aedd00b2986a23d333567a12e8ee11fe3aaae35ebebfda06e7d82622564a40dc

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2024, 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aedd00b2986a23d333567a12e8ee11fe3aaae35ebebfda06e7d82622564a40dc.exe
Size

47KB
MD5

a3010623d3fef58541204ebf04a98690
SHA1

8292806f8acf849f49022b7f21743845eb022566
SHA256

aedd00b2986a23d333567a12e8ee11fe3aaae35ebebfda06e7d82622564a40dc
SHA512

bd414c8ae044447833a06ff93111425cff851fc5e24c0c4354e6f32770bf895b86d1986a7082c493fdbbb86b753112b0be4908143b9b131260869c50a17a99b5
SSDEEP

768:IpwuGS2MxhRtEaKxY4Cnfcshsti92CbMuW6zuU7ec:JmxF+XWVhs02PZ6zuUKc

Score

9^/10

upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/892-0-0x0000000000400000-0x000000000040E000-memory.dmp	UPX
behavioral2/memory/892-1-0x0000000000400000-0x000000000040E000-memory.dmp	UPX
behavioral2/files/0x0008000000023206-6.dat	UPX
behavioral2/memory/1372-10-0x0000000000400000-0x000000000040E000-memory.dmp	UPX

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	aedd00b2986a23d333567a12e8ee11fe3aaae35ebebfda06e7d82622564a40dc.exe

Executes dropped EXE 1 IoCs

pid	Process
1372	pdfupdate.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/892-0-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/892-1-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/files/0x0008000000023206-6.dat	upx
behavioral2/memory/1372-10-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 892 wrote to memory of 1372	892	aedd00b2986a23d333567a12e8ee11fe3aaae35ebebfda06e7d82622564a40dc.exe	87
PID 892 wrote to memory of 1372	892	aedd00b2986a23d333567a12e8ee11fe3aaae35ebebfda06e7d82622564a40dc.exe	87
PID 892 wrote to memory of 1372	892	aedd00b2986a23d333567a12e8ee11fe3aaae35ebebfda06e7d82622564a40dc.exe	87

C:\Users\Admin\AppData\Local\Temp\aedd00b2986a23d333567a12e8ee11fe3aaae35ebebfda06e7d82622564a40dc.exe
"C:\Users\Admin\AppData\Local\Temp\aedd00b2986a23d333567a12e8ee11fe3aaae35ebebfda06e7d82622564a40dc.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:892
- C:\Users\Admin\AppData\Local\Temp\pdfupdate.exe
  "C:\Users\Admin\AppData\Local\Temp\pdfupdate.exe"
  2⤵
  - Executes dropped EXE
  PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pdfupdate.exe

Filesize
47KB

MD5
67492fe4292f2ac1680d5c3888e608f6

SHA1
9566554dfd221d1b6a89532c366886f82299a9ef

SHA256
63b12ea19588e45a071df2768c58311c38ad1dd50b1082e34c1df42bde404d97

SHA512
781d8c3e9079c5ce016ad02a1348134f83dff4a62074d436ad7acceb7e4e11ce14d4b12279fb7a325f2263fc2fbae2686dce6d91cb1c8d22fef7616bae9596a1

Download Submit
memory/892-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/892-1-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1372-10-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download