bf8af655ee4cb83a11232fc6053daab65cb49f4d68cb24196de2eb3bcee32a10

Analysis

max time kernel
142s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2024 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf8af655ee4cb83a11232fc6053daab65cb49f4d68cb24196de2eb3bcee32a10.exe
Size

95KB
MD5

27fbd97392b14b3d4cf565d2a56d412e
SHA1

ae3c4080559cb2201df7c3eddc9a0d559183d6a2
SHA256

bf8af655ee4cb83a11232fc6053daab65cb49f4d68cb24196de2eb3bcee32a10
SHA512

602fb7876486b0c1d78776a6870d3a5f1c0c27347266968d098de8a3ae3ace7da17ffb1d518a759a20442512f78f365bf0a4b55dbb291c402a6ca9f4896eda57
SSDEEP

1536:EGqRGbQHSgOTw1BFxnsUdsdBhMgxRFy2kckEUEVvccRPAAXLSYPph/ATvYSByU62:lbjgjXxdWBhMwRFy2Rk/kcIAebPph/At

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation	cmd.exe

Deletes itself 1 IoCs

pid	Process
3224	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
4916	rMX.exe
3380	rMX.exe.exe
2900	rMX.exe
1088	rMX.exe
2872	rMX.exe
756	rMX.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1088-21-0x0000000010000000-0x000000001002A000-memory.dmp	upx
behavioral2/memory/1088-27-0x0000000010000000-0x000000001002A000-memory.dmp	upx
behavioral2/memory/1088-22-0x0000000010000000-0x000000001002A000-memory.dmp	upx
behavioral2/memory/1088-20-0x0000000010000000-0x000000001002A000-memory.dmp	upx
behavioral2/memory/1088-35-0x0000000010000000-0x000000001002A000-memory.dmp	upx
behavioral2/memory/1088-34-0x0000000010000000-0x000000001002A000-memory.dmp	upx

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2900 set thread context of 1088	2900	rMX.exe	91
PID 2900 set thread context of 2872	2900	rMX.exe	92
PID 2900 set thread context of 756	2900	rMX.exe	93

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\VWFLH\rMX.exe	rMX.exe.exe
File created	\??\c:\windows\rMX.exe.bat	rMX.exe
File created	C:\WINDOWS\VWFLH\rMX.exe	bf8af655ee4cb83a11232fc6053daab65cb49f4d68cb24196de2eb3bcee32a10.exe
File opened for modification	C:\WINDOWS\VWFLH\rMX.exe	bf8af655ee4cb83a11232fc6053daab65cb49f4d68cb24196de2eb3bcee32a10.exe
File created	C:\WINDOWS\VWFLH\rMX.exe.exe	rMX.exe
File created	C:\WINDOWS\VWFLH\rMX.exe	rMX.exe.exe
File created	\??\c:\windows\rMX.exe.bat	rMX.exe
File opened for modification	C:\WINDOWS\VWFLH\rMX.exe.exe	rMX.exe
File opened for modification	\??\c:\windows\nk.txt	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
828	2872	WerFault.exe	92
216	756	WerFault.exe	93

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1088	rMX.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 4916	3588	bf8af655ee4cb83a11232fc6053daab65cb49f4d68cb24196de2eb3bcee32a10.exe	82
PID 3588 wrote to memory of 4916	3588	bf8af655ee4cb83a11232fc6053daab65cb49f4d68cb24196de2eb3bcee32a10.exe	82
PID 3588 wrote to memory of 4916	3588	bf8af655ee4cb83a11232fc6053daab65cb49f4d68cb24196de2eb3bcee32a10.exe	82
PID 4916 wrote to memory of 3080	4916	rMX.exe	83
PID 4916 wrote to memory of 3080	4916	rMX.exe	83
PID 4916 wrote to memory of 3080	4916	rMX.exe	83
PID 4916 wrote to memory of 3480	4916	rMX.exe	84
PID 4916 wrote to memory of 3480	4916	rMX.exe	84
PID 4916 wrote to memory of 3480	4916	rMX.exe	84
PID 3588 wrote to memory of 4860	3588	bf8af655ee4cb83a11232fc6053daab65cb49f4d68cb24196de2eb3bcee32a10.exe	86
PID 3588 wrote to memory of 4860	3588	bf8af655ee4cb83a11232fc6053daab65cb49f4d68cb24196de2eb3bcee32a10.exe	86
PID 3588 wrote to memory of 4860	3588	bf8af655ee4cb83a11232fc6053daab65cb49f4d68cb24196de2eb3bcee32a10.exe	86
PID 3480 wrote to memory of 3380	3480	cmd.exe	89
PID 3480 wrote to memory of 3380	3480	cmd.exe	89
PID 3480 wrote to memory of 3380	3480	cmd.exe	89
PID 3380 wrote to memory of 2900	3380	rMX.exe.exe	90
PID 3380 wrote to memory of 2900	3380	rMX.exe.exe	90
PID 3380 wrote to memory of 2900	3380	rMX.exe.exe	90
PID 2900 wrote to memory of 1088	2900	rMX.exe	91
PID 2900 wrote to memory of 1088	2900	rMX.exe	91
PID 2900 wrote to memory of 1088	2900	rMX.exe	91
PID 2900 wrote to memory of 1088	2900	rMX.exe	91
PID 2900 wrote to memory of 1088	2900	rMX.exe	91
PID 2900 wrote to memory of 1088	2900	rMX.exe	91
PID 2900 wrote to memory of 1088	2900	rMX.exe	91
PID 2900 wrote to memory of 1088	2900	rMX.exe	91
PID 2900 wrote to memory of 2872	2900	rMX.exe	92
PID 2900 wrote to memory of 2872	2900	rMX.exe	92
PID 2900 wrote to memory of 2872	2900	rMX.exe	92
PID 2900 wrote to memory of 2872	2900	rMX.exe	92
PID 2900 wrote to memory of 756	2900	rMX.exe	93
PID 2900 wrote to memory of 756	2900	rMX.exe	93
PID 2900 wrote to memory of 756	2900	rMX.exe	93
PID 2900 wrote to memory of 756	2900	rMX.exe	93
PID 3380 wrote to memory of 1324	3380	rMX.exe.exe	94
PID 3380 wrote to memory of 1324	3380	rMX.exe.exe	94
PID 3380 wrote to memory of 1324	3380	rMX.exe.exe	94
PID 4860 wrote to memory of 3224	4860	cmd.exe	101
PID 4860 wrote to memory of 3224	4860	cmd.exe	101
PID 4860 wrote to memory of 3224	4860	cmd.exe	101
PID 1324 wrote to memory of 2364	1324	cmd.exe	102
PID 1324 wrote to memory of 2364	1324	cmd.exe	102
PID 1324 wrote to memory of 2364	1324	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\bf8af655ee4cb83a11232fc6053daab65cb49f4d68cb24196de2eb3bcee32a10.exe
"C:\Users\Admin\AppData\Local\Temp\bf8af655ee4cb83a11232fc6053daab65cb49f4d68cb24196de2eb3bcee32a10.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3588
- C:\WINDOWS\VWFLH\rMX.exe
  C:\WINDOWS\VWFLH\rMX.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo 0>>c:\windows\nk.txt
    3⤵
    - Drops file in Windows directory
    PID:3080
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\WINDOWS\VWFLH\rMX.exe.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3480
  - - C:\WINDOWS\VWFLH\rMX.exe.exe
      C:\WINDOWS\VWFLH\rMX.exe.exe
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:3380
    - - C:\WINDOWS\VWFLH\rMX.exe
        
        C:\WINDOWS\VWFLH\rMX.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2900
      - C:\WINDOWS\VWFLH\rMX.exe
        
        C:\WINDOWS\VWFLH\rMX.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
      - C:\WINDOWS\VWFLH\rMX.exe
        
        C:\WINDOWS\VWFLH\rMX.exe
        6⤵
        Executes dropped EXE
        
        PID:2872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 80
        7⤵
        Program crash
        
        PID:828
      - C:\WINDOWS\VWFLH\rMX.exe
        
        C:\WINDOWS\VWFLH\rMX.exe
        6⤵
        Executes dropped EXE
        
        PID:756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 80
        7⤵
        Program crash
        
        PID:216
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\54.vbs
        5⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1324
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\54.vbs"
        6⤵
        
        PID:2364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\34.vbs
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\34.vbs"
    3⤵
    - Deletes itself
    PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 756 -ip 756
1⤵
PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2872 -ip 2872
1⤵
PID:3216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\34.vbs

Filesize
236B

MD5
289ed9c78d637f442fb0d9265420ebe1

SHA1
6a0ede9a06a7b32e1ef24f4271f056b77a2a918d

SHA256
bfce282bd64be5ca7ff9373d257bfa949f278a44407836c607e3394e35f492f9

SHA512
5bf835e82d436704d012f2e619be2257741326f1e84f3b42772b20477a7d3c7a343f9b8a92c038bbed9e0ee20a193153f4bc9aae3f3d4ab06fb9c941bb2f4d5d

Download Submit
C:\54.vbs

Filesize
162B

MD5
c4299fd0fd73ec4d00555bc6df9f231d

SHA1
44d2e8a80ccf6b5dbfd4edc0897707e264c8652a

SHA256
6600d0dea3a5dc9e12332b8bb3c0b79796b06fa88abe1bb370aac7e508ccdf35

SHA512
34e1f06a036f45d83c230d66749333fef42abdcf86006f2cffb59466ba001e673ef53232a605c979893771d3a1063852ef269cbb829bb32305366867316fa152

Download Submit
C:\Windows\VWFLH\rMX.exe

Filesize
95KB

MD5
27fbd97392b14b3d4cf565d2a56d412e

SHA1
ae3c4080559cb2201df7c3eddc9a0d559183d6a2

SHA256
bf8af655ee4cb83a11232fc6053daab65cb49f4d68cb24196de2eb3bcee32a10

SHA512
602fb7876486b0c1d78776a6870d3a5f1c0c27347266968d098de8a3ae3ace7da17ffb1d518a759a20442512f78f365bf0a4b55dbb291c402a6ca9f4896eda57

Download Submit
C:\Windows\VWFLH\rMX.exe.exe

Filesize
95KB

MD5
429d5bf656780d098181f5c530d10ed4

SHA1
b0ef7f73433025abd1442f94a5b01479fe525c40

SHA256
ceacce1f1b6a024ab63ec126a030472a5fd5ff4f4e664f7c52eac200bb960920

SHA512
db5a152caf7e88e5d9d1a0fa57ab2ee6af146c973cbb40157ce74898f69ba3c9a48a79bd4d5a673ae37c97f16f403e4a68266c9897bc2359bc8fd0ed464aa175

Download Submit
memory/1088-35-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/1088-27-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/1088-22-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/1088-20-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/1088-21-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/1088-34-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/2900-32-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download
memory/3380-33-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download
memory/3588-10-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download
memory/4916-9-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download