Analysis

  • max time kernel
    105s
  • max time network
    106s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-07-2024 07:14

General

  • Target

    85c739a75f0bab15342d19de2b8420d0N.exe

  • Size

    36KB

  • MD5

    85c739a75f0bab15342d19de2b8420d0

  • SHA1

    238993d4b5a6e687e2de92ad130bbe3948913129

  • SHA256

    0113d751d6fae6c2bd30212658ced172a5196ba6e95d14dc653042292febef8c

  • SHA512

    fded27abb8b218acff0d9c1fe3b73c743c3945a3d0ea5c29fa8f4116aea225a066f98ccd671103d94ce205569dfe2d52a375fa05567066ab433b9c7ac5ec5117

  • SSDEEP

    768:Jmao9Gg4IZq1B6GnbcuyD7Uvu5RRYTnmeyZHJf0qW46DgGTrj9qWHx3SU:+Gg1c1QGnouy8vu5nYjmLJJcfpj9qWHE

Score
7/10
upx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\85c739a75f0bab15342d19de2b8420d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\85c739a75f0bab15342d19de2b8420d0N.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:408
    • C:\Users\Admin\AppData\Local\Temp\806B.tmp
      C:\Users\Admin\AppData\Local\Temp\806B.tmp C:\Users\Admin\AppData\Local\Temp
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2452
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat" "
        3⤵
        PID:3280
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat" "
        3⤵
        PID:1516

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\806B.tmp
    Filesize
    13KB
    MD5
    c798b425570b6b375bee7a6898197e99
    SHA1
    ac53c57da4bd29bf0595bc6458204d307ad6a2de
    SHA256
    2cd3df9fd104d21ddfb298cb008410369ba0827d71f046f4d0abc0306ba34662
    SHA512
    7c1c7ace9b777df5f937daba3f2e043044db75d767d2ca8999668cb0fb0c1a7c8e98d1af024e12b7243225f38a95040427764348ee58a23c63a2696398adf3e1

  • C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat
    Filesize
    191B
    MD5
    63224d4cf6405631b7bb89f67ab217a6
    SHA1
    b958e549efffb0aca78e758f2e48544da9e55845
    SHA256
    9105e418064105d75671f37341195c33feeb8ae9b45cffd949453ec27761b1ad
    SHA512
    608d1a7478c974205fa6a5b54ac6eb29384203dd73e06417bf92048b63d5fbc76f706f5f88d1690264c7c9ac7021fb475ceacb0f5098a6bcd331e75bdd5cae96

  • C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat
    Filesize
    104B
    MD5
    8c30c36020cc244604f805ea3aae60db
    SHA1
    2dcb8659d56bbdb32b98d5b138d342a577919630
    SHA256
    cc8e59ca43cf283fd57ac803b46526852e165da0b83c60d0f77266c67703c22d
    SHA512
    e9bcc7ea6694bb920253b5a28e6d48d3c08dd6abf5bcca9b6d50181efe6b5e0be5e41475a92588caa5bff1dc7d019b29d32143390bc48dc5091707ad81c8c7c3

  • C:\Users\Admin\AppData\Local\Temp\tmpfile0.tmp
    Filesize
    14B
    MD5
    ce585c6ba32ac17652d2345118536f9c
    SHA1
    be0e41b3690c42e4c0cdb53d53fc544fb46b758d
    SHA256
    589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3
    SHA512
    d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752

  • memory/408-0-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize
    96KB

  • memory/408-8-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize
    96KB

  • memory/2452-5-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize
    28KB

  • memory/2452-17-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize
    28KB