19e4b8511307b215721c7c6a7150bfca078045360d258355f7e172a0a357ec43

Analysis

max time kernel
142s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31c14cdf08f79c8dd23da19ea5913c8d.exe
Size

36.7MB
MD5

31c14cdf08f79c8dd23da19ea5913c8d
SHA1

024d9bf8c6416d201e132eae3d82e7d3de804b5c
SHA256

19e4b8511307b215721c7c6a7150bfca078045360d258355f7e172a0a357ec43
SHA512

8c1d2e69cd42234553ec4bc28fad79dd4b739b134073162084c19ec13f400d4fd167af39612a3edb611cd9e70ee504f05f77625f5cb4b6c2cd6e3c354657df9f
SSDEEP

786432:pDsCef8iSTCkgTVaG79BNQUN36YP/+W6B36hMx02DouwT:pD8w2Z79B+UN36K+WU6D2kuw

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	31c14cdf08f79c8dd23da19ea5913c8d.tmp

Executes dropped EXE 3 IoCs

pid	Process
2400	31c14cdf08f79c8dd23da19ea5913c8d.tmp
3288	7z.exe
3896	7z.exe

Loads dropped DLL 5 IoCs

pid	Process
2400	31c14cdf08f79c8dd23da19ea5913c8d.tmp
2400	31c14cdf08f79c8dd23da19ea5913c8d.tmp
2400	31c14cdf08f79c8dd23da19ea5913c8d.tmp
3288	7z.exe
3896	7z.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	31c14cdf08f79c8dd23da19ea5913c8d.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	31c14cdf08f79c8dd23da19ea5913c8d.tmp

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	31c14cdf08f79c8dd23da19ea5913c8d.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	31c14cdf08f79c8dd23da19ea5913c8d.tmp
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\IESettingSync	31c14cdf08f79c8dd23da19ea5913c8d.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	31c14cdf08f79c8dd23da19ea5913c8d.tmp

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	3288	7z.exe
Token: 35	3288	7z.exe
Token: SeSecurityPrivilege	3288	7z.exe
Token: SeSecurityPrivilege	3288	7z.exe
Token: SeRestorePrivilege	3896	7z.exe
Token: 35	3896	7z.exe
Token: SeSecurityPrivilege	3896	7z.exe
Token: SeSecurityPrivilege	3896	7z.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2400	31c14cdf08f79c8dd23da19ea5913c8d.tmp
2400	31c14cdf08f79c8dd23da19ea5913c8d.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4160 wrote to memory of 2400	4160	31c14cdf08f79c8dd23da19ea5913c8d.exe	81
PID 4160 wrote to memory of 2400	4160	31c14cdf08f79c8dd23da19ea5913c8d.exe	81
PID 4160 wrote to memory of 2400	4160	31c14cdf08f79c8dd23da19ea5913c8d.exe	81
PID 2400 wrote to memory of 3288	2400	31c14cdf08f79c8dd23da19ea5913c8d.tmp	82
PID 2400 wrote to memory of 3288	2400	31c14cdf08f79c8dd23da19ea5913c8d.tmp	82
PID 2400 wrote to memory of 3896	2400	31c14cdf08f79c8dd23da19ea5913c8d.tmp	84
PID 2400 wrote to memory of 3896	2400	31c14cdf08f79c8dd23da19ea5913c8d.tmp	84

C:\Users\Admin\AppData\Local\Temp\31c14cdf08f79c8dd23da19ea5913c8d.exe
"C:\Users\Admin\AppData\Local\Temp\31c14cdf08f79c8dd23da19ea5913c8d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Users\Admin\AppData\Local\Temp\is-PKFEP.tmp\31c14cdf08f79c8dd23da19ea5913c8d.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-PKFEP.tmp\31c14cdf08f79c8dd23da19ea5913c8d.tmp" /SL5="$50164,37611458,1148416,C:\Users\Admin\AppData\Local\Temp\31c14cdf08f79c8dd23da19ea5913c8d.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Users\Admin\AppData\Local\Temp\is-8RO6O.tmp\7z.exe
    "C:\Users\Admin\AppData\Local\Temp\is-8RO6O.tmp\7z.exe" x C:\Users\Admin\AppData\Local\Temp\is-8RO6O.tmp\2TGOTUHZV.7z -pqwerty0987 -oC:\Users\Admin\AppData\Local\Temp\is-8RO6O.tmp\CDD1A1C7-191B-7BC1-5C7D-33473DD19D8F
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3288
- - C:\Users\Admin\AppData\Local\Temp\is-8RO6O.tmp\7z.exe
    "C:\Users\Admin\AppData\Local\Temp\is-8RO6O.tmp\7z.exe" x C:\Users\Admin\AppData\Local\Temp\is-8RO6O.tmp\DBQM4FAUZ.7z -pqwerty0987 -oC:\Users\Admin\AppData\Local\Temp\is-8RO6O.tmp\CDD1A1C7-191B-7BC1-5C7D-33473DD19D8F
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-8RO6O.tmp\2TGOTUHZV.7z

Filesize
499KB

MD5
3175cec55609ca0f6b8ec96519a77c47

SHA1
19ad5d8e54f573f9eab9315fda4fa8474adc10ea

SHA256
dc552ce2e691dad50b2ff62197928a9c34bf2bf2a14e7b16bd76a18275e3fe00

SHA512
8d72da712206721ac4c11663f0b04284d3d067f135fde30f8ae50c1e764a1663f4e7f9916c3ec721bebab2c0b9b43d68a9b8104266920743ce96e5ca89ef1140

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8RO6O.tmp\7z.dll

Filesize
1.7MB

MD5
6416fc6c11f5775f474607ee7eec2935

SHA1
4d1703ee174f5f6b20274864ec2cb1c6b6c8529b

SHA256
ed594e74aa38cdb08d38807eb626b28ffd9eb8c73f75b303031598963331ff55

SHA512
816725ea67f43041692a58e6fec75c9485cc8fe56cf97894b6b6e570ad18863edd9d7d047aaca33d8c93af26913bd1f7e1da10b869dab981d7626a3b0920d1bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8RO6O.tmp\7z.exe

Filesize
532KB

MD5
ed53b28ab53811c06879e8fc5e1000ce

SHA1
e4e4d66639097862a59410decf5db146ceaa5d19

SHA256
7135e78794c5ceacb094afcadca57755cc3801591552776f1a717bbdd65605a7

SHA512
be92e468682ee681436c31d8f39db6585185bf8f8adefae8f6646b65c7e9339e54a027ac7e63d9356cb4602d5020664b023a74486c4da629cdc97b5cff61985f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8RO6O.tmp\CDD1A1C7-191B-7BC1-5C7D-33473DD19D8F\Install\info.xml

Filesize
1KB

MD5
f1a0d79bc6bcbb684b634a22a6e4b892

SHA1
3e25c55cd492509f159cc22b5e1638949e502a63

SHA256
11599d4b685ed4af5a28ffb8b9793cecfa0f069084e053d95020d7be60aa9f69

SHA512
91897508e0f9cb6ba926a933250cfa6a56742b7540bf260d953e4f77301a62a6f678827bf655abed644b2fd822107c61da24b0b0237b743adabfa5e8ba3177cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8RO6O.tmp\CDD1A1C7-191B-7BC1-5C7D-33473DD19D8F\install\0\offer0.html

Filesize
16KB

MD5
6ac56705899b7e41664135444ae3b736

SHA1
04cd5dc01cdc322b79ef8309e4ccdc852871c327

SHA256
4b6f5643ef970105bf33ae47d53001fdbeb939b79d22acc77124a98c9c38d6d4

SHA512
c5884f4a8bf1e6ab7aa6bf7f680a527cfc31ff5ad7b7834cce6d673b4b316dfbf55358042528692f3448369cc169d46bc014241e602c4f2c4fd4e666b0fe5a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8RO6O.tmp\DBQM4FAUZ.7z

Filesize
32.4MB

MD5
0ba639980fbb48eb931a461b2953974d

SHA1
98143706e9f5568411b56d139013349fafcd1573

SHA256
b4193b80034515e841c7599522c38e6e8db227216b784ebef7dc89af80ae65f9

SHA512
b700ac29f6a12ecba8bdf700197d6a6ffb2a52bb192c3236c59fead6068c2f2d93df52d1fe348659006ab3c0206da9aebd5e5114e6ce9d988a782e9ea6fd6bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8RO6O.tmp\_isetup\_isdecmp.dll

Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8RO6O.tmp\webview.dll

Filesize
2.2MB

MD5
c663759adbcf6c47f9fec3a835a97c92

SHA1
4fb9b1f6ec51d4c3674977020c1723f6641e07d7

SHA256
1e9b2bf3b80fe61a32f66097fd371db197ddde1a2ea5b6120f7b39f76a186288

SHA512
afd0661b7f70d22e147affc9fe20ee9df8a2234ce3c23e8a262d2e9c148317caf19d9c68d77aba02151774bb55d316b0316719b9e5cc6cff54bb4fcad258ee20

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PKFEP.tmp\31c14cdf08f79c8dd23da19ea5913c8d.tmp

Filesize
3.2MB

MD5
cbf5b2bddfd6a5bffd958e11427abc41

SHA1
f6d675d9f600f0934fae373762f2901bf72b312c

SHA256
43982e6d11f2be798d0d3317dbd337d55b48a63f4400964fdf906556aebde1ba

SHA512
d1db4894656e910d5ca26073df07b287d91f0dd91e855419a7308e6b4390929dc0d8cf36b72e865aa49942904e5eaf5c59572f47221f4e2f87f266405d112ba8

Download Submit
memory/2400-63-0x0000000002490000-0x00000000025D0000-memory.dmp

Filesize
1.2MB

Download
memory/2400-66-0x0000000002490000-0x00000000025D0000-memory.dmp

Filesize
1.2MB

Download
memory/2400-65-0x0000000002490000-0x00000000025D0000-memory.dmp

Filesize
1.2MB

Download
memory/2400-64-0x0000000002490000-0x00000000025D0000-memory.dmp

Filesize
1.2MB

Download
memory/2400-62-0x0000000002490000-0x00000000025D0000-memory.dmp

Filesize
1.2MB

Download
memory/2400-6-0x0000000000400000-0x0000000000748000-memory.dmp

Filesize
3.3MB

Download
memory/2400-71-0x0000000000400000-0x0000000000748000-memory.dmp

Filesize
3.3MB

Download
memory/4160-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/4160-0-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/4160-70-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads