aaa5acac0791640451492c3b1f8ccf4cf9937eb32ea6bdb39b9afc2eb214602a

Analysis

max time kernel
81s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-06-2024 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

locales.7z
Size

15.5MB
MD5

4448307411c2e146cd3b799287127ff8
SHA1

711f109c45bbfcbd5a6f640d5d1aa21c6d87000c
SHA256

aaa5acac0791640451492c3b1f8ccf4cf9937eb32ea6bdb39b9afc2eb214602a
SHA512

82ba7f970e67e971783ae6a30249d7d4829467802fa6697f2c74b76fced305126562722a5abdd819e33f61496e128ea06936d5df3310ded09c0b774d7ad0394b
SSDEEP

393216:nSkp7rSRYn7Hk+yiUywCGHAqUDJnl/362ECZTiuZP2SME9WY:nSkZSRY7E1ipEAqUDJnl/369CZTiqPdD

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
3260	nuitka-extractor.exe
1156	nuitka-extractor.exe
4464	nuitka-extractor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	cmd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2228	7zFM.exe
Token: 35	2228	7zFM.exe
Token: SeSecurityPrivilege	2228	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2228	7zFM.exe
2228	7zFM.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3408 wrote to memory of 2228	3408	cmd.exe	94
PID 3408 wrote to memory of 2228	3408	cmd.exe	94
PID 3068 wrote to memory of 1156	3068	cmd.exe	110
PID 3068 wrote to memory of 1156	3068	cmd.exe	110
PID 3068 wrote to memory of 4464	3068	cmd.exe	113
PID 3068 wrote to memory of 4464	3068	cmd.exe	113

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales.7z
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3408
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\locales.7z"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2228

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4320

C:\Users\Admin\Desktop\locales\nuitka-extractor.exe
"C:\Users\Admin\Desktop\locales\nuitka-extractor.exe"
1⤵
- Executes dropped EXE
PID:3260

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\Desktop\locales\nuitka-extractor.exe
  nuitka-extractor.exe Injector.exe
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Users\Admin\Desktop\locales\nuitka-extractor.exe
  nuitka-extractor.exe Injector.exe_extracted/DRIVER-obf.exe
  2⤵
  - Executes dropped EXE
  PID:4464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\locales\Injector.exe

Filesize
14.5MB

MD5
07ff2945b1e8176c36b3c0f1dadddb4a

SHA1
96923ee2b635d90d582b09ca1e67c330d1e08cfd

SHA256
05cf379db860c18861a374f5f44da1892d4f89f5cbb2f5819e5df5a52a7ff0f7

SHA512
8942136e0da9d2a2d5ac1e9d9e65234b7a3ddac50e51836328ddb6d798a45055e7c8f9272170c76a1b2a3dc0167a31bca6726f04c35261a0d94a09d4d78aaad9

Download Submit
C:\Users\Admin\Desktop\locales\Injector.exe_extracted\DRIVER-obf.exe

Filesize
24.3MB

MD5
9271c4ffad6091fab2d1bd7f515cedff

SHA1
353da29638b3c81f36fab047bd1d77cec753aa34

SHA256
f69b16e83cba78b927f71c88e26919fba8e81641d168b323d1f195b5b4654609

SHA512
cdd922449d1ba88e5dea1b1b24ed628c7e20c955e6256e528bd72e5831d97a1ab85968d659847fcd0a8e82768d0275adeb565cc1690bc52cc664a7f306db70ec

Download Submit
C:\Users\Admin\Desktop\locales\nuitka-extractor.exe

Filesize
3.6MB

MD5
27b827b9b4617cc6534b3fb2893b30b8

SHA1
11843274818de131aa01f27a5e1a32f8445f5e10

SHA256
5ff1182402689097675e873d0f795bed2639e69d3d0cf8fb72b975d8f9d141cd

SHA512
f8afb3e246181bc88d6afd232e7e230fcf3ed9b6090372417b14f4b729f0ddeb83eeb6c8ec67d5f347c73f2197466c092430df4b0dc710367fdf6418241f5faa

Download Submit