bd7952313a13fa6b4522e03332d6c00eaf68bc08c01849a126546cc27a1a02a2

Analysis

max time kernel
136s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd7952313a13fa6b4522e03332d6c00eaf68bc08c01849a126546cc27a1a02a2.exe
Size

76KB
MD5

44d3ba43e46afe3639969a5380cab6bf
SHA1

4223faa55b429df6134da232c6d65f9345cd15d6
SHA256

bd7952313a13fa6b4522e03332d6c00eaf68bc08c01849a126546cc27a1a02a2
SHA512

fa5bf1d2c93237c7cfee00ac6ba0efd53565e2833c23e230dbf0ad8f3b7016505d54a8b51eac340836eb4d1ccfb46246440b60e1712de6e6fc6092eb1b910687
SSDEEP

1536:MvP69lUyW1UwzJmWRaD1gXI7uMrpzrnacxfzZ1:G69lU2UmWVXI7uMlzTFz7

Score

7^/10

persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation	bd7952313a13fa6b4522e03332d6c00eaf68bc08c01849a126546cc27a1a02a2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 5 IoCs

pid	Process
2620	bd7952313a13fa6b4522e03332d6c00eaf68bc08c01849a126546cc27a1a02a2.exe
2264	svchost.exe
4144	svchost.exe
4364	svchost.exe
8	svchost.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2620-6-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2620-11-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2620-10-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2620-37-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2620-55-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4144-52-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4144-86-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Video Driver = "C:\\Users\\Admin\\AppData\\Roaming\\system\\svchost.exe"	reg.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4992 set thread context of 2620	4992	bd7952313a13fa6b4522e03332d6c00eaf68bc08c01849a126546cc27a1a02a2.exe	83
PID 2264 set thread context of 4144	2264	svchost.exe	89
PID 2264 set thread context of 4364	2264	svchost.exe	90
PID 4364 set thread context of 8	4364	svchost.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4144	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4992	bd7952313a13fa6b4522e03332d6c00eaf68bc08c01849a126546cc27a1a02a2.exe
2620	bd7952313a13fa6b4522e03332d6c00eaf68bc08c01849a126546cc27a1a02a2.exe
2264	svchost.exe
4144	svchost.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 2620	4992	bd7952313a13fa6b4522e03332d6c00eaf68bc08c01849a126546cc27a1a02a2.exe	83
PID 4992 wrote to memory of 2620	4992	bd7952313a13fa6b4522e03332d6c00eaf68bc08c01849a126546cc27a1a02a2.exe	83
PID 4992 wrote to memory of 2620	4992	bd7952313a13fa6b4522e03332d6c00eaf68bc08c01849a126546cc27a1a02a2.exe	83
PID 4992 wrote to memory of 2620	4992	bd7952313a13fa6b4522e03332d6c00eaf68bc08c01849a126546cc27a1a02a2.exe	83
PID 4992 wrote to memory of 2620	4992	bd7952313a13fa6b4522e03332d6c00eaf68bc08c01849a126546cc27a1a02a2.exe	83
PID 4992 wrote to memory of 2620	4992	bd7952313a13fa6b4522e03332d6c00eaf68bc08c01849a126546cc27a1a02a2.exe	83
PID 4992 wrote to memory of 2620	4992	bd7952313a13fa6b4522e03332d6c00eaf68bc08c01849a126546cc27a1a02a2.exe	83
PID 4992 wrote to memory of 2620	4992	bd7952313a13fa6b4522e03332d6c00eaf68bc08c01849a126546cc27a1a02a2.exe	83
PID 2620 wrote to memory of 2680	2620	bd7952313a13fa6b4522e03332d6c00eaf68bc08c01849a126546cc27a1a02a2.exe	84
PID 2620 wrote to memory of 2680	2620	bd7952313a13fa6b4522e03332d6c00eaf68bc08c01849a126546cc27a1a02a2.exe	84
PID 2620 wrote to memory of 2680	2620	bd7952313a13fa6b4522e03332d6c00eaf68bc08c01849a126546cc27a1a02a2.exe	84
PID 2680 wrote to memory of 4380	2680	cmd.exe	87
PID 2680 wrote to memory of 4380	2680	cmd.exe	87
PID 2680 wrote to memory of 4380	2680	cmd.exe	87
PID 2620 wrote to memory of 2264	2620	bd7952313a13fa6b4522e03332d6c00eaf68bc08c01849a126546cc27a1a02a2.exe	88
PID 2620 wrote to memory of 2264	2620	bd7952313a13fa6b4522e03332d6c00eaf68bc08c01849a126546cc27a1a02a2.exe	88
PID 2620 wrote to memory of 2264	2620	bd7952313a13fa6b4522e03332d6c00eaf68bc08c01849a126546cc27a1a02a2.exe	88
PID 2264 wrote to memory of 4144	2264	svchost.exe	89
PID 2264 wrote to memory of 4144	2264	svchost.exe	89
PID 2264 wrote to memory of 4144	2264	svchost.exe	89
PID 2264 wrote to memory of 4144	2264	svchost.exe	89
PID 2264 wrote to memory of 4144	2264	svchost.exe	89
PID 2264 wrote to memory of 4144	2264	svchost.exe	89
PID 2264 wrote to memory of 4144	2264	svchost.exe	89
PID 2264 wrote to memory of 4144	2264	svchost.exe	89
PID 2264 wrote to memory of 4364	2264	svchost.exe	90
PID 2264 wrote to memory of 4364	2264	svchost.exe	90
PID 2264 wrote to memory of 4364	2264	svchost.exe	90
PID 2264 wrote to memory of 4364	2264	svchost.exe	90
PID 2264 wrote to memory of 4364	2264	svchost.exe	90
PID 2264 wrote to memory of 4364	2264	svchost.exe	90
PID 2264 wrote to memory of 4364	2264	svchost.exe	90
PID 4364 wrote to memory of 8	4364	svchost.exe	91
PID 4364 wrote to memory of 8	4364	svchost.exe	91
PID 4364 wrote to memory of 8	4364	svchost.exe	91
PID 4364 wrote to memory of 8	4364	svchost.exe	91
PID 4364 wrote to memory of 8	4364	svchost.exe	91
PID 4364 wrote to memory of 8	4364	svchost.exe	91
PID 4364 wrote to memory of 8	4364	svchost.exe	91

C:\Users\Admin\AppData\Local\Temp\bd7952313a13fa6b4522e03332d6c00eaf68bc08c01849a126546cc27a1a02a2.exe
"C:\Users\Admin\AppData\Local\Temp\bd7952313a13fa6b4522e03332d6c00eaf68bc08c01849a126546cc27a1a02a2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Users\Admin\AppData\Local\Temp\bd7952313a13fa6b4522e03332d6c00eaf68bc08c01849a126546cc27a1a02a2.exe
  "C:\Users\Admin\AppData\Local\Temp\bd7952313a13fa6b4522e03332d6c00eaf68bc08c01849a126546cc27a1a02a2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSEMD.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Video Driver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\svchost.exe" /f
      4⤵
      Adds Run key to start application
      PID:4380
- - C:\Users\Admin\AppData\Roaming\system\svchost.exe
    "C:\Users\Admin\AppData\Roaming\system\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Users\Admin\AppData\Roaming\system\svchost.exe
      "C:\Users\Admin\AppData\Roaming\system\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4144
  - - C:\Users\Admin\AppData\Roaming\system\svchost.exe
      "C:\Users\Admin\AppData\Roaming\system\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4364
    - - C:\Users\Admin\AppData\Roaming\system\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\system\svchost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cxz.exe

Filesize
294B

MD5
b3030e8233f92962ebbbb7d60cec6ded

SHA1
20c282431e255c840d290fd18e7ba3eacd874642

SHA256
1f63ffc8c981f1ccf70b59a12091a48fbf6d795f52088d08544ff79d0fddbd1a

SHA512
870ff031efc4b35e50f256e917b3bf8dc412eec2d98c2fc590b064fdc2b579176dfb72c5350accf958575aa4eb1a92577c36351c67910404eca3e82758922980

Download Submit
C:\Users\Admin\AppData\Local\Temp\TSEMD.txt

Filesize
148B

MD5
05d958f804a3cb770b18371699915faf

SHA1
82e91a19f4f23340db8bb5c7d271aa0b590ff723

SHA256
61ae6f17d637624fd66d1dfad93a1c6a863aa7caf67d3e267910f4b9212bdf52

SHA512
3ff7be267167f2c447e9aeef2f5e84785dd45d08a10738b1b4c1b01b21d3ea29e637ede50b1091211b97fd40ae5b2bea54e053200778228ffde852f8a19ce921

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd7952313a13fa6b4522e03332d6c00eaf68bc08c01849a126546cc27a1a02a2.exe

Filesize
76KB

MD5
44d3ba43e46afe3639969a5380cab6bf

SHA1
4223faa55b429df6134da232c6d65f9345cd15d6

SHA256
bd7952313a13fa6b4522e03332d6c00eaf68bc08c01849a126546cc27a1a02a2

SHA512
fa5bf1d2c93237c7cfee00ac6ba0efd53565e2833c23e230dbf0ad8f3b7016505d54a8b51eac340836eb4d1ccfb46246440b60e1712de6e6fc6092eb1b910687

Download Submit
C:\Users\Admin\AppData\Roaming\system\svchost.exe

Filesize
76KB

MD5
c113713381f4484fc5d018b2d9b5dac8

SHA1
269fac93da2d516f06327a03f1589ea48403eebf

SHA256
63fdc6b6821272cf8cfb06d4fc702cc19eaaa7a2917abd0b8a54f473f12b7f16

SHA512
f8c36be71f81d86f3ee9d113439e4ecb087da3449e4135aac91adf53121cfa66871fd149d8c514c67fffb10998d99eb55986e3a905d33c6c63b08defdf442004

Download Submit
memory/8-84-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/8-57-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/8-62-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2264-51-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2264-39-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2264-38-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2620-11-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2620-6-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2620-10-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2620-55-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2620-37-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4144-86-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4144-52-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4364-48-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4364-54-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4364-53-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4364-42-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4364-59-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4992-3-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/4992-4-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/4992-5-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4992-2-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/4992-8-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads