21edab02c1ad7d249b699ee02a1db46ddbec44793d8016b14a21eb9a4c9ae9b9

Analysis

max time kernel
159s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

272a3d2b72ac26dbd3cc94886f031bbb.exe
Size

1.9MB
MD5

272a3d2b72ac26dbd3cc94886f031bbb
SHA1

9b1fb176fbe6d7a51550afc70fce817c65a1b75a
SHA256

21edab02c1ad7d249b699ee02a1db46ddbec44793d8016b14a21eb9a4c9ae9b9
SHA512

7e2aee9bb3ec7fdf26444ee76f9b5a6facf86846d891efc2bc7ca875eb25bc46abb3b50b5f26b4193b9ec6aefe7e48513447c59c17de3a142cb53eb24dc1c6d2
SSDEEP

49152:A34LlNIF+j7Ibyzlybnp06JpoMBmZUzP6bwQL4:44y+jsbSlKp02poMFEwQk

Score

7^/10

persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	272a3d2b72ac26dbd3cc94886f031bbb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	272a3d2b72ac26dbd3cc94886f031bbb.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/660-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/660-1-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/660-2-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/660-4-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/660-7-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/660-8-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/660-9-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/2336-10-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4904-11-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/2336-12-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0008000000023290-14.dat	upx
behavioral2/memory/660-15-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4904-20-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/3452-21-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/660-23-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/660-27-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/660-31-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/660-35-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/660-39-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/660-43-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/660-47-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/660-51-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	272a3d2b72ac26dbd3cc94886f031bbb.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	272a3d2b72ac26dbd3cc94886f031bbb.exe
File opened (read-only)	\??\Q:	272a3d2b72ac26dbd3cc94886f031bbb.exe
File opened (read-only)	\??\S:	272a3d2b72ac26dbd3cc94886f031bbb.exe
File opened (read-only)	\??\T:	272a3d2b72ac26dbd3cc94886f031bbb.exe
File opened (read-only)	\??\X:	272a3d2b72ac26dbd3cc94886f031bbb.exe
File opened (read-only)	\??\Z:	272a3d2b72ac26dbd3cc94886f031bbb.exe
File opened (read-only)	\??\G:	272a3d2b72ac26dbd3cc94886f031bbb.exe
File opened (read-only)	\??\N:	272a3d2b72ac26dbd3cc94886f031bbb.exe
File opened (read-only)	\??\P:	272a3d2b72ac26dbd3cc94886f031bbb.exe
File opened (read-only)	\??\W:	272a3d2b72ac26dbd3cc94886f031bbb.exe
File opened (read-only)	\??\Y:	272a3d2b72ac26dbd3cc94886f031bbb.exe
File opened (read-only)	\??\B:	272a3d2b72ac26dbd3cc94886f031bbb.exe
File opened (read-only)	\??\K:	272a3d2b72ac26dbd3cc94886f031bbb.exe
File opened (read-only)	\??\M:	272a3d2b72ac26dbd3cc94886f031bbb.exe
File opened (read-only)	\??\R:	272a3d2b72ac26dbd3cc94886f031bbb.exe
File opened (read-only)	\??\V:	272a3d2b72ac26dbd3cc94886f031bbb.exe
File opened (read-only)	\??\A:	272a3d2b72ac26dbd3cc94886f031bbb.exe
File opened (read-only)	\??\E:	272a3d2b72ac26dbd3cc94886f031bbb.exe
File opened (read-only)	\??\H:	272a3d2b72ac26dbd3cc94886f031bbb.exe
File opened (read-only)	\??\I:	272a3d2b72ac26dbd3cc94886f031bbb.exe
File opened (read-only)	\??\J:	272a3d2b72ac26dbd3cc94886f031bbb.exe
File opened (read-only)	\??\O:	272a3d2b72ac26dbd3cc94886f031bbb.exe
File opened (read-only)	\??\U:	272a3d2b72ac26dbd3cc94886f031bbb.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Updates\Download\horse gay hidden .mpeg.exe	272a3d2b72ac26dbd3cc94886f031bbb.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\lesbian horse several models .mpeg.exe	272a3d2b72ac26dbd3cc94886f031bbb.exe
File created	C:\Program Files\Microsoft Office\root\Templates\french fetish xxx [free] sm (Jade).avi.exe	272a3d2b72ac26dbd3cc94886f031bbb.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\nude bukkake licking hole latex (Sarah).avi.exe	272a3d2b72ac26dbd3cc94886f031bbb.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\xxx [free] nipples castration .mpg.exe	272a3d2b72ac26dbd3cc94886f031bbb.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\animal beastiality big boobs (Sonja,Kathrin).rar.exe	272a3d2b72ac26dbd3cc94886f031bbb.exe
File created	C:\Program Files\Common Files\microsoft shared\canadian cum [milf] .avi.exe	272a3d2b72ac26dbd3cc94886f031bbb.exe
File created	C:\Program Files\dotnet\shared\lingerie animal full movie nipples .zip.exe	272a3d2b72ac26dbd3cc94886f031bbb.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\malaysia kicking animal voyeur hole traffic (Sonja).avi.exe	272a3d2b72ac26dbd3cc94886f031bbb.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\mssrv.exe	272a3d2b72ac26dbd3cc94886f031bbb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
660	272a3d2b72ac26dbd3cc94886f031bbb.exe
660	272a3d2b72ac26dbd3cc94886f031bbb.exe
2336	272a3d2b72ac26dbd3cc94886f031bbb.exe
2336	272a3d2b72ac26dbd3cc94886f031bbb.exe
660	272a3d2b72ac26dbd3cc94886f031bbb.exe
660	272a3d2b72ac26dbd3cc94886f031bbb.exe
4904	272a3d2b72ac26dbd3cc94886f031bbb.exe
4904	272a3d2b72ac26dbd3cc94886f031bbb.exe
660	272a3d2b72ac26dbd3cc94886f031bbb.exe
660	272a3d2b72ac26dbd3cc94886f031bbb.exe
3452	272a3d2b72ac26dbd3cc94886f031bbb.exe
3452	272a3d2b72ac26dbd3cc94886f031bbb.exe
2336	272a3d2b72ac26dbd3cc94886f031bbb.exe
2336	272a3d2b72ac26dbd3cc94886f031bbb.exe
4904	272a3d2b72ac26dbd3cc94886f031bbb.exe
4904	272a3d2b72ac26dbd3cc94886f031bbb.exe
660	272a3d2b72ac26dbd3cc94886f031bbb.exe
660	272a3d2b72ac26dbd3cc94886f031bbb.exe
3452	272a3d2b72ac26dbd3cc94886f031bbb.exe
3452	272a3d2b72ac26dbd3cc94886f031bbb.exe
2336	272a3d2b72ac26dbd3cc94886f031bbb.exe
2336	272a3d2b72ac26dbd3cc94886f031bbb.exe
4904	272a3d2b72ac26dbd3cc94886f031bbb.exe
4904	272a3d2b72ac26dbd3cc94886f031bbb.exe
660	272a3d2b72ac26dbd3cc94886f031bbb.exe
660	272a3d2b72ac26dbd3cc94886f031bbb.exe
3452	272a3d2b72ac26dbd3cc94886f031bbb.exe
3452	272a3d2b72ac26dbd3cc94886f031bbb.exe
2336	272a3d2b72ac26dbd3cc94886f031bbb.exe
2336	272a3d2b72ac26dbd3cc94886f031bbb.exe
4904	272a3d2b72ac26dbd3cc94886f031bbb.exe
4904	272a3d2b72ac26dbd3cc94886f031bbb.exe
660	272a3d2b72ac26dbd3cc94886f031bbb.exe
660	272a3d2b72ac26dbd3cc94886f031bbb.exe
3452	272a3d2b72ac26dbd3cc94886f031bbb.exe
3452	272a3d2b72ac26dbd3cc94886f031bbb.exe
2336	272a3d2b72ac26dbd3cc94886f031bbb.exe
2336	272a3d2b72ac26dbd3cc94886f031bbb.exe
4904	272a3d2b72ac26dbd3cc94886f031bbb.exe
4904	272a3d2b72ac26dbd3cc94886f031bbb.exe
660	272a3d2b72ac26dbd3cc94886f031bbb.exe
660	272a3d2b72ac26dbd3cc94886f031bbb.exe
3452	272a3d2b72ac26dbd3cc94886f031bbb.exe
3452	272a3d2b72ac26dbd3cc94886f031bbb.exe
2336	272a3d2b72ac26dbd3cc94886f031bbb.exe
2336	272a3d2b72ac26dbd3cc94886f031bbb.exe
4904	272a3d2b72ac26dbd3cc94886f031bbb.exe
4904	272a3d2b72ac26dbd3cc94886f031bbb.exe
660	272a3d2b72ac26dbd3cc94886f031bbb.exe
660	272a3d2b72ac26dbd3cc94886f031bbb.exe
3452	272a3d2b72ac26dbd3cc94886f031bbb.exe
3452	272a3d2b72ac26dbd3cc94886f031bbb.exe
2336	272a3d2b72ac26dbd3cc94886f031bbb.exe
2336	272a3d2b72ac26dbd3cc94886f031bbb.exe
4904	272a3d2b72ac26dbd3cc94886f031bbb.exe
4904	272a3d2b72ac26dbd3cc94886f031bbb.exe
660	272a3d2b72ac26dbd3cc94886f031bbb.exe
660	272a3d2b72ac26dbd3cc94886f031bbb.exe
3452	272a3d2b72ac26dbd3cc94886f031bbb.exe
3452	272a3d2b72ac26dbd3cc94886f031bbb.exe
2336	272a3d2b72ac26dbd3cc94886f031bbb.exe
2336	272a3d2b72ac26dbd3cc94886f031bbb.exe
4904	272a3d2b72ac26dbd3cc94886f031bbb.exe
4904	272a3d2b72ac26dbd3cc94886f031bbb.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 660 wrote to memory of 2336	660	272a3d2b72ac26dbd3cc94886f031bbb.exe	98
PID 660 wrote to memory of 2336	660	272a3d2b72ac26dbd3cc94886f031bbb.exe	98
PID 660 wrote to memory of 2336	660	272a3d2b72ac26dbd3cc94886f031bbb.exe	98
PID 660 wrote to memory of 4904	660	272a3d2b72ac26dbd3cc94886f031bbb.exe	99
PID 660 wrote to memory of 4904	660	272a3d2b72ac26dbd3cc94886f031bbb.exe	99
PID 660 wrote to memory of 4904	660	272a3d2b72ac26dbd3cc94886f031bbb.exe	99
PID 2336 wrote to memory of 3452	2336	272a3d2b72ac26dbd3cc94886f031bbb.exe	100
PID 2336 wrote to memory of 3452	2336	272a3d2b72ac26dbd3cc94886f031bbb.exe	100
PID 2336 wrote to memory of 3452	2336	272a3d2b72ac26dbd3cc94886f031bbb.exe	100

C:\Users\Admin\AppData\Local\Temp\272a3d2b72ac26dbd3cc94886f031bbb.exe
"C:\Users\Admin\AppData\Local\Temp\272a3d2b72ac26dbd3cc94886f031bbb.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:660
- C:\Users\Admin\AppData\Local\Temp\272a3d2b72ac26dbd3cc94886f031bbb.exe
  "C:\Users\Admin\AppData\Local\Temp\272a3d2b72ac26dbd3cc94886f031bbb.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Users\Admin\AppData\Local\Temp\272a3d2b72ac26dbd3cc94886f031bbb.exe
    "C:\Users\Admin\AppData\Local\Temp\272a3d2b72ac26dbd3cc94886f031bbb.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3452
- C:\Users\Admin\AppData\Local\Temp\272a3d2b72ac26dbd3cc94886f031bbb.exe
  "C:\Users\Admin\AppData\Local\Temp\272a3d2b72ac26dbd3cc94886f031bbb.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:3320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\malaysia kicking animal voyeur hole traffic (Sonja).avi.exe

Filesize
807KB

MD5
ac6c23b818d617c1ef5dca12840a9737

SHA1
fc2b8e291be9c3b9f36793d7d597768d8ebfcf9b

SHA256
048be86f249fd314da7b5fd1fc094d6bce02b791822e68893327120b72929c5a

SHA512
ef312e8675a7516b973671455be682ba40103a13867cc71f2704ccb478dadbc49a30984f80d3482c8767a93e651a003bb21258298e8ea17220e55241159fe637

Download Submit
memory/660-8-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/660-35-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/660-15-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/660-51-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/660-47-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/660-9-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/660-43-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/660-39-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/660-2-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/660-1-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/660-4-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/660-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/660-7-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/660-23-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/660-27-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/660-31-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2336-12-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2336-10-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3452-21-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4904-11-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4904-20-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download