3da928f0eff88dddb363a32469f8ec1e908f1bdcad8be40f786a06a0eaeb9785

Analysis

max time kernel
21s
max time network
24s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 06:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a12f69255b91e8b44c0e9669a79b5892.exe
Size

441KB
MD5

a12f69255b91e8b44c0e9669a79b5892
SHA1

be099758c080b89c52169ca7cf2e5232c6c79455
SHA256

3da928f0eff88dddb363a32469f8ec1e908f1bdcad8be40f786a06a0eaeb9785
SHA512

d81594ae69d6459df12ad180ca310a411fb0d634048a3737482701fcb02acd3fc166ab26c486c9d22f28cbd18b4af4a678cf0140259bbd1441a2cd51759ad1ec
SSDEEP

12288:NUFdYk7h/6hgTv3TGEGwIUdtLDT0OHev/XUz:mFl6hgTawvP1HiXUz

Score

7^/10

bootkit evasion persistence trojan upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\International\Geo\Nation	a12f69255b91e8b44c0e9669a79b5892.exe

Executes dropped EXE 7 IoCs

pid	Process
4672	cb.exe
2332	1EuroP.exe
5116	2IC.exe
4048	3E4U - Bucks.exe
1244	6tbp.exe
1384	IR.exe
4324	m5bw8pr.exe

Loads dropped DLL 1 IoCs

pid	Process
3068	rundll32.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4048-72-0x0000000000BB0000-0x0000000000BE0000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vfeveraxifo = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\rowsct.dll\",Startup"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\741b = "C:\\Users\\Admin\\AppData\\Roaming\\m5bw8pr.exe"	IR.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IR.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\physicaldrive0	2IC.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1712	sc.exe
1984	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1332	4048	WerFault.exe	92

Runs net.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5116	2IC.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1244	6tbp.exe
3068	rundll32.exe
1384	IR.exe
1384	IR.exe
1384	IR.exe
4324	m5bw8pr.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 4672	2328	a12f69255b91e8b44c0e9669a79b5892.exe	88
PID 2328 wrote to memory of 4672	2328	a12f69255b91e8b44c0e9669a79b5892.exe	88
PID 2328 wrote to memory of 4672	2328	a12f69255b91e8b44c0e9669a79b5892.exe	88
PID 2328 wrote to memory of 2332	2328	a12f69255b91e8b44c0e9669a79b5892.exe	90
PID 2328 wrote to memory of 2332	2328	a12f69255b91e8b44c0e9669a79b5892.exe	90
PID 2328 wrote to memory of 2332	2328	a12f69255b91e8b44c0e9669a79b5892.exe	90
PID 2328 wrote to memory of 5116	2328	a12f69255b91e8b44c0e9669a79b5892.exe	91
PID 2328 wrote to memory of 5116	2328	a12f69255b91e8b44c0e9669a79b5892.exe	91
PID 2328 wrote to memory of 5116	2328	a12f69255b91e8b44c0e9669a79b5892.exe	91
PID 2328 wrote to memory of 4048	2328	a12f69255b91e8b44c0e9669a79b5892.exe	92
PID 2328 wrote to memory of 4048	2328	a12f69255b91e8b44c0e9669a79b5892.exe	92
PID 2328 wrote to memory of 4048	2328	a12f69255b91e8b44c0e9669a79b5892.exe	92
PID 2328 wrote to memory of 1244	2328	a12f69255b91e8b44c0e9669a79b5892.exe	95
PID 2328 wrote to memory of 1244	2328	a12f69255b91e8b44c0e9669a79b5892.exe	95
PID 2328 wrote to memory of 1244	2328	a12f69255b91e8b44c0e9669a79b5892.exe	95
PID 2328 wrote to memory of 1384	2328	a12f69255b91e8b44c0e9669a79b5892.exe	94
PID 2328 wrote to memory of 1384	2328	a12f69255b91e8b44c0e9669a79b5892.exe	94
PID 2328 wrote to memory of 1384	2328	a12f69255b91e8b44c0e9669a79b5892.exe	94
PID 1244 wrote to memory of 3068	1244	6tbp.exe	97
PID 1244 wrote to memory of 3068	1244	6tbp.exe	97
PID 1244 wrote to memory of 3068	1244	6tbp.exe	97
PID 1384 wrote to memory of 3716	1384	IR.exe	105
PID 1384 wrote to memory of 3716	1384	IR.exe	105
PID 1384 wrote to memory of 3716	1384	IR.exe	105
PID 1384 wrote to memory of 1984	1384	IR.exe	104
PID 1384 wrote to memory of 1984	1384	IR.exe	104
PID 1384 wrote to memory of 1984	1384	IR.exe	104
PID 1384 wrote to memory of 2560	1384	IR.exe	101
PID 1384 wrote to memory of 2560	1384	IR.exe	101
PID 1384 wrote to memory of 2560	1384	IR.exe	101
PID 1384 wrote to memory of 1712	1384	IR.exe	103
PID 1384 wrote to memory of 1712	1384	IR.exe	103
PID 1384 wrote to memory of 1712	1384	IR.exe	103
PID 1384 wrote to memory of 4324	1384	IR.exe	102
PID 1384 wrote to memory of 4324	1384	IR.exe	102
PID 1384 wrote to memory of 4324	1384	IR.exe	102

