Analysis

  • max time kernel
    142s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-02-2024 10:50

General

  • Target

    96f92cfdee68ecfcf016c2d4104ef397.exe

  • Size

    5.1MB

  • MD5

    96f92cfdee68ecfcf016c2d4104ef397

  • SHA1

    c2ed10a3fc906d46450dbcfe082a1f351732c973

  • SHA256

    32e15aa26a62761a64dfac28e63e8407c124ce2f823d9c5b67a8365ed902d0b8

  • SHA512

    c2a1c02b7b2261b9e962102317dd3eb102db5e59aabac77fed6c39747e80bf5fec3975f27ef018f7ea673c4ecf899cc2e0130d6be19f2ff9c7a42431828e5d38

  • SSDEEP

    98304:DUo2jCVAvzvcI06rDWGe+i5Ca6Tt2Sk29seCQdwr783Q0h4gkQ33zcFNHx2I:raCVALER6rmd5lSkebw03Hh4XQ33mR2I

Score
7/10
upx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\96f92cfdee68ecfcf016c2d4104ef397.exe
    "C:\Users\Admin\AppData\Local\Temp\96f92cfdee68ecfcf016c2d4104ef397.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3320
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\extract.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3472
      • C:\Users\Admin\AppData\Local\Temp\7za.exe
        .\7za.exe e .\WebPlayerTV.7z -pjesuisadmin -y
        3⤵
        • Executes dropped EXE
        PID:2408
      • C:\Users\Admin\AppData\Local\Temp\Setup.exe
        .\Setup.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: GetForegroundWindowSpam
        PID:4952

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7za.exe

    Filesize

    574KB

    MD5

    42badc1d2f03a8b1e4875740d3d49336

    SHA1

    cee178da1fb05f99af7a3547093122893bd1eb46

    SHA256

    c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

    SHA512

    6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

  • C:\Users\Admin\AppData\Local\Temp\Extract.bat

    Filesize

    87B

    MD5

    9495ff73014b8a17bd4798911ad097fa

    SHA1

    71b6db4d7e576cf8b1cbf93079397bc0c1ce46b2

    SHA256

    0a59275adf474e7164e14a7e622ecb93f3a1477958e6e1e0de6d7ae2c6913a33

    SHA512

    55062bb9381ac302367aeb43492613762434da730663891f577e050fcbc0993eaf19e96154adf4d669cb9587d8eef2a7ec96cb02b366db5d5c58b1eefe64ecd3

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe

    Filesize

    387KB

    MD5

    ce68dce74b754a258c414338a0b8b1f9

    SHA1

    ac64f0252ec7097287e52ed1ce55d641c25810c5

    SHA256

    dade0855884933b3e1c4ec86f39883ea8e22c080a25ad8ac71dae915f21fd355

    SHA512

    eeae803d6f4a9f8a8258faec69c6c1d062a7d69d350f49613243c1532185e9532424d0d29b5c30fe83dc9d810f4ea391ee0ed633f21dd49f7b62992ec482319e

  • C:\Users\Admin\AppData\Local\Temp\WebPlayerTV.7z

    Filesize

    4.7MB

    MD5

    54c1975de43ac9df40f51272b3f188af

    SHA1

    db0c7d217cdb83edb58aca81ba0993a66ff442aa

    SHA256

    563ffa816354d3682494d925d32d5fe42a64183f4aaec4d11381794fe47b178e

    SHA512

    cc3160aa0f7b62ae6b1e116508e2c362166985ee4a318bbb94251f84ffc3e10e2298fd06017adfa3d464a95c519e5524a942aac068cc95a6d1e3783f65e43599

  • C:\Users\Admin\AppData\Local\Temp\conditions.txt

    Filesize

    18KB

    MD5

    18ecfd10ad618670c9b5a6506aedecd4

    SHA1

    e9659a3ccb3d74302a039d137f2abfb289b6beb1

    SHA256

    11aad77b7086f3422b2befe0fba993d4d172dd7aea24b345c6d84036fb17665e

    SHA512

    0a5ad7da4deb3b93fbf6cbe54cc45f8324e281be21cbdf887c1a727fde88feadb8dc1f6c44df35c6a6dc348ebc53f9a25f761b174495eddfd8013213f7872200

  • C:\Users\Admin\AppData\Local\Temp\config.ini

    Filesize

    428B

    MD5

    877875ed7bef4ba5c90f3850e3d39030

    SHA1

    9f45f80568fde3a0725e09eb1465a051a5271d6b

    SHA256

    d9fd4afb7ad2c1505a82c244c6c48ce8a377e8ebdd5d157615af7cb222e32697

    SHA512

    5bc55c19e4e2350f7e55adb9658ab07c993160265b577bc0219903519c6c7a12f26c29f887f5e8589b66bdef6f1a7248b24e731db0aca21147c18a69c6bccb0d

  • memory/4952-35-0x0000000000400000-0x00000000004C1000-memory.dmp

    Filesize

    772KB

  • memory/4952-38-0x0000000000400000-0x00000000004C1000-memory.dmp

    Filesize

    772KB