2e60b0b009b7b4b018add8a4d3457fcb770fea8a7603ea44f1c919bf13bf60b4

Analysis

max time kernel
149s
max time network
58s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
07/07/2024, 20:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2e60b0b009b7b4b018add8a4d3457fcb770fea8a7603ea44f1c919bf13bf60b4.exe
Size

304KB
MD5

800e4f08dd90d41f5e5e894a96af3d6b
SHA1

ac66287e1fb387bbfc9020c263b7039159550447
SHA256

2e60b0b009b7b4b018add8a4d3457fcb770fea8a7603ea44f1c919bf13bf60b4
SHA512

2e792ff4818eef725841097257d1884536a8e767a133aaeef20a25e7a64bd5edc786f2305e6c9608d931da8c84bfaa4f3e40b302bc9cc57358409b43f888dbda
SSDEEP

3072:6t5SVkkgUWib1UC7AdYzrV+Dljy/32ubwZZqJ:NUquCkdYzrVolu/J0ZZ

Score

7^/10

persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	2e60b0b009b7b4b018add8a4d3457fcb770fea8a7603ea44f1c919bf13bf60b4.exe

Executes dropped EXE 3 IoCs

pid	Process
2644	WindowsService.exe
4580	WindowsService.exe
2156	WindowsService.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3156-0-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral2/memory/3892-6-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3892-10-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3892-8-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3156-13-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral2/files/0x00070000000233b3-27.dat	upx
behavioral2/memory/2644-35-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral2/memory/2644-47-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral2/memory/3892-53-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4580-54-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sidebar = "C:\\Users\\Admin\\AppData\\Roaming\\SystemWindows\\WindowsService.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3156 set thread context of 3892	3156	2e60b0b009b7b4b018add8a4d3457fcb770fea8a7603ea44f1c919bf13bf60b4.exe	81
PID 2644 set thread context of 4580	2644	WindowsService.exe	87
PID 2644 set thread context of 2156	2644	WindowsService.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe
Token: SeDebugPrivilege	4580	WindowsService.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3156	2e60b0b009b7b4b018add8a4d3457fcb770fea8a7603ea44f1c919bf13bf60b4.exe
3892	2e60b0b009b7b4b018add8a4d3457fcb770fea8a7603ea44f1c919bf13bf60b4.exe
2644	WindowsService.exe
4580	WindowsService.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 3892	3156	2e60b0b009b7b4b018add8a4d3457fcb770fea8a7603ea44f1c919bf13bf60b4.exe	81
PID 3156 wrote to memory of 3892	3156	2e60b0b009b7b4b018add8a4d3457fcb770fea8a7603ea44f1c919bf13bf60b4.exe	81
PID 3156 wrote to memory of 3892	3156	2e60b0b009b7b4b018add8a4d3457fcb770fea8a7603ea44f1c919bf13bf60b4.exe	81
PID 3156 wrote to memory of 3892	3156	2e60b0b009b7b4b018add8a4d3457fcb770fea8a7603ea44f1c919bf13bf60b4.exe	81
PID 3156 wrote to memory of 3892	3156	2e60b0b009b7b4b018add8a4d3457fcb770fea8a7603ea44f1c919bf13bf60b4.exe	81
PID 3156 wrote to memory of 3892	3156	2e60b0b009b7b4b018add8a4d3457fcb770fea8a7603ea44f1c919bf13bf60b4.exe	81
PID 3156 wrote to memory of 3892	3156	2e60b0b009b7b4b018add8a4d3457fcb770fea8a7603ea44f1c919bf13bf60b4.exe	81
PID 3156 wrote to memory of 3892	3156	2e60b0b009b7b4b018add8a4d3457fcb770fea8a7603ea44f1c919bf13bf60b4.exe	81
PID 3892 wrote to memory of 1796	3892	2e60b0b009b7b4b018add8a4d3457fcb770fea8a7603ea44f1c919bf13bf60b4.exe	82
PID 3892 wrote to memory of 1796	3892	2e60b0b009b7b4b018add8a4d3457fcb770fea8a7603ea44f1c919bf13bf60b4.exe	82
PID 3892 wrote to memory of 1796	3892	2e60b0b009b7b4b018add8a4d3457fcb770fea8a7603ea44f1c919bf13bf60b4.exe	82
PID 1796 wrote to memory of 4588	1796	cmd.exe	85
PID 1796 wrote to memory of 4588	1796	cmd.exe	85
PID 1796 wrote to memory of 4588	1796	cmd.exe	85
PID 3892 wrote to memory of 2644	3892	2e60b0b009b7b4b018add8a4d3457fcb770fea8a7603ea44f1c919bf13bf60b4.exe	86
PID 3892 wrote to memory of 2644	3892	2e60b0b009b7b4b018add8a4d3457fcb770fea8a7603ea44f1c919bf13bf60b4.exe	86
PID 3892 wrote to memory of 2644	3892	2e60b0b009b7b4b018add8a4d3457fcb770fea8a7603ea44f1c919bf13bf60b4.exe	86
PID 2644 wrote to memory of 4580	2644	WindowsService.exe	87
PID 2644 wrote to memory of 4580	2644	WindowsService.exe	87
PID 2644 wrote to memory of 4580	2644	WindowsService.exe	87
PID 2644 wrote to memory of 4580	2644	WindowsService.exe	87
PID 2644 wrote to memory of 4580	2644	WindowsService.exe	87
PID 2644 wrote to memory of 4580	2644	WindowsService.exe	87
PID 2644 wrote to memory of 4580	2644	WindowsService.exe	87
PID 2644 wrote to memory of 4580	2644	WindowsService.exe	87
PID 2644 wrote to memory of 2156	2644	WindowsService.exe	88
PID 2644 wrote to memory of 2156	2644	WindowsService.exe	88
PID 2644 wrote to memory of 2156	2644	WindowsService.exe	88
PID 2644 wrote to memory of 2156	2644	WindowsService.exe	88
PID 2644 wrote to memory of 2156	2644	WindowsService.exe	88
PID 2644 wrote to memory of 2156	2644	WindowsService.exe	88
PID 2644 wrote to memory of 2156	2644	WindowsService.exe	88
PID 2644 wrote to memory of 2156	2644	WindowsService.exe	88
PID 2644 wrote to memory of 2156	2644	WindowsService.exe	88
PID 2644 wrote to memory of 2156	2644	WindowsService.exe	88
PID 2644 wrote to memory of 2156	2644	WindowsService.exe	88
PID 2644 wrote to memory of 2156	2644	WindowsService.exe	88
PID 2644 wrote to memory of 2156	2644	WindowsService.exe	88
PID 2644 wrote to memory of 2156	2644	WindowsService.exe	88

C:\Users\Admin\AppData\Local\Temp\2e60b0b009b7b4b018add8a4d3457fcb770fea8a7603ea44f1c919bf13bf60b4.exe
"C:\Users\Admin\AppData\Local\Temp\2e60b0b009b7b4b018add8a4d3457fcb770fea8a7603ea44f1c919bf13bf60b4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Users\Admin\AppData\Local\Temp\2e60b0b009b7b4b018add8a4d3457fcb770fea8a7603ea44f1c919bf13bf60b4.exe
  "C:\Users\Admin\AppData\Local\Temp\2e60b0b009b7b4b018add8a4d3457fcb770fea8a7603ea44f1c919bf13bf60b4.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AFUVS.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe" /f
      4⤵
      Adds Run key to start application
      PID:4588
- - C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
    "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
      "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4580
  - - C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
      "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
      4⤵
      Executes dropped EXE
      PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AFUVS.txt

Filesize
157B

MD5
f6a90c20834f271a907a4e2bc28184c2

SHA1
36c9d1602b74f622346fbb22693597d7889df48d

SHA256
73f29cd953eee40cea4de67842556ffd96efe8094a6a9b70f33a35df2582febd

SHA512
39cabae19fe1faa37455e4bd242c868be60d6252b07f01224b3f7501c3cf734e503300b840d83381a452707cab6df2f95f920655884be56d4024676b26943804

Download Submit
C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe

Filesize
304KB

MD5
4a9a5e73769c1aa7f44e222203069964

SHA1
cc7d17e1d8e3dbd015aa4e04f7a280f5da8fcb56

SHA256
4cb1791a16c6b98e93dbd3ecc1c581b006ff247a3ce6a873e748dd0e148ceef6

SHA512
ea0f67c11e72f7dc9a7a0fca88450f5b3601ab97393d471d4b0ff9cf7cd17a2a338a39157cd02de3eaa7235713792e7a887f40b01d7f089c3a7be607c00aec25

Download Submit
memory/2156-57-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2156-55-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2156-42-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2156-46-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2156-48-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2156-44-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2644-35-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2644-47-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3156-13-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3156-0-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3156-5-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/3156-4-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3156-3-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/3892-8-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3892-10-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3892-53-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3892-6-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4580-54-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads