Analysis

  • max time kernel
    62s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/06/2024, 21:53

General

  • Target

    4d1e5f808b9e90b9b7ac9e32b4e11b2ef223745fa707aa4c34f60e3bd72ae42a.exe

  • Size

    134KB

  • MD5

    b3b9455487c8b7e0200fd886bd4da330

  • SHA1

    8b8d0118d9b155363e283bf492c7b873b4f79578

  • SHA256

    4d1e5f808b9e90b9b7ac9e32b4e11b2ef223745fa707aa4c34f60e3bd72ae42a

  • SHA512

    1c0a008123801ea3375c02f98417353a19ec831a652b58a5ea14c85245a8ace6b3019f6836899d66743410784b43f246055b98e382d0cef709beffca38222380

  • SSDEEP

    1536:YGYU/W2/HG6QMauSV3ixJHABLrmhH7i9eNOOg00GqMIK7aGZh3SO7:YfU/WF6QMauSuiWNi9eNOl0007NZIO7

Score
9/10

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4d1e5f808b9e90b9b7ac9e32b4e11b2ef223745fa707aa4c34f60e3bd72ae42a.exe
    "C:\Users\Admin\AppData\Local\Temp\4d1e5f808b9e90b9b7ac9e32b4e11b2ef223745fa707aa4c34f60e3bd72ae42a.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3112
    • C:\ProgramData\Update\wuauclt.exe
      "C:\ProgramData\Update\wuauclt.exe" /run
      2⤵
      • Executes dropped EXE
      PID:3528
    • C:\windows\SysWOW64\cmd.exe
      "C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\4d1e5f808b9e90b9b7ac9e32b4e11b2ef223745fa707aa4c34f60e3bd72ae42a.exe" >> NUL
      2⤵
      PID:2672

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Update\wuauclt.exe

    Filesize: 134KB
    MD5: 7308cf2a1b7a86816824b65a82f8ee63
    SHA1: b47f84862ce71a3d20875dab2d979986d54dcb03
    SHA256: 9def86394fcb1aa5376cefce8247c096fb3827c5e060805e2dcbf93226aa93e6
    SHA512: c68c85cc85227aba0ac7f46ddac04c408503a619ecba1933518983265f569bcb0a65ae071b32d0530aa511bf9ad35c45465239b277c2870e912de36d33c6fe62

  • memory/3112-0-0x00000000009B0000-0x00000000009D8000-memory.dmp

    Filesize: 160KB

  • memory/3112-6-0x00000000009B0000-0x00000000009D8000-memory.dmp

    Filesize: 160KB

  • memory/3112-8-0x00000000009B0000-0x00000000009D8000-memory.dmp

    Filesize: 160KB

  • memory/3528-4-0x0000000000DD0000-0x0000000000DF8000-memory.dmp

    Filesize: 160KB

  • memory/3528-7-0x0000000000DD0000-0x0000000000DF8000-memory.dmp

    Filesize: 160KB