adc529ecd42ff60785e5769400ae39dc299dcab1b2a4bb5f1f72902a96bf0024

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adc529ecd42ff60785e5769400ae39dc299dcab1b2a4bb5f1f72902a96bf0024.exe
Size

49KB
MD5

82f46932e1e9fda743ac04921fd63850
SHA1

849e1bfb062efb9e1f6eec0d5357e49faac1e1c6
SHA256

adc529ecd42ff60785e5769400ae39dc299dcab1b2a4bb5f1f72902a96bf0024
SHA512

cde59b6da732679670eb62adc17baa1b4eae947bff4907376c51e0061d3f103accc8337841c4fcf6a64837dfce11f0c1d99abe4d24b8ba4fc00e867efb538ea6
SSDEEP

768:gePG5H8lchKD8ISZSgs1lxqsNauz8iau2II4k:gePG5H8lOc8nEgsRIAbNk

Score

9^/10

upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/2916-0-0x0000000000500000-0x000000000050D000-memory.dmp	UPX
behavioral2/memory/2916-1-0x0000000000500000-0x000000000050D000-memory.dmp	UPX
behavioral2/files/0x000300000001e9b1-6.dat	UPX
behavioral2/memory/3608-10-0x0000000000500000-0x000000000050D000-memory.dmp	UPX

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	adc529ecd42ff60785e5769400ae39dc299dcab1b2a4bb5f1f72902a96bf0024.exe

Executes dropped EXE 1 IoCs

pid	Process
3608	winupdate.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2916-0-0x0000000000500000-0x000000000050D000-memory.dmp	upx
behavioral2/memory/2916-1-0x0000000000500000-0x000000000050D000-memory.dmp	upx
behavioral2/files/0x000300000001e9b1-6.dat	upx
behavioral2/memory/3608-10-0x0000000000500000-0x000000000050D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 3608	2916	adc529ecd42ff60785e5769400ae39dc299dcab1b2a4bb5f1f72902a96bf0024.exe	85
PID 2916 wrote to memory of 3608	2916	adc529ecd42ff60785e5769400ae39dc299dcab1b2a4bb5f1f72902a96bf0024.exe	85
PID 2916 wrote to memory of 3608	2916	adc529ecd42ff60785e5769400ae39dc299dcab1b2a4bb5f1f72902a96bf0024.exe	85

C:\Users\Admin\AppData\Local\Temp\adc529ecd42ff60785e5769400ae39dc299dcab1b2a4bb5f1f72902a96bf0024.exe
"C:\Users\Admin\AppData\Local\Temp\adc529ecd42ff60785e5769400ae39dc299dcab1b2a4bb5f1f72902a96bf0024.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Users\Admin\AppData\Local\Temp\winupdate.exe
  "C:\Users\Admin\AppData\Local\Temp\winupdate.exe"
  2⤵
  - Executes dropped EXE
  PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\winupdate.exe

Filesize
49KB

MD5
5685be5dfe49a04ea43b18d943128b6e

SHA1
58fee9327538a5bb643f888ac56319bbc4acd294

SHA256
f615686a974a1fd55f521d426ce69bbe11b798bff1a45b4773d0ec60d9d43ade

SHA512
f95d5415d7486cef5a4d3af4a20f50d5db100b8b7f6ed8a918e5052e9127bcd0ae54ccf53076a4fa3041803d3ae8be7d472b0e2dbffa2944be6831edae5c4fc5

Download Submit
memory/2916-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download
memory/2916-1-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download
memory/3608-10-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download