276e6eee9af3d0e3892a7594592aa16b9db4f22abf12be63549891871f13bd0b

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-02-2024 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MaChao Indicators Build 28Sep2023 Installer version2.exe
Size

1.0MB
MD5

3dc94b01ef6fa19a8448752cad869cca
SHA1

17ada6539efae0b837b5a5310f160ff28206276b
SHA256

395f6e2b174423eea1882d133eb7fc082725e7c4f4fb5812052cb2668d39fb55
SHA512

415122317e6464e7d87d88ac683f5b123109a1764eb34859b8b1a3f11448189fe93719c64a46556fc5a91542b28defdd9fc5144d1a4699851c864093d7fa0329
SSDEEP

12288:pBUAbUxvIP+AXARutmZpMgHcyTgfXsqApuYV5SdMbXY6sxjjhhi7KDRU1ndruGwF:JUg+AXmzvHcyQA4oUaa1jHiWnGwmkyBS

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	MaChao Indicators Build 28Sep2023 Installer version2.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2772-0-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/5068-2-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/2772-4-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/5068-5-0x0000000000400000-0x0000000000500000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2772	MaChao Indicators Build 28Sep2023 Installer version2.exe
5068	MaChao Indicators Build 28Sep2023 Installer version2.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 5068	2772	MaChao Indicators Build 28Sep2023 Installer version2.exe	89
PID 2772 wrote to memory of 5068	2772	MaChao Indicators Build 28Sep2023 Installer version2.exe	89
PID 2772 wrote to memory of 5068	2772	MaChao Indicators Build 28Sep2023 Installer version2.exe	89

C:\Users\Admin\AppData\Local\Temp\MaChao Indicators Build 28Sep2023 Installer version2.exe
"C:\Users\Admin\AppData\Local\Temp\MaChao Indicators Build 28Sep2023 Installer version2.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Users\Admin\AppData\Local\Temp\MaChao Indicators Build 28Sep2023 Installer version2.exe
  "C:\Users\Admin\AppData\Local\Temp\MaChao Indicators Build 28Sep2023 Installer version2.exe" spawn
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2772-0-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2772-1-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/2772-4-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2772-7-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/5068-2-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/5068-3-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/5068-5-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/5068-9-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download