C:\Users\Admin\AppData\Local\Temp\a12f69255b91e8b44c0e9669a79b5892.exe
"C:\Users\Admin\AppData\Local\Temp\a12f69255b91e8b44c0e9669a79b5892.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\cb.exe
  "C:\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\cb.exe"
  2⤵
  - Executes dropped EXE
  PID:4672
- C:\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\1EuroP.exe
  "C:\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\1EuroP.exe"
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\2IC.exe
  "C:\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\2IC.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  PID:5116
- C:\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\3E4U - Bucks.exe
  "C:\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\3E4U - Bucks.exe"
  2⤵
  - Executes dropped EXE
  PID:4048
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 516
    3⤵
    - Program crash
    PID:1332
- C:\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\IR.exe
  "C:\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\IR.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Windows\SysWOW64\net.exe
    net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:2560
- - C:\Users\Admin\AppData\Roaming\m5bw8pr.exe
    C:\Users\Admin\AppData\Roaming\m5bw8pr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4324
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= DISABLED
    3⤵
    - Launches sc.exe
    PID:1712
- - C:\Windows\SysWOW64\sc.exe
    sc config wscsvc start= DISABLED
    3⤵
    - Launches sc.exe
    PID:1984
- - C:\Windows\SysWOW64\net.exe
    net.exe stop "Security Center"
    3⤵
    PID:3716
- - C:\Windows\SysWOW64\Rundll32.exe
    Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Roaming\mdinstall.inf
    3⤵
    PID:3484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\um1uox4ss.bat
    3⤵
    PID:2284
- C:\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\6tbp.exe
  "C:\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\6tbp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\rowsct.dll",Startup
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4048 -ip 4048
1⤵
PID:652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\1EuroP.exe

Filesize
172KB

MD5
c78858a5387f9e6039052337a60e1c9f

SHA1
64a4f563660b237d7979842aee3e0e814bdf6dc3

SHA256
585198c25b353243c10aaf423bd38b274e1acd3e3b82f589e310bb611f249b0c

SHA512
2cc1e2eaea5cc9738f2dbd3e11652b06a0043576f1824b7971a9d3181b7038eeb06af69cdacbe31ecbb7bd3ec5947001ea0e955bb2458b099c2e7717e4ef8eec

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\2IC.exe

Filesize
176KB

MD5
0833072c350b80d75b41350eaa91b8f9

SHA1
7da1f4489ce39df76ab3962dec2c0b2494eba5bf

SHA256
139adf83da42f7d18c83a27f0bb7d9e8d5515c60acb549cd8df6f1bef40906c7

SHA512
1743aff9b711712fbe1591682c01bbcc9786ed5a3f172cd54468b79799f43c6fbeae604c94c780e63354cd7e9d904c4757c0602014fb5493b2c55bb816cd43d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\3E4U - Bucks.exe

Filesize
27KB

MD5
5f6c6b5e491ac60e088adba6dd5791c2

SHA1
292f4b81b3eee53877c672faf540aceeb2fc881f

SHA256
b010d2d5cdee46b1b97b88aa48968ffd34f6e3e382b250c98f2e1a89c950e018

SHA512
59c15d1a3f8d14eb441bb6e187cd91eaa13114afa1d8220aa7d08e259ee28af6bab92258b624d9824944b1776f916b6b551f3c3be982262d28b5330c7ba28252

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\6tbp.exe

Filesize
120KB

MD5
9cea92b564d09997cef7769eb6364a74

SHA1
9cb90c8baa2e22381086da6c7d89f04610a47cfe

SHA256
939dc43e2355d0a478de8f0770652093f63c28c49d86abdaaa9f20ae48d6137d

SHA512
4e186f6f7825ff8230f3073560dc26a339c20b08c0f03413b12075fc861200a581e68df96c9801af3d33f30f6c773a05318238822abe9cd171f00d2f736a85bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\IR.exe

Filesize
176KB

MD5
249805102fbd08d7fb9b47499ad25479

SHA1
ee28f439b5dc814eec561d77e6d1285640d5cc4e

SHA256
fb47245c821a1aaf9ea6dfc0dffecf478614dc7c88e119695af940c2a2f35eb4

SHA512
e6a2b866fe40395ae74c7a5339e52ba90132122a62f1c0c778c3488f77b2017e47c86f7714f92ae2fae1196feddafb9d4932f0914f7ecc50c66e65ebb0ac5608

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\cb.exe

Filesize
3KB

MD5
46e07fd3a40760fda18cf6b4fc691742

SHA1
53ee1a754bf5e94fa88a6ab8bb6120b4011afcfa

SHA256
bd7ca609d2fb63e14d08acab1091579c23e298b4fa2ac1e8d2daaff94fc107be

SHA512
ce13f6527cbd13002dca00b71ab38ab12e3f3f7138ada0780ad3f40e7c49946c018a00782ec957b1fd123fb439aabc0d9b3660829dabf10ddcebba08d6e2fbbd

Download Submit
C:\Users\Admin\AppData\Local\rowsct.dll

Filesize
120KB

MD5
0fddb4583534718972194a1ded2206e6

SHA1
56f4b709ce11e595c168e9612b26fd9f606b0e59

SHA256
b2057cc655156cf142995d137c860ae69ec1134a20d180ea94d135788151b822

SHA512
35a24f8962779c578d5dfb09cb94f97fb04acfe1e922af2a9da38ce408e738fd52a581c10cf751188b5a49d9eb5d1d0a751b848f3f28b42b63ed6ad96f6dcd5d

Download Submit
C:\Users\Admin\AppData\Roaming\m5bw8pr.exe

Filesize
64KB

MD5
59d8f5392bd0f05aaec5935fd0f2a066

SHA1
910b7ce7cf4d236e073243bd2757b47d6f93fcb6

SHA256
39b9e0936c0ca101b3075ccd3ba7879dbee2b96b112c2d24e963cec174516186

SHA512
d487d4d2c4e614871aa8075347af7d453a50f19199539a2357607bf4eea15600c073653436f517a493049fe980535fd402371290643f0660d5cb283f1aa46faa

Download Submit
memory/1244-68-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/1244-61-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1244-88-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2332-33-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3068-78-0x0000000002280000-0x0000000002290000-memory.dmp

Filesize
64KB

Download
memory/3068-77-0x0000000002280000-0x0000000002290000-memory.dmp

Filesize
64KB

Download
memory/3068-91-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3068-75-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/4048-72-0x0000000000BB0000-0x0000000000BE0000-memory.dmp

Filesize
192KB

Download
memory/4048-67-0x0000000002850000-0x0000000003310000-memory.dmp

Filesize
10.8MB

Download
memory/5116-82-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5116-83-0x0000000002080000-0x00000000020C5000-memory.dmp

Filesize
276KB

Download
memory/5116-84-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5116-86-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads