1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264

General

Target

1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe
Size

1.6MB
MD5

b22270d4f34b77e9b058073fe86bc54a
SHA1

a19dffbad17b8ae56d90d4af77e8e5006432e68e
SHA256

1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264
SHA512

9373bd6da7462a9e069170100523a77bb33e1570fa28bd8c8bc7d61463ec9faf2fcf79cbca4f4029ea59e37242116def5383d05fa1158e356dcc3c46ac146ed2
SSDEEP

24576:gPTSFvPz6LOpNNYVe16EEqk3a+WFEtsrJfo4u0+t7Teed24b6IQ+:gazfdr+WdrJQ4uztG8tV

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3772-1-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3772-4-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3772-5-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3772-3-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3772-6-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3772-7-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3772-9-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3772-11-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3772-13-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3772-15-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3772-18-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3772-21-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3772-23-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3772-25-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3772-27-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3772-29-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3772-31-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3772-33-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3772-36-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3772-39-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3772-41-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3772-43-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3772-46-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3772-48-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3772-50-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3772-52-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3772-72-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2752	4872	WerFault.exe	93

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3772	1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe
3772	1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe
3772	1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe
3772	1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4872	1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe
Token: SeDebugPrivilege	3772	1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4872	1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe
4872	1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe
4872	1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe
4872	1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe
3772	1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe
3772	1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe
3772	1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe
3772	1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe
3772	1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 3772	4872	1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe	99
PID 4872 wrote to memory of 3772	4872	1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe	99
PID 4872 wrote to memory of 3772	4872	1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe	99

C:\Users\Admin\AppData\Local\Temp\1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe
"C:\Users\Admin\AppData\Local\Temp\1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Users\Admin\AppData\Local\Temp\1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe
  "C:\Users\Admin\AppData\Local\Temp\1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe" 475083
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 1792
  2⤵
  - Program crash
  PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4872 -ip 4872
1⤵
PID:1276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=3044,i,17059189006398306756,4247826696353232857,262144 --variations-seed-version /prefetch:8
1⤵
PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7BCD0073E18CD58350F13D78BD31AF51

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
memory/3772-25-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3772-48-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3772-5-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3772-3-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3772-27-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3772-7-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3772-9-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3772-11-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3772-13-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3772-15-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3772-18-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3772-21-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3772-4-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3772-23-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3772-6-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3772-29-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3772-31-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3772-33-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3772-36-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3772-39-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3772-41-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3772-43-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3772-46-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3772-72-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3772-50-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3772-52-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3772-1-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4872-0-0x0000000077214000-0x0000000077215000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing