b15e078fcc5709ed413ab3b642c99fe8ebce1307c5961cba45604b4a979951fe

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2024, 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ef9483b406174ab8a9ca725b366801c.exe
Size

3.4MB
MD5

8ef9483b406174ab8a9ca725b366801c
SHA1

f9360d8b81bbbd9b1310a259a092a6d23b6092dc
SHA256

b15e078fcc5709ed413ab3b642c99fe8ebce1307c5961cba45604b4a979951fe
SHA512

67bd615c1ef1483dcbd1ecca558340234d1d2639991479f9eda3dbc06005342a537e961800bbcbe07ab1f0c153f48797a3fcdd7246c179df72316b474695db08
SSDEEP

98304:e/w8KJ8dYXhKDKZv4ajwhIgJWxMq/q2uk7fWCrz33o:yDKnIDNajwhTJWxMq/q2F+QL4

Score

7^/10

persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	genuine.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	8ef9483b406174ab8a9ca725b366801c.exe

Executes dropped EXE 3 IoCs

pid	Process
4624	genuine.exe
5084	cmd.exe
3148	oem.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1880-0-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral2/memory/1880-717-0x0000000000400000-0x0000000000483000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\cmd.exe"	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	genuine.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 4624	1880	8ef9483b406174ab8a9ca725b366801c.exe	83
PID 1880 wrote to memory of 4624	1880	8ef9483b406174ab8a9ca725b366801c.exe	83
PID 1880 wrote to memory of 4624	1880	8ef9483b406174ab8a9ca725b366801c.exe	83
PID 4624 wrote to memory of 5084	4624	genuine.exe	89
PID 4624 wrote to memory of 5084	4624	genuine.exe	89
PID 4624 wrote to memory of 5084	4624	genuine.exe	89
PID 1880 wrote to memory of 3148	1880	8ef9483b406174ab8a9ca725b366801c.exe	90
PID 1880 wrote to memory of 3148	1880	8ef9483b406174ab8a9ca725b366801c.exe	90

C:\Users\Admin\AppData\Local\Temp\8ef9483b406174ab8a9ca725b366801c.exe
"C:\Users\Admin\AppData\Local\Temp\8ef9483b406174ab8a9ca725b366801c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\files\genuine.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\files\genuine.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\Users\Admin\AppData\Roaming\Microsoft\cmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\cmd.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:5084
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\oem.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\oem.exe"
  2⤵
  - Executes dropped EXE
  PID:3148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\files\ADVENT\info\ADVENT_BADGE.BMP

Filesize
42KB

MD5
5f2863a87ff613468069632e80ffc0f5

SHA1
d324aef39ebbc058af8025a37074fccc3f7097f0

SHA256
a0c6f7ac7576ef42552b91d89ef8b6f962248a0c7bd6782615f7f5765344f2c4

SHA512
02732115c5ae2806cb3e2969169c55f5778133458249162d52318da69486f066f2269dcc176cc7f4c8a89780f4f5ff807898fc388ccc2d823238f67526666256

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\files\AMDPH3\info\AMDLOGO.GIF

Filesize
1KB

MD5
f9b5a5fce223c74ef9298c56163ea334

SHA1
8b1cf758d901bc08fadf5dce7c9c0a8f366192ff

SHA256
f782d30d91013e2ece0e939972f8be55be2eda76898623b39dd0bfe47664b10b

SHA512
1b05ac77f912fbdda475a1a878c91a80781601e1e906ef6e015cf3727e775ae811e78496e600c5a2b25587fb2f7c582585e229d144dde92b0bd85ebd12793cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\files\AMDPH3\info\AMD_BADGE.PNG

Filesize
7KB

MD5
989d128adbd85a2513266bb8a5824d7d

SHA1
7092207c42d6ca5809f762161dc95120358cf35a

SHA256
e694ab8a5ee6082435b45bab2b1a4d2e875158a3df582d5fb1121cd22a56b4c5

SHA512
4419ae62716745f924cc4dec0c9cd382b0d70d190afb5cf90a97c661764951ae2671462fc37d2dfb17420468cef95d282bd8aa66231218e8733a1186ef28c1ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\files\AMDPH3\info\AMD_BAR.PNG

Filesize
6KB

MD5
c942e6b3fb024721b34b43ab701b7fbd

SHA1
37124b11a6393a99ab3144f05620dc24c3a29c26

SHA256
7d42104fbdfd71258af8069c751ace5c8da8982898e2a3a95bf09ec92215c281

SHA512
0aa0625a024503312359c2f731b608459b63710735a3246a1bd52be34fa0ed0dc8bee5d64057270521935988ff52db7a1d601662190733a02803aca5d2484882

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\files\AMDPH3\info\AMD_LOGO.PNG

Filesize
4KB

MD5
4b143d2ea8be0745a868d8e597f40ed4

SHA1
369381715e8f374d8bb3c92d91631e14590220bb

SHA256
5fed7f698194e5ba0633c89e4984b5e580a1b5fafcaf91d12132aced6cf1a438

SHA512
298666047a5a16c4219755f6ded0bd64c40e548db0a0e39d5827db8094b2eacb88a4da3e3f755b4594d3b6a5958e13cae345fc81a49bcdb4a00c69dd614448f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\files\AMDPH3\info\AMD_MCE_LOGO.PNG

Filesize
4KB

MD5
0f4087cad5d812cf313d807f30e6abb9

SHA1
cc5e01bd810146d59f44e6e359d251b7a73fc220

SHA256
bd805d81cb869e2915b68e4c4b14cf0c0e91dbe9c14b9fd164683445773867f3

SHA512
596ad1554c998b722bd6442f12051c5983990a74269e35f657b994b1e6ebc6f0e0ec9385ffc8cc9afe7c7977f0b1436fc16b25ac869d93301aea6e3ff38f03ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\files\AMDPH3\info\OOBE.XML

Filesize
463B

MD5
d6bd304ee32016bbf1bdbdf88099a4e1

SHA1
543a3879ea6b1453fe36bbf5f84cc6a537770a16

SHA256
bc36ef62fee4059bb76e25a0821ccba42c34b9b0bc38a84026499127f36ecba2

SHA512
e21160cb0822493b944bf447eb41c72259614e091d7d51ab0b256effe007151f72e5cc5b2a5f9a60f3ff4b2728f8344ceeb7b247a4e7e511ef51e6d0bec233bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\files\Compaq\info\COMPAQ_MCE_LOGO.PNG

Filesize
1KB

MD5
09b9b9ca70502cd2186d5b790886c18a

SHA1
6adf1b894ac895c57b169b63af0e416082d66d4b

SHA256
46e4db6659243c1c8e94ac6f1924bffb8e750c7766b0ad0f5ea3bbeb02365aa7

SHA512
c24bea6933ec7ab7eb53fc61667ec3682491e1efeebe437b35e269fb496854550f9ca906bfe54320e8f3ea901ebefdd69a8c978e216db85657cf9520ed64f14d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\files\INTELViiv\info\INTELLOGO.GIF

Filesize
1KB

MD5
e612ed6dbc6f6ea2d43d2e1689571bab

SHA1
5fe7c622a18bf10e2f3fc08cbf8b826b928eb328

SHA256
9e7d19ff4634435870f1c65affc54af4d6d108cdae789c958d514efb491a385a

SHA512
09af883fe975f3bf0e0391e397e176e5f76acac5d0cfbeea7a98100e38c7f53d68cc8bac9da0389aa39dd9402c58e61662a70cf309c3f343fec3f99ee658de97

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\files\INTELViiv\info\INTEL_BAR.PNG

Filesize
5KB

MD5
d00d17e64e251c09d43ee0f0edb7dafc

SHA1
2a5bdcb54d7b838bb7085a34fb94a71154515fd2

SHA256
d85fcc68795b7f172823d9123f58fb94cc71858b620ce6deeca07b313067eab7

SHA512
f3ad407be0b4e11ced0df5115d43a0fc854f205b3e067c0efdc513d0ccb6a01891e037b3f44a29b1d91b97d32e241d71d457c522929b5e4acba06f4143040995

