1619cb812fd84f0b2a32d0ff2cf1e71760514db530306de351e6808eafca474d

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1922b9ae0018f3395832fc3f174eda5.exe
Size

141KB
MD5

c1922b9ae0018f3395832fc3f174eda5
SHA1

41137f137123790086025efb2531eaa96665e4fa
SHA256

1619cb812fd84f0b2a32d0ff2cf1e71760514db530306de351e6808eafca474d
SHA512

b4591bfda65c23b5bcf7d330fea64097e1021e6d2187d87c7a9cebc62a12351e553d39313ae953a913696a7a512bb483f95e77ca77fcb4b56dd08c417a7ae577
SSDEEP

3072:JUy3Rg3cyCLosIDDkPWN+hWdY+pLlDov0ck1rEU1tUqo47D:22m3JCE3kPAdhg091QUPUy3

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	c1922b9ae0018f3395832fc3f174eda5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	windowviewcon_ins.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	windowviewcon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	windowviewcon_uc.exe

Executes dropped EXE 4 IoCs

pid	Process
4740	windowviewcon_ins.exe
1800	windowviewcon.exe
2872	windowviewcon_uc.exe
2092	windowviewcon.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000b0000000231fa-12.dat	upx
behavioral2/memory/4740-20-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral2/memory/4740-41-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral2/files/0x0007000000023211-56.dat	upx
behavioral2/memory/1800-63-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023212-64.dat	upx
behavioral2/memory/2872-69-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/4740-252-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral2/memory/2092-327-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/2872-354-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/1800-497-0x0000000000400000-0x000000000043A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WINDOWVIEWCON_UC = "\"C:\\Users\\Admin\\AppData\\Local\\windowviewcon\\windowviewcon_uc.exe\" /run "	windowviewcon_ins.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windowviewcon.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings	windowviewcon.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4740	windowviewcon_ins.exe
4740	windowviewcon_ins.exe
4740	windowviewcon_ins.exe
4740	windowviewcon_ins.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1800	windowviewcon.exe
1800	windowviewcon.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 4740	5072	c1922b9ae0018f3395832fc3f174eda5.exe	92
PID 5072 wrote to memory of 4740	5072	c1922b9ae0018f3395832fc3f174eda5.exe	92
PID 5072 wrote to memory of 4740	5072	c1922b9ae0018f3395832fc3f174eda5.exe	92
PID 4740 wrote to memory of 1800	4740	windowviewcon_ins.exe	102
PID 4740 wrote to memory of 1800	4740	windowviewcon_ins.exe	102
PID 4740 wrote to memory of 1800	4740	windowviewcon_ins.exe	102
PID 4740 wrote to memory of 2872	4740	windowviewcon_ins.exe	103
PID 4740 wrote to memory of 2872	4740	windowviewcon_ins.exe	103
PID 4740 wrote to memory of 2872	4740	windowviewcon_ins.exe	103
PID 2872 wrote to memory of 2092	2872	windowviewcon_uc.exe	105
PID 2872 wrote to memory of 2092	2872	windowviewcon_uc.exe	105
PID 2872 wrote to memory of 2092	2872	windowviewcon_uc.exe	105

C:\Users\Admin\AppData\Local\Temp\c1922b9ae0018f3395832fc3f174eda5.exe
"C:\Users\Admin\AppData\Local\Temp\c1922b9ae0018f3395832fc3f174eda5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Users\Admin\AppData\Local\Temp\windowviewcon_ins.exe
  "C:\Users\Admin\AppData\Local\Temp\windowviewcon_ins.exe" -pid revealer -a n
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Users\Admin\AppData\Local\windowviewcon\windowviewcon.exe
    "C:\Users\Admin\AppData\Local\windowviewcon\windowviewcon.exe" /run
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:1800
- - C:\Users\Admin\AppData\Local\windowviewcon\windowviewcon_uc.exe
    "C:\Users\Admin\AppData\Local\windowviewcon\windowviewcon_uc.exe" /first
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Users\Admin\AppData\Local\windowviewcon\windowviewcon.exe
      "C:\Users\Admin\AppData\Local\windowviewcon\windowviewcon.exe" /run
      4⤵
      Executes dropped EXE
      PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\J3U83TL1\boot[1].htm

Filesize
2B

MD5
e0aa021e21dddbd6d8cecec71e9cf564

SHA1
9ce3bd4224c8c1780db56b4125ecf3f24bf748b7

SHA256
565339bc4d33d72817b583024112eb7f5cdf3e5eef0252d6ec1b9c9a94e12bb3

SHA512
900110c951560eff857b440e89cc29f529416e0e3b3d7f0ad51651bfdbd8025b91768c5ed7db5352d1a5523354ce06ced2c42047e33a3e958a1bba5f742db874

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K4KS10IH\auction[1].ico

Filesize
17KB

MD5
c0407c6cb439009e68c78e2456efbdc6

SHA1
e6b5f72938ec16fce6c20f9e4d2016465f0fb37b

SHA256
047ffc7c33507a45e422ff331f53be249bec77cde383119cdd5b82d0bacdfb2f

SHA512
00b22363502570f0b9fc1adca9f2eaba5fde6bc44ccaf7842a949c4eae9720a9d309ab6c8245b5d2ce32ad547cc38c51fad97221cdaab8edb4e29603b4acaeb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K4KS10IH\gmarket[1].ico

Filesize
113KB

MD5
f2a4e8d3cd319a5c131af31900b1ac5b

SHA1
20bc0e7c3b6d60acd2c9a33fbcc83637cd164f3d

SHA256
214a6da24c56caf00372fcc54e4f9a1e6d5be2ec373531cc0cc3df2776fd5331

SHA512
839281f7e7d2e42773fa574a5a1d5591a55367a49f9dcf4e3fcac71e58d482b2fa6a5dd2219e1f4054e553226c6d4b43aff076be3a9de3d48f57bd01b69de825

Download Submit
C:\Users\Admin\AppData\Local\Temp\1715043.tmp

Filesize
148B

MD5
62bbdcfcc41ff4e1317fc3b6cab05e1c

SHA1
8ee2fda1c337158be197e95abb6a1338509b3946

SHA256
6eb8d6850460cae5568ac494688a6472fdc4addd4c987b4058c4b57b4565008a

SHA512
7932907fbb5e003d235f74aad8545093810ed91ac046a8d37132f191dbe93b57b151f811bec6514d4ae83fa50fa27859fffb92b82444f79ad4034b0006dbddc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1716BBA.tmp

Filesize
598B

MD5
ff6b9be3e47ec5c11484f1b3555dddba

SHA1
96cdc7370a437ca6dc8bc407ed23309dd705393d

SHA256
a41b899fe6876ff7cf7de1f9e236614c8250003a87460d6343d5be2106ac77af

SHA512
b7d10ebf01f1e5f1249a270a7d00c60fb123f64702305a72976bb0a500734c0546c85bda53f3acc5372fa4203a4274a569d365b25588c2a5e2186a21e86438cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1717187.tmp

Filesize
244KB

MD5
fb52fda427cc4c9d8244ea971b532d98

SHA1
e133e383c1545d69065f0008939c7ebe42979d18

SHA256
cc04adb439fbd9581b22cfab9a269ce3c9b4f5a408f262b22c66bb6187eeade1

SHA512
d8c92cd3e0f355d513db3c56c592f33af88366a7486591cb9e3ff81cd492ed83d5ca2092e072264d673d4983dfb681f7c8ea61519698da6d6a80205638bc0cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1719FF9.tmp

Filesize
2KB

MD5
8ddc904d3f88d19854d653240fa30f4f

SHA1
cce551dc44777bcff621295d09e9ec3b328e9012

SHA256
54d2f160cceb1e48a67835677488879fe2323bd300fb5c0bc87b90269c9dc956

SHA512
473f566504fe8935657df92227e4488013bca743066b9affeed26d7b29674c44bc6664ea3c4d149bff9fe09a17ccbbb6c52a21ee39bb478ba5a07a96bcf5edbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\171B660.tmp

Filesize
397B

MD5
2521e9db62f4b6c7e47fbfcf71398fc5

SHA1
6b115ddf78bc0101fb7bf4126f2b665742ec97fe

SHA256
d9758d0eb1db9fc9a0d0800ce6353e4d9a4cedf97415eb8521961c8a3ad12e9f

SHA512
aefbce37297d29e35af357f24752e41b6329fe47b8a21ee49318b4d44ba8eb0982de0e1e429b28946ea6fd4be064e57b632233bd455629f4391c469030e54174

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowviewcon_ins.exe

Filesize
96KB

MD5
4a974b5beee57107f723c6b1e4e4590c

SHA1
6f5c7a3562a535ba047978d8a96d432c18b36f29

SHA256
2af4777f94bc30370735a110e3c0957a27370d4f889c9a49b9c8d0537b12d573

SHA512
9d30903b071eb8b637787ce1321503a58d10db993dff52c25080cf1f6c7c358bc20baa5c56e35fa8c8bdb82f1168b83adce35a7f9f664f04fac6c8f5b4c12ecc

Download Submit
C:\Users\Admin\AppData\Local\windowviewcon\windowviewcon.exe

Filesize
88KB

MD5
4c9f3e3f3a5654855f13e3c37237fdd2

SHA1
2bcd8bea79cfc629a780ccb7d1b869c68dd86ed0

SHA256
3a975e07ce9d38d423a0721d313af44235c4265aee64d62e72ad496468e62d24

SHA512
0de7b3a27f89e55bd89c42533b1911be30590bef1a0637fa0e0e6d935730df0012a175b27396ec1f2c9825c85ec839e7da6212f3777b354306b123a1eb76e076

