	4668	INS6ED7.tmp	96
PID 4668 wrote to memory of 1804	4668	INS6ED7.tmp	96
PID 4668 wrote to memory of 1804	4668	INS6ED7.tmp	96
PID 1804 wrote to memory of 4868	1804	lol.exe	99
PID 1804 wrote to memory of 4868	1804	lol.exe	99
PID 1804 wrote to memory of 4868	1804	lol.exe	99
PID 4668 wrote to memory of 3444	4668	INS6ED7.tmp	101
PID 4668 wrote to memory of 3444	4668	INS6ED7.tmp	101
PID 4668 wrote to memory of 3444	4668	INS6ED7.tmp	101
PID 4668 wrote to memory of 4104	4668	INS6ED7.tmp	104
PID 4668 wrote to memory of 4104	4668	INS6ED7.tmp	104
PID 4668 wrote to memory of 4104	4668	INS6ED7.tmp	104
PID 4104 wrote to memory of 3884	4104	service.exe	105
PID 4104 wrote to memory of 3884	4104	service.exe	105
PID 4104 wrote to memory of 3884	4104	service.exe	105
PID 4104 wrote to memory of 4788	4104	service.exe	106
PID 4104 wrote to memory of 4788	4104	service.exe	106
PID 4104 wrote to memory of 4788	4104	service.exe	106
PID 4668 wrote to memory of 4256	4668	INS6ED7.tmp	108
PID 4668 wrote to memory of 4256	4668	INS6ED7.tmp	108
PID 4668 wrote to memory of 4256	4668	INS6ED7.tmp	108
PID 4256 wrote to memory of 3452	4256	dad.exe	112
PID 4256 wrote to memory of 3452	4256	dad.exe	112
PID 4256 wrote to memory of 3452	4256	dad.exe	112
PID 4256 wrote to memory of 5104	4256	dad.exe	111
PID 4256 wrote to memory of 5104	4256	dad.exe	111
PID 4256 wrote to memory of 5104	4256	dad.exe	111
PID 4668 wrote to memory of 4200	4668	INS6ED7.tmp	110
PID 4668 wrote to memory of 4200	4668	INS6ED7.tmp	110
PID 4668 wrote to memory of 4200	4668	INS6ED7.tmp	110

C:\Users\Admin\AppData\Local\Temp\7db7e97c3ce779a4b1fa90902f9c19e3.exe
"C:\Users\Admin\AppData\Local\Temp\7db7e97c3ce779a4b1fa90902f9c19e3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Users\Admin\AppData\Local\Temp\INS6ED7.tmp
  "C:\Users\Admin\AppData\Local\Temp\INS6ED7.tmp"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Program Files (x86)\Adult Tube XXX codec\Antivirus\install.exe
    "C:\Program Files (x86)\Adult Tube XXX codec\Antivirus\install.exe"
    3⤵
    - Executes dropped EXE
    PID:3500
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 224
      4⤵
      Program crash
      PID:1620
- - C:\Program Files (x86)\Adult Tube XXX codec\Antivirus\setup.exe
    "C:\Program Files (x86)\Adult Tube XXX codec\Antivirus\setup.exe"
    3⤵
    - Executes dropped EXE
    PID:2080
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 604
      4⤵
      Program crash
      PID:2256
- - C:\Program Files (x86)\Adult Tube XXX codec\Antivirus\lol.exe
    "C:\Program Files (x86)\Adult Tube XXX codec\Antivirus\lol.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\a..bat" > nul 2> nul
      4⤵
      PID:4868
- - C:\Program Files (x86)\Adult Tube XXX codec\Antivirus\codec.exe
    "C:\Program Files (x86)\Adult Tube XXX codec\Antivirus\codec.exe"
    3⤵
    - Executes dropped EXE
    PID:3444
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 264
      4⤵
      Program crash
      PID:4756
- - C:\Program Files (x86)\Adult Tube XXX codec\Antivirus\service.exe
    "C:\Program Files (x86)\Adult Tube XXX codec\Antivirus\service.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4104
  - - \??\c:\windows\ld12.exe
      c:\windows\ld12.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:3884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\567788.bat
      4⤵
      PID:4788
- - C:\Program Files (x86)\Adult Tube XXX codec\Antivirus\dad.exe
    "C:\Program Files (x86)\Adult Tube XXX codec\Antivirus\dad.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\567788.bat
      4⤵
      PID:5104
  - - \??\c:\windows\ld12.exe
      c:\windows\ld12.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:3452
- - C:\Program Files (x86)\Adult Tube XXX codec\Antivirus\install.48322.exe
    "C:\Program Files (x86)\Adult Tube XXX codec\Antivirus\install.48322.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3500 -ip 3500
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2080 -ip 2080
1⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3444 -ip 3444
1⤵
PID:3100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adult Tube XXX codec\Antivirus\codec.exe

Filesize
24KB

MD5
50f81d56bc7e620032d6e87c917aa663

SHA1
627ca3d7ae7cfd969e60efb2feca284e49d42748

SHA256
330c24817c65edd69bc1f092ff5438145b4e52e671156570fb4ee16610f74b01

SHA512
fdb3aae4de9a5cde0ad3c27dcd2352b94cd47bcdf2eb8db810489c3bdb0f25bee8fa15a60aa8de7ef8508ab965959449dc54dc3ecc3f5810e246062f21f53512

Download Submit
C:\Program Files (x86)\Adult Tube XXX codec\Antivirus\dad.exe

Filesize
17KB

MD5
b225157cb28b62503e5853a2c6e5e379

SHA1
63cd38af8b87ae8401bef6beea20b561363b49d9

SHA256
cc229f4126fdc2fc7d880cc42abcc4b5ac3aba44ec5afb8b41217214bff09715

SHA512
565560a79fb5ec7e7a1b952a2767d86ff02d8ace62fa94094e4d7dc4064d3843e854800cf00a7be144bea815af0f62b5fe81bde25ab6d290e91cafd51854dab4

Download Submit
C:\Program Files (x86)\Adult Tube XXX codec\Antivirus\install.48322.exe

Filesize
87KB

MD5
ff0b91d40a778927d0f3937e4ae2aeae

SHA1
63fc86af47dbececeda4e23a43db41e39ec28986

SHA256
23c788fe1ef5ddab36ad23de23908b9d226bca21ecef649ae2e2437fe97250cb

SHA512
f9ef58f51afba5abaf63f39287c2d51c185798a2d60391fe63c633714684529e9eb7f63e79a4648178b57a40f71ecfb1fac9695a0bf7e9f68c590518cf85e8b6

Download Submit
C:\Program Files (x86)\Adult Tube XXX codec\Antivirus\install.exe

Filesize
82KB

MD5
07b99fd0f00ea9229de4ce5dc76f9e27

SHA1
4085b9e60725eab338059230816ffd361249bed0

SHA256
9e06f29cfdceaf21ef441e3bf1a000a3d0fb0e06e0b71632334715ceb8c01df1

SHA512
e57fba6796ef48ed1e91a74fc0904773482d53785e0664d661870ccac8f4954fd3ebbd2170fb45cb0e0fd64114522b84eb7588c52ee688b38fba5a51d04739e9

Download Submit
C:\Program Files (x86)\Adult Tube XXX codec\Antivirus\lol.exe

Filesize
99KB

MD5
5df6c893243fbddf9a3b7851454d0ec1

SHA1
7dc322860b23433a5ab52472d5ba4575941da931

SHA256
1b8870c0797e18aba48e101f4194c365ce7bf6a9bf023eedb7819cd65bdcb9cb

SHA512
f34dd9650e23b3be6a8be10c26ce39d627b5753a372dc258893bd3b28301acf30a56989140f92dd24d044d91c089642981c7e0608bb415f53769411d94ae1aa8

Download Submit
C:\Program Files (x86)\Adult Tube XXX codec\Antivirus\service.exe

Filesize
17KB

MD5
118c0e9ffcfdb5c9de57aaa99d3b1e3c

SHA1
1dc067f8ce539178a9fcdfe1c8417053851dfa60

SHA256
cc36cbbbc418a1dd6d38401f910d88b03273a4aaa723bf4aec3fee32233af802

SHA512
154f903c1ab3531ce7416a42a35056397acb350d197ecfc21a0e9e795cc04e063bc4752156c876b011f2d6c700cd3c192109033fd67f70d99c602d2cfa2945fc

Download Submit
C:\Program Files (x86)\Adult Tube XXX codec\Antivirus\setup.exe

Filesize
698KB

MD5
56e149ca2cb922afabaac9d465b40089

SHA1
f4a2450215c0ba65a5f7f0fe112e1647dd6703e3

SHA256
dac537bfdbefe8782a0890b800a7cdd4ca3c5fd10026fc187c48c50114fccdc7

SHA512
214935337d516cc6473c9467247583daae0a541157c8ccdbca14180761abca6e0bef051a931f03c582553d77fa9b510508eddda1c511bcce0c3472fc7fb768e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\INS6ED7.tmp

Filesize
951KB

MD5
b10d8fb9732dad00203b9b0b53e22f01

SHA1
5cf36298529b7b6d0fe92a6596cbe758fc4577f6

SHA256
785ae107fb18fddf7f3b08dc31a0b5144ad123293d439c4bb8b004766a11ed31

SHA512
3f71a924212e8eb9a6ec46a610c145d743bf8c5473c5a8f566cdc26c6980551304c0196c4148edb8d155639d4c3a0aa79566f9235e5ee0efe68ac9f77d2c0f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\a..bat

Filesize
192B

MD5
08d6cab406ce802cdc6f07c09b3ee8ca

SHA1
1f89af7f07d15ba013351ab94c91b94498b5db4a

SHA256
93361ba699acb35c2a32324da729c9b6025df58bb03630a17ab817d7615ec9c5

SHA512
a0e4470a018d298178bcb1403a2e75a07fd1130cb5019d82a4871773be95374bd6e3b8abcbf9c05761ae6c9cf59c86949c7ab16b18e8d35fdc40418f0b1f3827

Download Submit
C:\Windows\567788.bat

Filesize
228B

MD5
960838651f18ca3c18ad7aeb96973773

SHA1
9bf8e074b3959021d7c56c62466c2c0e443fc61e

SHA256
a9b67a1edd3c0fbeaf1e59d0ac402dd3f63cec6265c273e8c6895fa6f1e1fc31

SHA512
607fa6709a046817c1c0eb87ff5cfb0007e0cc1249541d1dd01b3d1e83863167314ad732479fdf04b3c1ae21c1753348576e3fc0c7c06da10980914cdb35842f

Download Submit
memory/1512-9-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1512-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1804-58-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1804-59-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3444-74-0x0000000000400000-0x000000000090D000-memory.dmp

Filesize
5.1MB

Download
memory/3444-72-0x0000000000400000-0x000000000090D000-memory.dmp

Filesize
5.1MB

Download
memory/3500-42-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4104-90-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4104-81-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4200-116-0x0000000000890000-0x00000000008A7000-memory.dmp

Filesize
92KB

Download
memory/4200-117-0x0000000003FF0000-0x0000000004007000-memory.dmp

Filesize
92KB

Download
memory/4256-99-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4256-105-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4668-128-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads