9aa5cbc8a45a6b921b4eb7b098b17cbc5e8c7f5f90ae824af7c0b14915944818

Resubmissions

16/03/2024, 01:20

240316-bqgjzagd6y 3

16/03/2024, 01:16

240316-bmydbagc8s 7

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16/03/2024, 01:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

UndressMe.exe
Size

2.1MB
MD5

512b987a950fb54f7a30439863a8af32
SHA1

143f645c0d026a738562909aa87d6c2728b2ce88
SHA256

9aa5cbc8a45a6b921b4eb7b098b17cbc5e8c7f5f90ae824af7c0b14915944818
SHA512

a538e29928fffd73f28fe6eb231d480c21e0276b4111463a655901ff57f8d6eca87458b03c03ef4fab8d6f23c961583128157d49be12fa795b21d5a9c8b8c394
SSDEEP

49152:PB0//p5dr/jdTMdnARAF/TCQZfxMawExWc1dPyF:m3dtTMdnASF28xM/WdP+

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	UndressMe.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3160	UndressMe.exe
3160	UndressMe.exe
3160	UndressMe.exe
3160	UndressMe.exe
3160	UndressMe.exe
3160	UndressMe.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	916	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	916	AUDIODG.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 4080	3160	UndressMe.exe	95
PID 3160 wrote to memory of 4080	3160	UndressMe.exe	95

C:\Users\Admin\AppData\Local\Temp\UndressMe.exe
"C:\Users\Admin\AppData\Local\Temp\UndressMe.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4080

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4 0x474
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ukraine.wav

Filesize
2.8MB

MD5
19fa73dcacaaf8228a07ebeab690a88e

SHA1
1a13ad4df4f09e75020fb4086c6d24f60b29a6f5

SHA256
920a3346ea2702604409ff23befdd91fa6ddc50c974ab7f1e456c91277c2aeb2

SHA512
41668593146f9697657ce8cca5fed8d0aff36c6c8e320836551c46c6443b5a75a8ae09b3aadcff18111086838ac3efc4f53e74f764745c46d70345fa82fc8b48

Download Submit
memory/3160-0-0x0000000140000000-0x00000001405DE000-memory.dmp

Filesize
5.9MB

Download
memory/3160-14-0x0000000140000000-0x00000001405DE000-memory.dmp

Filesize
5.9MB

Download