Download Submit
C:\Users\Admin\AppData\Local\windowviewcon\windowviewcon_uc.exe

Filesize
90KB

MD5
46d8bcf39b740e160b0d8acab62644ca

SHA1
bcec889903702cf7b227f9c86e4771e86e4c2920

SHA256
c399d5f2a1df247d7bcc7e807405c45193d934bbb3837835c9200f7f3f90cfd0

SHA512
0be7e9a0b69d69d679d38afd1637aa1c87544185d1bba9fcbdb74d48192fdf209a9f6adbb08c499183b5402795f9b99df251fbb11b73f94cec31377434ee470a

Download Submit
C:\Users\Admin\AppData\Local\windowviewcone\StartMenu\G¸¶ÄÏ.lnk

Filesize
2KB

MD5
a0d43f14ababb1a37fb348e3c17cc2f8

SHA1
713020bcd476e47b683c287b960cc399d291091f

SHA256
6cff35984b4fd6eac8a643c6b5b236bf23c519ec11341cd03e7266a09eb2695b

SHA512
0f93e15f5eb703917796939718b468420ff7cb43d545ab34aec7cc2736d3b78c25ed010f3526df9f8beee530df8ac0424382493e43a5ba8b7b787e43e7ba2bbb

Download Submit
C:\Users\Admin\AppData\Local\windowviewcone\StartMenu\¿Á¼Ç.lnk

Filesize
2KB

MD5
322489db9791293c3f6b36e9bebf8188

SHA1
074efb1f3d447a5f2be41b05e68f00eedd582cc6

SHA256
dd65a4f4a9a9c295f3b199c8d3674c0a048d7657668708beec59c51d35d70db0

SHA512
3779636dd26deb9bcf4f9f0d15b061da8a40de97ad8b3fd0879d8d6176ef592bfbf7acfcd57a010ce044265ef57b430b7e3dca1cd95ca3a8b848cd30dda74cc2

Download Submit
C:\Users\Admin\AppData\Local\windowviewcone\TaskBar\G¸¶ÄÏ.lnk

Filesize
2KB

MD5
079e253037a6c4360470fdbf29a83edb

SHA1
3bc7d35e41a98a4c56f44f4af60d39169b1075ec

SHA256
6c6a34e909891475b7f68d2dce600565ddeafa8e1d56322034fa1fa1d97d9ec7

SHA512
33a3c332adf07509fc3100d04c4947a2499a777658e3cba21d4f2fc58a844dda060961caf2f5225a6d0b9bee03e76f98736d90c5f8bc1e7b85a4ecb2dcb6fa9b

Download Submit
C:\Users\Admin\AppData\Local\windowviewcone\TaskBar\¿Á¼Ç.lnk

Filesize
2KB

MD5
97941a021489d579cdea85d2ecaae9ea

SHA1
e54822c07f26732d14b2fd84e081ca3ec228f449

SHA256
c5930da7dc236716d87e3f822b0be2427de105bebcd8ce4b84933d126652d8d1

SHA512
0399d0ad7eb3c7983f13c04d615e5093a622dbc26f46e391974fdd1cd6364466ccf76858bb59fd279e2bf1a9e4d4412eb04a83d3b01776e658f6cd96f129f5f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\G¸¶ÄÏ.lnk

Filesize
2KB

MD5
b73d1560187f6786ec349738885632e1

SHA1
360e1f21b7d14abf5532059e4d59a4dda988c638

SHA256
3e732d7178b8daf46007bce610c6b01eeb8473b70dda4464dc72d9e23b4cd7fe

SHA512
f3b857e4122e8dcb58579da8dedf8a8b9ca4411eacefdcb6599550d2187de39ef5081b41a47920c5f87250724c2130ddb3d11ff960e6c5d7191546f492a387d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\¿Á¼Ç.lnk

Filesize
2KB

MD5
5872b7515938fcb3b13d7beae90bdb32

SHA1
71db31d1394cf2ae4a1822d4b60a8d5ca42327d5

SHA256
917f19c319ac9fc2697e2c110397f0add60d9088efb76b1290d03c9a72c25737

SHA512
fcaf974334a1d422b59ac60433e1e317c80783af1949fb63ac15a227446a5fa779312ed7c6e26c8ad597b5bf49292e46ddc928817f35861d1f8fd2ccba9f6a95

Download Submit
memory/1800-497-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1800-63-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2092-327-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2872-354-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2872-69-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4740-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4740-41-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4740-252-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download