Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-03-2024 11:36

General

  • Target

    cdf6aebe5de273b6f5d54ee844b3eaa8.exe

  • Size

    408KB

  • MD5

    cdf6aebe5de273b6f5d54ee844b3eaa8

  • SHA1

    00ec31c8deaf1e6329a317dd95e0d6587f9fe137

  • SHA256

    52ce9cc373bec4f16a17d1c84bfda66b22e245c186d03022da08170f83552582

  • SHA512

    4c79d9f0d64f7a27431a301d6e928ec95068277d1543c4400e7dd0f328dfb712d310803dadd6444778289ae748a0b28eb00bf2d0762cf0fa352372b5a574d4c5

  • SSDEEP

    6144:C5+IFll+0ICu/5a0huFFEM6LYXxApXXOCASiwQMKlSef:K+IFlg06/opFEZsXx4H+G/Khf

Score
8/10

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3444
      • C:\Users\Admin\AppData\Local\Temp\cdf6aebe5de273b6f5d54ee844b3eaa8.exe
        "C:\Users\Admin\AppData\Local\Temp\cdf6aebe5de273b6f5d54ee844b3eaa8.exe"
        2⤵
        • Checks computer location settings
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4472
        • C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe
          "C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe"
          3⤵
          • Adds policy Run key to start application
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4804
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Modifies Installed Components in the registry
            • Suspicious use of AdjustPrivilegeToken
            PID:1996
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:5112
            • C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe
              "C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe"
              4⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in System32 directory
              • Modifies registry class
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:708
              • C:\Windows\SysWOW64\WinDir\Svchost.exe
                "C:\Windows\system32\WinDir\Svchost.exe"
                5⤵
                • Executes dropped EXE
                PID:3244
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 584
                  6⤵
                  • Program crash
                  PID:4668
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3244 -ip 3244
        1⤵
          PID:3348

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Admin2.txt

          Filesize

          224KB

          MD5

          d2a8d47bc857439cfecd0ca8d4a1ff7e

          SHA1

          8076776b9354069adf5e6df834cdd08381555b19

          SHA256

          ee58257e1971df5c18732acf8f44c4bfce43ba987ed94a02ef30c2d56d2078ff

          SHA512

          ec9cef5ba0f9a977e6e9327c5dbad0f974047f18a6f99adf3479356399ad5e4d84f0f53273b0aa510696dad687c2fb2af38294f187ae1da20cbfd73854c0201f

        • C:\Users\Admin\AppData\Local\Temp\Admin7

          Filesize

          8B

          MD5

          6517c6a402bd64c59f7f8078aa9285ec

          SHA1

          a6457a6ddb1dedb176df661f61ea0435b0dd994f

          SHA256

          3350bffab58987bb57b92fa169444fb3400a67bc01d677a138788e552fb3f887

          SHA512

          8c301abfc24d14d2ea909c27e5ae577257bef03f41e39fb7d4798b66288ef4f3281c81d17e438765cf7a26debb3519f17366957c1f1759e5c1824a9d1d013d67

        • C:\Users\Admin\AppData\Local\Temp\Admin7

          Filesize

          8B

          MD5

          1f0af7ce9dc9c58728f7edc71c58c5d9

          SHA1

          3ec4c448e5328c468adef3568e7196b3a6d04b42

          SHA256

          949ce0435efb7afccad9212cf0f6f5e5711980a1c1f812b3e822a8eede725f79

          SHA512

          7eac2e6e13eab2a07fa65be3659af2243ac954fb5b64fb3e04629cc4e993f7f5143f29f47007520ad854293f72bf98d11306b7d0bbd327d22f23a5ad3ea51282

        • C:\Users\Admin\AppData\Local\Temp\Admin7

          Filesize

          8B

          MD5

          a0029321b93febc10661f6392c1be251

          SHA1

          58448d6b952ad72886d4d72f9001690efb191676

          SHA256

          c3c30533266286e7401c57b440dd7ec213f607c7075135107ad6e1a696bb2a8e

          SHA512

          0481cff48e2c67eb07fc12b21a6956acafc57831298cba5d614d33520fe8dba352dfd6267f01e02761bc731f39ff0f3cfe89eb50b986dd7a49c51720fbad64c2

        • C:\Users\Admin\AppData\Local\Temp\Admin7

          Filesize

          8B

          MD5

          3307de3b4557aab26420e6cfec874547

          SHA1

          896b7d57be0469ff99bacb78edf1527581dfd2a9

          SHA256

          dad50264d216f7c36b7e770460d6e918ad0ccd67c2df76888f7eabd6b054708b

          SHA512

          309abc99907154f45146ba73778742f2f7d63bb0dc73560330848d683e67f32dd191c70af897507c9ce23bc15690fc6e47945c2f5a4d39f7d6952279ec386e2f

        • C:\Users\Admin\AppData\Local\Temp\Admin7

          Filesize

          8B

          MD5

          3a9677dc6164c19892cb8a5085957a0e

          SHA1

          2c5cb806fb47d4705dee1df4dc1428e58f697686

          SHA256

          cefb049202c9db8cc62cc02bb20039d0d79afbf05df756712d5279286d8630cc

          SHA512

          7711fffade1a72ae3e9c32ac99e31c3b6b88b145eceb905f3a1cfaf9fd344dcd821cf52cdb126451316f311f64ec7bf2d8dbe7f2e5119970f164714c007dfbaf

        • C:\Users\Admin\AppData\Local\Temp\Admin7

          Filesize

          8B

          MD5

          6de7a10ebf2f4fcbc344a025c1760e53

          SHA1

          64ce031d30c3c714374b8170dba6bb63cb32d22f

          SHA256

          9a0d0a3cdeb4a8079f78335c07fd0b0d84a00f5e1147b3fc71ad5ed817af4613

          SHA512

          e7159861f20cbafa4a8666d333d08bd1c45f41ff8f4567a3b0867b724e693a6572749e39bed3a4c5b961cf0c047863426848608907239c1ac644f2553d9c4a19

        • C:\Users\Admin\AppData\Local\Temp\Admin7

          Filesize

          8B

          MD5

          ace64ca058e8e76a4b26cc846901dd51

          SHA1

          ed7c3b6a554050067d787358b802fa279451621c

          SHA256

          b6aa67f69bf8a78c9e9be7803878ff6a751b1ba7ce79a7145876ec58db4845e9

          SHA512

          4f3131f35b0408c586b6273eadcb3c5df98be9828185c48881b83e54152de954bff30e3139dd1ae412e409a321459aefc90d4e9c76b626b799aa105d88d3733b

        • C:\Users\Admin\AppData\Local\Temp\Admin7

          Filesize

          8B

          MD5

          bf449e1f35162e3cea145b56d4a8e4bf

          SHA1

          716c1208e1ec57db9b97a586d1d6993e9df2010f

          SHA256

          2cc04dee389f694f737fd03f4dc4f5f620d00a177dbd508a4b85a1d04fa8961a

          SHA512

          1db44b5390ee0d9a49f6febc39bd4e2402827351e2a19ae2b6428194334c887fafff84dd51a45b32db2632628942f837e5e0e027d4c875abaf63e3b9ccd8bf7e

        • C:\Users\Admin\AppData\Local\Temp\Admin7

          Filesize

          8B

          MD5

          e6acd364066ff0de85a1e51d92ff688e

          SHA1

          4ceb0ea474f5e5f963e8c3469a4d1420a9160a5c

          SHA256

          5d6b4087b13e19fce33e079c63c8f4ce447c12509fec120c8109d7f8fe655e1b

          SHA512

          f82f6f661f55b822bf7791b5c29e62459e7611ca0e0abe927ed48b26ba775b7a9a49b8ce50c9a389e5fbe017c248dd2f84e1f4172d403b7a9572448bb5066746