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\files\INTELViiv\info\INTEL_LOGO.PNG

Filesize
9KB

MD5
dae5e919580e8c530d520e35c23c83d5

SHA1
bb12cf308a1814c69e37db2de0ca3424b61f6b01

SHA256
1e58edf443bd0e66c45a4a83b1f75062753da11670abd7eff2ef0c500eddc14d

SHA512
630ba7eebf0d8df58204389c0d9c15c88a041d7d835142f5e04d34fd0bff47a1ba8933796d2751dffe2ac10be4cb2d2a622ce6ccea1c862f2cf2ecf75b10e762

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\files\INTELViiv\info\INTEL_MCE_LOGO.PNG

Filesize
6KB

MD5
ebac005c0b4b87324dbfb063738054bf

SHA1
bbbc98da319c02fa885d55eb85468efae0ffb475

SHA256
d764487d4ddd77e035d945abeda70447d2aad816a88eebc0fab72bc7bb6532cd

SHA512
09222586c7c406a6a3f59c61fef4c18ffb0da95aec7b1f1ac91bf287a0295820290e27e0408b523c6de57384068a4ab42cb0ebb872a200c2063c364f731eef5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\files\INTELViiv\info\OOBE.XML

Filesize
467B

MD5
0e91b3bc65bbef7d506ac7fdbf1891f8

SHA1
1130030619b718d4d20c12d668feb0b76410b933

SHA256
17535d9764845b90a5e418bda9f17b2195276f61b0e076c71560276e00a26417

SHA512
76a5c47ca1497af3102a51fed29883ffc6293d03c48833aa0df7ec25105f79a5281414a6e6c621f2afbbfcd18764666f65eaf713c43647d0d348d4b5e4e92f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\files\NvidiaXFX\info\NVIDIALOGO.GIF

Filesize
1KB

MD5
b216f60f4320d9b257b72362e726a1a7

SHA1
7da35c9d27b9f795315ca93aebc574384ef9d9ae

SHA256
864ee979975855d7e79be416a6e59d183daa5758bbe7a2272bfa712a45ca15fa

SHA512
e8159513b71ee0e7c147d6d564ce2b1d610d9801b7d6d529704e1ad7084407976bdb799b1168dc84cd707086bbd7fabf9107e6c4f47f282c5295888d598656ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\files\NvidiaXFX\info\NVIDIA_BAR.PNG

Filesize
8KB

MD5
223eb69b0b15999b6508df89aafcedad

SHA1
086b432bd883c0b76a4c86add4825e45ef313203

SHA256
2146c413dddeee80f062e2f7aad713eb683bf0d6752bf46550fb5731c169f622

SHA512
b393e3b83937a3fb61daec94b41190baaaa44e8227056153bb0a4258b3bf3bb64f2ba01ad041adc916ceb85c6da14789e85958641780841cdeeafbad21594794

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\files\NvidiaXFX\info\NVIDIA_LOGO.PNG

Filesize
10KB

MD5
5c60aa764e591284fffdc288dd957b12

SHA1
72407c96700bd20c7610146eaac57b01af5fd94c

SHA256
17141a5ad962f96f3caf6bb8c122694425b0ab6e935da53d52191583524635d9

SHA512
800e2af715405ab41ab690fc1f9db79ea76fa46db3202274d7182c5ffc81676789541383fc79964b6616b5ce172507fb0dab14ef5b6b2730480d38bdc0bbf658

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\files\NvidiaXFX\info\NVIDIA_MCE_LOGO.PNG

Filesize
4KB

MD5
901ab024e42d4377f64531dca9933992

SHA1
2a26a914925a207225b430a02fb2b06a42977c12

SHA256
cf02a30535424baa675851c5c40faec4b3266931147e4fb3c24e657600f76e50

SHA512
9db6617c3d7d6d18289064c2fc147cc69c48eb4e2eda60795f66a88474dd1659a116d019d414832c3c6fa2d89bb4aba92e5822507ce15be8449bba0bd6f80e45

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\files\NvidiaXFX\info\OOBE.XML

Filesize
469B

MD5
bc804295fe13f228d5920f7d96c1ed6b

SHA1
044a332c56ca93dd1add96144c802138edd7814c

SHA256
de758bbcb5e0020f8f7302cd1f74ff9b6b57571e2fde53bbeca4e97309d1721a

SHA512
94b702a20117c75628e23dd648c720d9f222a2ff157ee084ab4e7800409bdc51e70c33623d6a750dbcc0fb920560bb1813496faab2e4758bd6c8eeca95c6e6e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\files\genuine.exe

Filesize
130KB

MD5
623b1d6cd552ea6c1919f946d80280f7

SHA1
8a05f64feaa6b07792240b56990d626dc8ace614

SHA256
bf744c1ad2f1589b5b8d54a826b7a31fb5b2d606609d506adc96a4e122858ca6

SHA512
2fe167c172537ccdf3132c82a81087546df9e01d341bf5033e8ac9958444fa5c5ef63e1c01ee79b5f8603997aba3fb58b0c9dff351e4343e00febc017cfda66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\oem.exe

Filesize
2.6MB

MD5
d078205b1721b935c5bf43d2071678dc

SHA1
55cbe61983460f9275ba75c8a576033b90436686

SHA256
dbde124d8d2cb50f6fcfdf823ec92198654cdcc6575fdfca135cb2dea010cbe1

SHA512
e817d1255fdba810f1a50f326a952eeddc2a110622c4b5b995968942eb45c1bbe39b294722ed3915b584fff93009a2e31a5ffe1ef341dbbc82f59f8b62bcb1ba

Download Submit
memory/1880-717-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1880-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3148-776-0x000000001C0E0000-0x000000001C17C000-memory.dmp

Filesize
624KB

Download
memory/3148-785-0x00007FFE5A0A0000-0x00007FFE5AA41000-memory.dmp

Filesize
9.6MB

Download
memory/3148-772-0x0000000000F30000-0x0000000000F40000-memory.dmp

Filesize
64KB

Download
memory/3148-773-0x00007FFE5A0A0000-0x00007FFE5AA41000-memory.dmp

Filesize
9.6MB

Download
memory/3148-774-0x000000001B590000-0x000000001B636000-memory.dmp

Filesize
664KB

Download
memory/3148-775-0x000000001BB10000-0x000000001BFDE000-memory.dmp

Filesize
4.8MB

Download
memory/3148-790-0x0000000000F30000-0x0000000000F40000-memory.dmp

Filesize
64KB

Download
memory/3148-777-0x0000000001150000-0x0000000001158000-memory.dmp

Filesize
32KB

Download
memory/3148-778-0x000000001C240000-0x000000001C28C000-memory.dmp

Filesize
304KB

Download
memory/3148-789-0x0000000000F30000-0x0000000000F40000-memory.dmp

Filesize
64KB

Download
memory/3148-781-0x0000000000F30000-0x0000000000F40000-memory.dmp

Filesize
64KB

Download
memory/3148-782-0x0000000000F30000-0x0000000000F40000-memory.dmp

Filesize
64KB

Download
memory/3148-786-0x0000000000F30000-0x0000000000F40000-memory.dmp

Filesize
64KB

Download
memory/3148-771-0x00007FFE5A0A0000-0x00007FFE5AA41000-memory.dmp

Filesize
9.6MB

Download
memory/4624-759-0x0000000000010000-0x000000000003B000-memory.dmp

Filesize
172KB

Download
memory/5084-784-0x0000000000010000-0x000000000003B000-memory.dmp

Filesize
172KB

Download
memory/5084-780-0x0000000000010000-0x000000000003B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads