d1163922c64694075ba4c602cdfad98a01db9801fdb8ced6cd0545332fc053f0

Analysis

max time kernel
99s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2024, 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AppPak.exe
Size

769KB
MD5

10573579e9705052ac61c1320ccd41bc
SHA1

21eeff6d805ee6b646396b520833f99ad2c4e173
SHA256

d1163922c64694075ba4c602cdfad98a01db9801fdb8ced6cd0545332fc053f0
SHA512

e8cebfed8a56ed6c107b4af33294f6f9b3a71283e9e84097fed8e049b3c7358fd962ea5b98db45106977e2b44fb496614f198f43cdcca7cd955e94c8b4ada346
SSDEEP

6144:iV28oxoS8O8utojssssssscB000KpQC77778s2f:ioroS8j000UQC77778t

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	AppPak.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/400-0-0x0000000000400000-0x0000000000588000-memory.dmp	upx
behavioral2/memory/400-3-0x0000000000400000-0x0000000000588000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 5040	400	AppPak.exe	85
PID 400 wrote to memory of 5040	400	AppPak.exe	85

C:\Users\Admin\AppData\Local\Temp\AppPak.exe
"C:\Users\Admin\AppData\Local\Temp\AppPak.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:400
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4006.tmp\4007.tmp\4008.bat C:\Users\Admin\AppData\Local\Temp\AppPak.exe"
  2⤵
  PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4006.tmp\4007.tmp\4008.bat

Filesize
45B

MD5
2bcda5dbea7aae4c89d3cbef2af06f45

SHA1
1a4572815622b6a981344026483fb7a209e1296e

SHA256
4a955c6f7f8ba8490f784b82c81d1fe92e89cede3fb927c04b6cf4f4ff71392b

SHA512
2b7ba426440e63a41ba075d5a9fa23a42d56437524137056e47fc02226ba36e301be114cf65e26a2aaa43a3385e267c10227b817fe938066e6ccb9769e4de5bc

Download Submit
memory/400-0-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/400-3-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download