        • C:\Users\Admin\AppData\Local\Temp\Admin7

          Filesize

          8B

          MD5

          d3180481ad45b72c9bc1ac3a9ffe0878

          SHA1

          04223fe56ece927212c4f268c806add0c18efb7d

          SHA256

          76188a41b79e9f4edd46c661f0c5077cd3f3a4eac17b11e060be0a9144126b26

          SHA512

          bea6cc1199a5ba3f9560a8910438f20ecb1faaed30bd4887a094d14cda75f3359c615d897e72c95e56abadee7d759f3a1aecdba83a55d83573de75675e80e977

        • C:\Users\Admin\AppData\Local\Temp\Admin7

          Filesize

          8B

          MD5

          ae6c60d0c54b40d7051d883be9feeee8

          SHA1

          658dc5fdbb1f131561e54af8d328c0b82318d2d0

          SHA256

          197cff60242c3d1b03add1313ec0ea4e661500b8ec8d3fcd88b10f308767ea8a

          SHA512

          3e044e1ae98444f1b54149e0465c836c307d863ce7e862829aba1046d19789b9f22bf130ac925244ad21ab5cdb468263f6b89509f820d7979ada096eabfc326c

        • C:\Users\Admin\AppData\Local\Temp\Admin7

          Filesize

          8B

          MD5

          8a28cc76e068c8fe33eb6e1a6c2bfd12

          SHA1

          5c50d12e767590c03852476842f767a4209be421

          SHA256

          658564a0ac67e7723b1b9ea73b9abdb0b618b4f2e85abb155c59897b299af215

          SHA512

          775033d248dbb026d8ac27a13e2a8f563ea0baa28efd0255d1e17b43fb50b0894d1dcddb08a53af97f87be0667799a71307a430b15df0ecc2c5b681e41ac9faf

        • C:\Users\Admin\AppData\Local\Temp\Admin7

          Filesize

          8B

          MD5

          61ae0a5752e11b618991bc8fdd7d4d4d

          SHA1

          2d7adf2fe4ce586f6b784ab574fecd5ddf7591c6

          SHA256

          df1e1a8c41102c701afcc0ce64f3039327c7b521363a361ef2029d8cf76e54b1

          SHA512

          19c3e2f6b660037c3079dbadd50e195a3e0d9ea97118d116b115a77be24a3f1628d9f09e0c232bb7df7c1117238ac415a3e28c3be69905e0420d3be2422930df

        • C:\Users\Admin\AppData\Local\Temp\Admin7

          Filesize

          8B

          MD5

          f688940d0a48f0590cbdbb3b182f34ab

          SHA1

          e8d14523b43656ed3e150db46cf7194a989d84d0

          SHA256

          9220c6a9fa734bd29c32062d3f90c5c1667ab61b23cb806ed7b6f30e658b7f2a

          SHA512

          f3cfd799b84289c67c480b411c43d9e7d89d50e15ee7763f4c123334e6aa36f5b62d2db8e23d9b6b8f08f7fdbcd4bc8d853e9295efe0fc445e893a58b75203ef

        • C:\Users\Admin\AppData\Local\Temp\Admin7

          Filesize

          8B

          MD5

          068c64c174066f97153d64b6f7b4486d

          SHA1

          097032e794f3263d8523b04b037233506988ea00

          SHA256

          336f4ed09abc54ee126b539423ef2513ae9420aa7cf75ac10bb6bd11ddc95b85

          SHA512

          5d992eb65d4d29d7034952595b58fb88c0239895d0c990dbecdbe0a4de7e699b547f4a738130cce9fcd49f15729675318ea3c23a358e8d092cd6f96d05e190e9

        • C:\Users\Admin\AppData\Local\Temp\Admin7

          Filesize

          8B

          MD5

          0ed8e53b4ee0f50553400a525bb44c35

          SHA1

          747aa05f1a32afd74d7b0de147522c50b7c298db

          SHA256

          70b74c7c2bec38bb7d51762766f821df5884ed4165ef3ecbc613974ffa82a300

          SHA512

          97cf04ca102b44fa922d4d7feeb80e6f3d66fa3fa9712d0d29e3ad87158813c622068ed5142da9e881b327bdfae166b86425dcfc8d58ff8922ecdb494983f0a2

