64c665b2dbdaca4a20aaef96d625091757008c88b49d71070e4eefcd45d986d8

Resubmissions

10-05-2024 17:13

240510-vrrk4sgd7t 10

10-05-2024 17:09

240510-vphv7abd29 10

Analysis

max time kernel
130s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

High Priority/5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Size

669KB
MD5

ead18f3a909685922d7213714ea9a183
SHA1

1270bd7fd62acc00447b30f066bb23f4745869bf
SHA256

5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18
SHA512

6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91
SSDEEP

6144:bLUHLyHlwFjxDi2nEZkQ4NXxp0XMgkBWPqdN/jGdfYY7SRA7j4YlvfYAAjJ:4uFi02nEZh4jp0XLuxGdgTm73vL

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3520	icacls.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/memory/2700-0-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral4/files/0x0008000000023410-12.dat	upx
behavioral4/memory/3600-13-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral4/memory/4252-27-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral4/memory/3312-32-0x0000000000400000-0x00000000004A9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f3c85b24-b7d1-4017-ac95-bb409c0525bc\\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe\" --AutoStart"	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	api.2ip.ua
27	api.2ip.ua
45	api.2ip.ua
46	api.2ip.ua
49	api.2ip.ua
19	api.2ip.ua

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4056	2700	WerFault.exe	81
1108	3312	WerFault.exe	97
4536	4252	WerFault.exe	95

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2700	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
2700	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
3600	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
3600	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4252	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4252	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
3388	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
3388	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
3312	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
3312	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 3520	2700	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	86
PID 2700 wrote to memory of 3520	2700	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	86
PID 2700 wrote to memory of 3520	2700	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	86
PID 2700 wrote to memory of 3600	2700	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	87
PID 2700 wrote to memory of 3600	2700	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	87
PID 2700 wrote to memory of 3600	2700	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	87
PID 3600 wrote to memory of 4252	3600	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	95
PID 3600 wrote to memory of 4252	3600	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	95
PID 3600 wrote to memory of 4252	3600	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	95
PID 3600 wrote to memory of 3388	3600	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	96
PID 3600 wrote to memory of 3388	3600	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	96
PID 3600 wrote to memory of 3388	3600	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	96
PID 4252 wrote to memory of 3312	4252	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	97
PID 4252 wrote to memory of 3312	4252	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	97
PID 4252 wrote to memory of 3312	4252	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	97

C:\Users\Admin\AppData\Local\Temp\High Priority\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\Temp\High Priority\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\Users\Admin\AppData\Local\f3c85b24-b7d1-4017-ac95-bb409c0525bc" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  2⤵
  - Modifies file permissions
  PID:3520
- C:\Users\Admin\AppData\Local\Temp\High Priority\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
  "C:\Users\Admin\AppData\Local\Temp\High Priority\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Admin IsNotAutoStart IsNotTask
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3600
- - C:\Users\Admin\AppData\Local\Temp\High Priority\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    "C:\Users\Admin\AppData\Local\Temp\High Priority\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsNotTask
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4252
  - - C:\Users\Admin\AppData\Local\Temp\High Priority\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\Temp\High Priority\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 4252 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3312
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 1056
        5⤵
        Program crash
        
        PID:1108
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1652
      4⤵
      Program crash
      PID:4536
- - C:\Users\Admin\AppData\Local\Temp\High Priority\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    "C:\Users\Admin\AppData\Local\Temp\High Priority\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 3600 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3388
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 2124
  2⤵
  - Program crash
  PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2700 -ip 2700
1⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3312 -ip 3312
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4252 -ip 4252
1⤵
PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
d4f07ee61e152f1392d3acfbd611a65d

SHA1
cbad4b0fc4b752be2a4b29ac12b40b9d04d3888a

SHA256
e3568bd51370abfded43c7e09b4f26d1d018e3d0925890d457d0bcf080cfc495

SHA512
209fed14cb895ff81521ed80a93b9c1c10c227b8102d65dddd9fd651fa5990d307a7f3836766f660362caaba2fb6573a2b3e542254eb593466e8696a3b87102e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
d0aeded9d6398dbd055bdd80fa6f3ce3

SHA1
75bb9c8cd5b3d47891af88ee9872ef30f0291b2e

SHA256
63467e32b1ba73fede1810bfec11eec6f0ff9e30b6714b344dfbfe94804fc811

SHA512
04738e58f0298e7457596fecd43ad8d4dd83c394b5b615fcc57a6224a276a6a3bf11c9f4651c7e562cc904df47fa0d78d3ed370ab7117527b70cf589b170f67e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
89050787f262cab81193e899ad10b626

SHA1
804fe6a3d27b56a2e02e344274b87bbf0a40d240

SHA256
c093c01849755c607de62525c9704e14a68ff45a3f9f1f6260b4d0fd518e0e6c

SHA512
f88daeb9964142cddfa2b3d800461159a0cf8c4963ced3e5a87944115fc3fd6eb4cc19806bb7a397f87788444f4ae318f6d738f5bf98c246cc78f1d3fa1c82d5

Download Submit
C:\Users\Admin\AppData\Local\f3c85b24-b7d1-4017-ac95-bb409c0525bc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Filesize
669KB

MD5
ead18f3a909685922d7213714ea9a183

SHA1
1270bd7fd62acc00447b30f066bb23f4745869bf

SHA256
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

SHA512
6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

Download Submit
memory/2700-16-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2700-0-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2700-15-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2700-4-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2700-3-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2700-2-0x0000000000810000-0x0000000000910000-memory.dmp

Filesize
1024KB

Download
memory/3312-38-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3312-37-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3312-32-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3388-35-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3600-26-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3600-25-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3600-29-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3600-24-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3600-13-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3600-19-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3600-18-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4252-27-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4252-30-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4252-34-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4252-39-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download