d678c16ddfed96314e5c5a16751efbfa2136ce70f81a780273e1f3706981f70d

Analysis

max time kernel
93s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2024 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

3.1MB
MD5

ec30099424ac591d412d7af70500cd27
SHA1

053e567d81dba4ce07efad343193bae917cdf117
SHA256

d678c16ddfed96314e5c5a16751efbfa2136ce70f81a780273e1f3706981f70d
SHA512

4eb3902fa7b0a8b2f7a16e33b284717e4465146e64c0d8968699abf947d603aad7d971a7b73aa6ed70e3a9b9bf21812508a9e209a1c8dcf6da849e7f7df73fba
SSDEEP

98304:E/5TvaInDQBJ+kASYRpHvAhF8VJV64wxa:E/xvaInDeJXASYRpPcF8VJg4wE

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	tmp.exe

Executes dropped EXE 5 IoCs

pid	Process
5024	7z.exe
3768	7z.exe
376	7z.exe
4924	7z.exe
2644	Installer.exe

Loads dropped DLL 4 IoCs

pid	Process
5024	7z.exe
3768	7z.exe
376	7z.exe
4924	7z.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2644	Installer.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeRestorePrivilege	5024	7z.exe
Token: 35	5024	7z.exe
Token: SeSecurityPrivilege	5024	7z.exe
Token: SeSecurityPrivilege	5024	7z.exe
Token: SeRestorePrivilege	3768	7z.exe
Token: 35	3768	7z.exe
Token: SeSecurityPrivilege	3768	7z.exe
Token: SeSecurityPrivilege	3768	7z.exe
Token: SeRestorePrivilege	376	7z.exe
Token: 35	376	7z.exe
Token: SeSecurityPrivilege	376	7z.exe
Token: SeSecurityPrivilege	376	7z.exe
Token: SeRestorePrivilege	4924	7z.exe
Token: 35	4924	7z.exe
Token: SeSecurityPrivilege	4924	7z.exe
Token: SeSecurityPrivilege	4924	7z.exe
Token: SeDebugPrivilege	2644	Installer.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 4916	4088	tmp.exe	84
PID 4088 wrote to memory of 4916	4088	tmp.exe	84
PID 4916 wrote to memory of 3028	4916	cmd.exe	86
PID 4916 wrote to memory of 3028	4916	cmd.exe	86
PID 4916 wrote to memory of 5024	4916	cmd.exe	87
PID 4916 wrote to memory of 5024	4916	cmd.exe	87
PID 4916 wrote to memory of 3768	4916	cmd.exe	88
PID 4916 wrote to memory of 3768	4916	cmd.exe	88
PID 4916 wrote to memory of 376	4916	cmd.exe	89
PID 4916 wrote to memory of 376	4916	cmd.exe	89
PID 4916 wrote to memory of 4924	4916	cmd.exe	90
PID 4916 wrote to memory of 4924	4916	cmd.exe	90
PID 4916 wrote to memory of 1464	4916	cmd.exe	91
PID 4916 wrote to memory of 1464	4916	cmd.exe	91
PID 4916 wrote to memory of 2644	4916	cmd.exe	92
PID 4916 wrote to memory of 2644	4916	cmd.exe	92

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1464	attrib.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /s"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:3028
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p203191166116007172592330639 -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:5024
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3768
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:376
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4924
- - C:\Windows\system32\attrib.exe
    attrib +H "Installer.exe"
    3⤵
    - Views/modifies file attributes
    PID:1464
- - C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
    "Installer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\Installer.exe

Filesize
1.5MB

MD5
46bcf257155884c0686af49327800bcb

SHA1
000b2238f6c32d2ff2440d499e52ef47a73a65bc

SHA256
1cf0e368731371f5f0af0aa6932b3cc26a5c54102b3dbaee2371436cdaaf6b74

SHA512
8a89f27d9feb5ae40a4fa23f5e95a595924fc73915d7b3ac7900a3123cef97250410a0258593819ef1d94cb04d9d0558e6e9e3ba36f5ff8ac1bc2c5b7d893e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.2MB

MD5
ba9fc86780e989528708e6b185c4203f

SHA1
14d0a15b880e74d471cce2e954ff9c28f618eef4

SHA256
fd27d02aecfcae2c6f907caaf48c9910af176fe14e020f525ea49dc4a1aa3046

SHA512
d471c0c0eb3d84b403d946c43848088942b5022c100c93024752ca1ba0312d4b661b2fe33125d1f0049a1ff3894c207f47a5a46dc08da799103334a470274467

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
629KB

MD5
19bd7bd6369541ba3180e6a59af9f75c

SHA1
7b0423ff4f24aacd9bb1e107fb24f0d0c333151a

SHA256
513c16d3b97ecbf17613d97c2dbf98a424bf2a83444388e7d0a976c6808db955

SHA512
94d7ce55033ba3bae8fc916d674d060da12dd062204a9f8411b154f2d33f08517c7b0394b17165c61c52e807cfac2e9ff7f1e0cd14d12a5599d5da1efab6ae82

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
613KB

MD5
1bc8ac23f8be534702fdde2c8969770e

SHA1
7831ecd51b1ca7e6a3818923dc7bbe9b140415d5

SHA256
b809e1ea42b7521d2e868ef41d5300dd62957458b5db828980f1a91224d59d66

SHA512
60bb61c03a8c4fca6146884569606a4b9685ff704e24a3c6ceb9aa93559ad95f296aff145ef5e2d5c8089fd456930616ea634bb9a25e445f0d1f224a63d340e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

Filesize
2.2MB

MD5
4d2a676b984b8a4cc34eee6869c0f42a

SHA1
bed6423862f9bb039cf7471554b05290b4250d56

SHA256
4e02f1cfc7602eb797f9fab90499bbca5be464b70e0c6ea205b0e9d69ae45217

SHA512
4936d631c7c855e59dffdd52d91ee91998b2c152640325ff9aa4236213d22d4e26bbada1d90a5e97fb7d3af1a76612ea53257c8ddc41eb7db970b0fcc552aa7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
2.2MB

MD5
420d6d1e39f209d0933eec13102ba60a

SHA1
1e6f56a27ba2364d994c8a5f2c8e5a44af05e8c8

SHA256
2abf81d7074d3b461c39aaa136a0e12168cd886bdc8acea1a5eb1733fa5bd240

SHA512
a18754eabd54dc32269f247bd32be755fd7fdac671dace2ba1ff78aad2d6f04798f07b5056abdd5384349c4591cac018cc18e68e9efd9641f9687d3acdab60cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
473B

MD5
cd755c700e3ebf048750493716b2183f

SHA1
3c90169fc007634bcef04619673126d110da5f03

SHA256
b4a6603abc6445d9287d00bcf2ab6165ab06ec8d9226fb1ffbd6d3a40d561d52

SHA512
5597c08646380d8db7c3de25e73eee9139fc96a9cb024105a6d92bb1df9db58048d79e9faffc56f16bceb6977fd69ee90ac3e95d2b5bfff54771f5546ec66abb

Download Submit
memory/2644-43-0x0000000000100000-0x000000000027C000-memory.dmp

Filesize
1.5MB

Download
memory/2644-44-0x00007FFFD7840000-0x00007FFFD8301000-memory.dmp

Filesize
10.8MB

Download
memory/2644-45-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/2644-47-0x00007FFFD7840000-0x00007FFFD8301000-memory.dmp

Filesize
10.8MB

Download