        • C:\Users\Admin\AppData\Local\Temp\Admin7

          Filesize

          8B

          MD5

          ce0e0e8d6ddbdfe4167f49bd76f00bcc

          SHA1

          19b9746b0539e0f8e2f8f3d347548dc58ed3eb82

          SHA256

          c477bb46236e1798d5d01a20c6d8da438c43688d5b1727cfeb661beeb254f72c

          SHA512

          9fa5373f66b5f418ec2d245dd0e678b51de7e63fe14db48354ad42ecbed5cb99f59356a8705145b584fa6ef2760f0dce0cdb526567b8fbbd1b7223f872d370b0

        • C:\Users\Admin\AppData\Local\Temp\Admin7

          Filesize

          8B

          MD5

          d8f3563177d270d60241baa23831c38b

          SHA1

          8e4ee0d5e675586fb143e639b3024dc76da88ea9

          SHA256

          4c627c5a600cddd46a773db7000ec001e881cc21c46ac59d978beb257b43fdd8

          SHA512

          ea307479ce06af32d47dbc95e1538bb4646819c4c50257a6fa84fe4eb037528ec0c7046b7578c4a6891c20a9b8a8e730e08327c5940780d679b62c30a3d55aaf

        • C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe

          Filesize

          296KB

          MD5

          0548c6a94dec06ff79fa14834deca881

          SHA1

          6035d95be9214b8fb5775b141a9b1156de851d9d

          SHA256

          433a6cc8a87a44d9ad6e789b6f9f496c2f699e2f0793314db04288ee739bd805

          SHA512

          33cbbb976cd035aa1ff409018c239738f78704bd6cb3fa896d39c859aa77917e200c8e772589c30031c2750f7b1e22220191cb4a9aadf91ddb4a3c854c1e8f88

        • C:\Users\Admin\AppData\Roaming\Adminlog.dat

          Filesize

          15B

          MD5

          bf3dba41023802cf6d3f8c5fd683a0c7

          SHA1

          466530987a347b68ef28faad238d7b50db8656a5

          SHA256

          4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

          SHA512

          fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

        • memory/708-153-0x0000000010560000-0x00000000105C5000-memory.dmp

          Filesize

          404KB

        • memory/708-1445-0x0000000010560000-0x00000000105C5000-memory.dmp

          Filesize

          404KB

        • memory/1996-312-0x0000000010480000-0x00000000104E5000-memory.dmp

          Filesize

          404KB

        • memory/1996-82-0x0000000010480000-0x00000000104E5000-memory.dmp

          Filesize

          404KB

        • memory/1996-81-0x0000000010480000-0x00000000104E5000-memory.dmp

          Filesize

          404KB

        • memory/1996-80-0x0000000003AB0000-0x0000000003AB1000-memory.dmp

          Filesize

          4KB

        • memory/1996-22-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

          Filesize

          4KB

        • memory/1996-21-0x0000000000F10000-0x0000000000F11000-memory.dmp

          Filesize

          4KB

        • memory/4472-0-0x000000001BC30000-0x000000001BCD6000-memory.dmp

          Filesize

          664KB

        • memory/4472-13-0x00007FF9C7D20000-0x00007FF9C86C1000-memory.dmp

          Filesize

          9.6MB

        • memory/4472-4-0x00007FF9C7D20000-0x00007FF9C86C1000-memory.dmp

          Filesize

          9.6MB

        • memory/4472-2-0x0000000001460000-0x0000000001470000-memory.dmp

          Filesize

          64KB

        • memory/4472-1-0x00007FF9C7D20000-0x00007FF9C86C1000-memory.dmp

          Filesize

          9.6MB

        • memory/4804-77-0x0000000010480000-0x00000000104E5000-memory.dmp

          Filesize

          404KB

        • memory/4804-17-0x0000000010410000-0x0000000010475000-memory.dmp

          Filesize

          404KB