87bc71b36b242a954f6dac19f466de0944becce465b37825552c1ba9703a19a8

Analysis

max time kernel
143s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 00:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ta4073.exe
Size

25.8MB
MD5

15ecc8ba9811b8e5bd9d868b213a2182
SHA1

b221004e3ac301e686a02f9c7667cf2c85276c65
SHA256

87bc71b36b242a954f6dac19f466de0944becce465b37825552c1ba9703a19a8
SHA512

88d1518444f53b1a555ab52b97821ac594a2b6f3c78acb8c04798e26d1c5b3eb84af86e5707f45cfc61bf147de05a7e9eab9bc7e406c79290bb4692174012fd5
SSDEEP

786432:xkCG+BZo4femcZvQEqe1aecl5OzvUme1g6fJ3t:xk+BZo4fexQyvcl5OzAfh9

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ta4073.exe

Executes dropped EXE 2 IoCs

pid	Process
2184	NextUpTA4Installer.exe
3368	NextUpTA4Installer.tmp

Loads dropped DLL 3 IoCs

pid	Process
3368	NextUpTA4Installer.tmp
3368	NextUpTA4Installer.tmp
3368	NextUpTA4Installer.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 2184	620	ta4073.exe	82
PID 620 wrote to memory of 2184	620	ta4073.exe	82
PID 620 wrote to memory of 2184	620	ta4073.exe	82
PID 2184 wrote to memory of 3368	2184	NextUpTA4Installer.exe	83
PID 2184 wrote to memory of 3368	2184	NextUpTA4Installer.exe	83
PID 2184 wrote to memory of 3368	2184	NextUpTA4Installer.exe	83

C:\Users\Admin\AppData\Local\Temp\ta4073.exe
"C:\Users\Admin\AppData\Local\Temp\ta4073.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:620
- C:\Users\Admin\AppData\Local\Temp\TextAloud\NextUpTA4Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\TextAloud\NextUpTA4Installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Users\Admin\AppData\Local\Temp\is-HI3KV.tmp\NextUpTA4Installer.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-HI3KV.tmp\NextUpTA4Installer.tmp" /SL5="$90054,24417821,57856,C:\Users\Admin\AppData\Local\Temp\TextAloud\NextUpTA4Installer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TextAloud\NextUpTA4Installer.exe

Filesize
23.6MB

MD5
b2b3d7a79ce92eea03c5a11a6f3a4c61

SHA1
2c7a1b65fb2f3f3f1710e26434af8cc6ecaa39de

SHA256
5c61e6b04a94a8af724500f062b2615818f3a24eab983977e50484742c7f0f57

SHA512
dea97e4b83128ea4bd4b84e0b5658d5b60b716521aad80927f505c15c16b402f684cd98d994ca96536f9817f2795949a73da4ec977cbf1358912a648be694535

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G8LCQ.tmp\InstallerHelper.dll

Filesize
2.1MB

MD5
f79170750b22e2031592fbda6b16b3ca

SHA1
d2e35403ed38111c09d3dbdd166459a954968ff9

SHA256
76e86688b6d2bf3cbfb9bfe6661e9e93b4dd1aefe0c4d843081108648e66c962

SHA512
2086c7197993b2978e3cd30cb0a2fd70e5b1346bb1bd58070bd7360afda605faa36528ed71d3f3486d7bdb4f0c50a8946e329d24ea5f79d5a2572d8dfd2b1d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G8LCQ.tmp\idp.dll

Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HI3KV.tmp\NextUpTA4Installer.tmp

Filesize
708KB

MD5
ae5108fec9e1c3da26674d02ecc76153

SHA1
1ddf0c8de4032a6f649eb2d824ec2c9756806e53

SHA256
1d3e6c985ffb65f507795dc35beab5006121374a1a176d73abe7abf4505f1dfe

SHA512
ca7fae476ada3ab002e4d6826e704dfc0db7899789715fbcf3c9674394855d68b57260899e6fd792b8fc61a9e1fc22b0058335cac38a23c8f725c50d1baf9708

Download Submit
memory/620-14-0x0000000000400000-0x0000000001DDB000-memory.dmp

Filesize
25.9MB

Download
memory/620-0-0x0000000003A30000-0x0000000003A31000-memory.dmp

Filesize
4KB

Download
memory/2184-35-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2184-15-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2184-19-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/3368-22-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/3368-32-0x0000000003B80000-0x0000000003D9D000-memory.dmp

Filesize
2.1MB

Download
memory/3368-36-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/3368-37-0x0000000003B80000-0x0000000003D9D000-memory.dmp

Filesize
2.1MB

Download
memory/3368-43-0x0000000003B80000-0x0000000003D9D000-memory.dmp

Filesize
2.1MB

Download