b09e310442fe5a9f3b0a8fba7e913e2bb06c72f87a5bc3043eb059d64c0c7069

Analysis

max time kernel
119s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
16/07/2024, 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b235e8de79b0191a83d3b49aa7048f40N.exe
Size

84KB
MD5

b235e8de79b0191a83d3b49aa7048f40
SHA1

4c1de2173bfaa53140aa8ee0cef628aa76edebb7
SHA256

b09e310442fe5a9f3b0a8fba7e913e2bb06c72f87a5bc3043eb059d64c0c7069
SHA512

d6bf52ddeb8eca5859d8cdb7026e5c6de5c279823fca18a2eb74a05b8497f4124f4e866bf8fd254f9f25dcca7ff2e369893f69dbb04ba725d0629c2df347b41f
SSDEEP

1536:1clIGFNMi+hJUneHoGTvvv4V9hqdhbtgS:+RMi+fUnCTvvv4V9hEhbCS

Score

7^/10

persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	b235e8de79b0191a83d3b49aa7048f40N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	lsass.exe

Executes dropped EXE 4 IoCs

pid	Process
1568	lsass.exe
4476	lsass.exe
2328	lsass.exe
2732	lsass.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2172-2-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2172-13-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2172-14-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2172-40-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4476-54-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2172-59-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4476-89-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audio Driver = "C:\\Users\\Admin\\AppData\\Roaming\\system\\lsass.exe"	reg.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3180 set thread context of 2172	3180	b235e8de79b0191a83d3b49aa7048f40N.exe	86
PID 1568 set thread context of 4476	1568	lsass.exe	95
PID 1568 set thread context of 2328	1568	lsass.exe	96
PID 2328 set thread context of 2732	2328	lsass.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe
Token: SeDebugPrivilege	4476	lsass.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3180	b235e8de79b0191a83d3b49aa7048f40N.exe
2172	b235e8de79b0191a83d3b49aa7048f40N.exe
1568	lsass.exe
4476	lsass.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3180 wrote to memory of 2172	3180	b235e8de79b0191a83d3b49aa7048f40N.exe	86
PID 3180 wrote to memory of 2172	3180	b235e8de79b0191a83d3b49aa7048f40N.exe	86
PID 3180 wrote to memory of 2172	3180	b235e8de79b0191a83d3b49aa7048f40N.exe	86
PID 3180 wrote to memory of 2172	3180	b235e8de79b0191a83d3b49aa7048f40N.exe	86
PID 3180 wrote to memory of 2172	3180	b235e8de79b0191a83d3b49aa7048f40N.exe	86
PID 3180 wrote to memory of 2172	3180	b235e8de79b0191a83d3b49aa7048f40N.exe	86
PID 3180 wrote to memory of 2172	3180	b235e8de79b0191a83d3b49aa7048f40N.exe	86
PID 3180 wrote to memory of 2172	3180	b235e8de79b0191a83d3b49aa7048f40N.exe	86
PID 2172 wrote to memory of 376	2172	b235e8de79b0191a83d3b49aa7048f40N.exe	87
PID 2172 wrote to memory of 376	2172	b235e8de79b0191a83d3b49aa7048f40N.exe	87
PID 2172 wrote to memory of 376	2172	b235e8de79b0191a83d3b49aa7048f40N.exe	87
PID 376 wrote to memory of 2644	376	cmd.exe	90
PID 376 wrote to memory of 2644	376	cmd.exe	90
PID 376 wrote to memory of 2644	376	cmd.exe	90
PID 2172 wrote to memory of 1568	2172	b235e8de79b0191a83d3b49aa7048f40N.exe	91
PID 2172 wrote to memory of 1568	2172	b235e8de79b0191a83d3b49aa7048f40N.exe	91
PID 2172 wrote to memory of 1568	2172	b235e8de79b0191a83d3b49aa7048f40N.exe	91
PID 1568 wrote to memory of 4476	1568	lsass.exe	95
PID 1568 wrote to memory of 4476	1568	lsass.exe	95
PID 1568 wrote to memory of 4476	1568	lsass.exe	95
PID 1568 wrote to memory of 4476	1568	lsass.exe	95
PID 1568 wrote to memory of 4476	1568	lsass.exe	95
PID 1568 wrote to memory of 4476	1568	lsass.exe	95
PID 1568 wrote to memory of 4476	1568	lsass.exe	95
PID 1568 wrote to memory of 4476	1568	lsass.exe	95
PID 1568 wrote to memory of 2328	1568	lsass.exe	96
PID 1568 wrote to memory of 2328	1568	lsass.exe	96
PID 1568 wrote to memory of 2328	1568	lsass.exe	96
PID 1568 wrote to memory of 2328	1568	lsass.exe	96
PID 1568 wrote to memory of 2328	1568	lsass.exe	96
PID 1568 wrote to memory of 2328	1568	lsass.exe	96
PID 1568 wrote to memory of 2328	1568	lsass.exe	96
PID 2328 wrote to memory of 2732	2328	lsass.exe	97
PID 2328 wrote to memory of 2732	2328	lsass.exe	97
PID 2328 wrote to memory of 2732	2328	lsass.exe	97
PID 2328 wrote to memory of 2732	2328	lsass.exe	97
PID 2328 wrote to memory of 2732	2328	lsass.exe	97
PID 2328 wrote to memory of 2732	2328	lsass.exe	97
PID 2328 wrote to memory of 2732	2328	lsass.exe	97

C:\Users\Admin\AppData\Local\Temp\b235e8de79b0191a83d3b49aa7048f40N.exe
"C:\Users\Admin\AppData\Local\Temp\b235e8de79b0191a83d3b49aa7048f40N.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Users\Admin\AppData\Local\Temp\b235e8de79b0191a83d3b49aa7048f40N.exe
  "C:\Users\Admin\AppData\Local\Temp\b235e8de79b0191a83d3b49aa7048f40N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XXJRI.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:376
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Audio Driver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\lsass.exe" /f
      4⤵
      Adds Run key to start application
      PID:2644
- - C:\Users\Admin\AppData\Roaming\system\lsass.exe
    "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1568
  - - C:\Users\Admin\AppData\Roaming\system\lsass.exe
      "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4476
  - - C:\Users\Admin\AppData\Roaming\system\lsass.exe
      "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2328
    - - C:\Users\Admin\AppData\Roaming\system\lsass.exe
        
        "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cxz.exe

Filesize
294B

MD5
c03635e0314ab006236b1d48eca01a0a

SHA1
a4197283876685d4d1a68f054c1c987be10184d0

SHA256
d7bfb8fe53ac288c1ce872b84e60318c1ddd5dcab3006393815c29a15ff53a79

SHA512
76d8fb1696390c2695c9ab52b0d5389842c896a3d57ccadbbcec821a7fd8cb2b4dc42d4a5a0248f02dd513986b4e668e5e1a471f5469b521d025db69e2cf8ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XXJRI.txt

Filesize
146B

MD5
c8cba0a9d4d5600b5f53c4c0681d1115

SHA1
0e5348e210ca70b2b0ffdc3ff7e6f611716df80c

SHA256
ca2b63f6d7bf17480415ae93e115bf9f9699335e84e62719eefdbcc5a78bd2e1

SHA512
a2ad6eb5ae2f6d57ca15363ac2f0c57ca3580474e94b9c010750948814cf4d5ffa0c3e7ef44634a3593da23f56011703ff220a3d7780f6f01785bf3b6676ced0

Download Submit
C:\Users\Admin\AppData\Roaming\system\lsass.exe

Filesize
84KB

MD5
ced8a6b9c772cbae2196f6d00711e583

SHA1
27d61fb77feb9106725aa35ca38a25f0e8cd94fa

SHA256
b39f1063dcc6b0923cca20db8075cbf30aad00dcbc2cf10772ae6425fa369cde

SHA512
cb19e774ea0721c73bb2324ffa3c8cd880a944c91e2af8857dd7a46eed6ffcbaf2269a329f84c3ac2cf80cc26e80e9b34ad0d49e9f718a392a75fc6cd14a455d

Download Submit
memory/1568-53-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2172-14-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2172-59-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2172-2-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2172-40-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2172-13-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2328-44-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2328-61-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2328-55-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2328-56-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2328-49-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2732-60-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2732-87-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2732-65-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/3180-10-0x0000000002190000-0x0000000002191000-memory.dmp

Filesize
4KB

Download
memory/3180-9-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/3180-11-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/3180-8-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3180-6-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/3180-12-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/3180-5-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/3180-7-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/4476-54-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4476-89-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads