a05530a0d3a1d9cc1953e8475202a5d768e44e2f48e67b5bf856ef075df2e895

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18-03-2024 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d46da8d8f913e3d0ff2eda2fe6af0cdd.exe
Size

310KB
MD5

d46da8d8f913e3d0ff2eda2fe6af0cdd
SHA1

e6b0ba11670dde3c4af745280f04ac56c45f58ff
SHA256

a05530a0d3a1d9cc1953e8475202a5d768e44e2f48e67b5bf856ef075df2e895
SHA512

3b3c1d704cf12daccc8f8ea6027e62394c4d2979680ea2755708fff0e0c00d3c84b88c41c3054e95270d383fed394ec672d112a186872be3600a94c5ce15fa53
SSDEEP

6144:sUA3U5MQSZILHSWUFXOnqglBn9a01lAS5rnuiVH2Xr:IAbYWkXcx13rDa

Score

7^/10

persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	d46da8d8f913e3d0ff2eda2fe6af0cdd.exe

Executes dropped EXE 1 IoCs

pid	Process
2568	regger.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/228-0-0x0000000000400000-0x00000000004CE000-memory.dmp	upx
behavioral2/files/0x000300000002276e-6.dat	upx
behavioral2/memory/228-11-0x0000000000400000-0x00000000004CE000-memory.dmp	upx
behavioral2/memory/2568-12-0x0000000000400000-0x00000000004CE000-memory.dmp	upx
behavioral2/memory/2568-13-0x0000000000400000-0x00000000004CE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\regger = "\"C:\\Program Files\\regger\\regger.exe\" hide"	d46da8d8f913e3d0ff2eda2fe6af0cdd.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\regger\regger.exe	d46da8d8f913e3d0ff2eda2fe6af0cdd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2568	regger.exe
2568	regger.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 2568	228	d46da8d8f913e3d0ff2eda2fe6af0cdd.exe	92
PID 228 wrote to memory of 2568	228	d46da8d8f913e3d0ff2eda2fe6af0cdd.exe	92
PID 228 wrote to memory of 2568	228	d46da8d8f913e3d0ff2eda2fe6af0cdd.exe	92

C:\Users\Admin\AppData\Local\Temp\d46da8d8f913e3d0ff2eda2fe6af0cdd.exe
"C:\Users\Admin\AppData\Local\Temp\d46da8d8f913e3d0ff2eda2fe6af0cdd.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:228
- C:\Program Files\regger\regger.exe
  "C:\Program Files\regger\regger.exe" hide 10000
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\regger\regger.exe

Filesize
310KB

MD5
d46da8d8f913e3d0ff2eda2fe6af0cdd

SHA1
e6b0ba11670dde3c4af745280f04ac56c45f58ff

SHA256
a05530a0d3a1d9cc1953e8475202a5d768e44e2f48e67b5bf856ef075df2e895

SHA512
3b3c1d704cf12daccc8f8ea6027e62394c4d2979680ea2755708fff0e0c00d3c84b88c41c3054e95270d383fed394ec672d112a186872be3600a94c5ce15fa53

Download Submit
memory/228-0-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/228-1-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/228-11-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2568-10-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/2568-12-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2568-13-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2568-14-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads