209a324262c485c0baccaee66c0256c741a4b5e09a3e7ee66a31e7d75b06bc53

Analysis

max time kernel
142s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 07:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

96a8d4ca128d034f9e8cd8b3041b4741.exe
Size

130KB
MD5

96a8d4ca128d034f9e8cd8b3041b4741
SHA1

40a48a40c16420a8873f5d64c7650b0d2c29aa77
SHA256

209a324262c485c0baccaee66c0256c741a4b5e09a3e7ee66a31e7d75b06bc53
SHA512

5b3f79935dbb224071a9c2df9b976545d1d19af24363f5f721a77093eb94451a24e0ab35798d2a19e2df3306162710ee9be7c2e4551769d60f0128d671fd1740
SSDEEP

1536:RCRHRLJiQqOi9T29VcL8wUIsCuE5l6Iis/dmn1hy7QyUDhoTHjcm3ubom8V3NVEl:edrcLXTDuAis/dmn1hOS8HomeboLVHxw

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	96a8d4ca128d034f9e8cd8b3041b4741.exe

Executes dropped EXE 2 IoCs

pid	Process
2432	SOS.EXE
1668	SOS.EXE

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023203-5.dat	upx
behavioral2/memory/2432-9-0x0000000010000000-0x000000001001F000-memory.dmp	upx
behavioral2/memory/2432-26-0x0000000010000000-0x000000001001F000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2432 set thread context of 1668	2432	SOS.EXE	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2640	2432	WerFault.exe	84
4292	2432	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1668	SOS.EXE
1668	SOS.EXE
1668	SOS.EXE
1668	SOS.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 2432	412	96a8d4ca128d034f9e8cd8b3041b4741.exe	84
PID 412 wrote to memory of 2432	412	96a8d4ca128d034f9e8cd8b3041b4741.exe	84
PID 412 wrote to memory of 2432	412	96a8d4ca128d034f9e8cd8b3041b4741.exe	84
PID 2432 wrote to memory of 1668	2432	SOS.EXE	85
PID 2432 wrote to memory of 1668	2432	SOS.EXE	85
PID 2432 wrote to memory of 1668	2432	SOS.EXE	85
PID 2432 wrote to memory of 1668	2432	SOS.EXE	85
PID 2432 wrote to memory of 1668	2432	SOS.EXE	85
PID 1668 wrote to memory of 3464	1668	SOS.EXE	40
PID 1668 wrote to memory of 3464	1668	SOS.EXE	40
PID 1668 wrote to memory of 3464	1668	SOS.EXE	40
PID 1668 wrote to memory of 3464	1668	SOS.EXE	40
PID 1668 wrote to memory of 3464	1668	SOS.EXE	40
PID 1668 wrote to memory of 3464	1668	SOS.EXE	40

C:\Users\Admin\AppData\Local\Temp\96a8d4ca128d034f9e8cd8b3041b4741.exe
"C:\Users\Admin\AppData\Local\Temp\96a8d4ca128d034f9e8cd8b3041b4741.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:412
- C:\SOS.EXE
  "C:\SOS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\SOS.EXE
    C:\SOS.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 376
    3⤵
    - Program crash
    PID:2640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 372
    3⤵
    - Program crash
    PID:4292

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2432 -ip 2432
1⤵
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2432 -ip 2432
1⤵
PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SOS.EXE

Filesize
91KB

MD5
de3b30a182711e0b8b2c5efc40187852

SHA1
62deb1d32a9fecc4724951f768bcc5886a257a31

SHA256
e928875df688f669f1ee212cdc0f0a0a56c5fff076a1098906ab3e8c4505d307

SHA512
753a51ea3dcb4cd2c02ee9fdbf044b167bfd51fcdc07401cd076efeebd39c10f37eb0ba03f5732478e69e7058815e7c0d067415ca16970c07a73276dbb3e23d4

Download Submit
memory/412-10-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1668-11-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1668-14-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1668-15-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1668-18-0x0000000000020000-0x0000000000031000-memory.dmp

Filesize
68KB

Download
memory/2432-9-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/2432-26-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/3464-17-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/3464-20-0x000000007FFC0000-0x000000007FFC6000-memory.dmp

Filesize
24KB

Download