f8e31e7a15685a6f4fc5a6a13f04200066e5d43e748cb447a52609e93b156d21

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 09:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

982a0410fa8fbebbac455d7268098000N.exe
Size

134KB
MD5

982a0410fa8fbebbac455d7268098000
SHA1

62bd54d60f61a3b3e03d416e23bdd01980445bcb
SHA256

f8e31e7a15685a6f4fc5a6a13f04200066e5d43e748cb447a52609e93b156d21
SHA512

2c3a264b21222d097ad216545938dd0e434524c296cbc08d92a163963c0cb5aec2d6159aa877157648f623c379a2a9103780962dbb7b308102676f5e15e66878
SSDEEP

3072:Dxaw7lEvFCsE8uKqMJBrHnsAWNqubkdBytQlaVrAUdB1/:TlFstuKqMJ9Hn5WNqub/tpV841

Score

7^/10

persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	982a0410fa8fbebbac455d7268098000N.exe

Executes dropped EXE 3 IoCs

pid	Process
3756	trys.exe
2464	trys.exe
3856	trys.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4956-0-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/2524-5-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2524-7-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4956-10-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/2524-9-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0009000000023413-26.dat	upx
behavioral2/memory/3756-34-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/3756-37-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/3856-45-0x0000000013140000-0x0000000013162000-memory.dmp	upx
behavioral2/memory/3756-41-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/3856-47-0x0000000013140000-0x0000000013162000-memory.dmp	upx
behavioral2/memory/3856-49-0x0000000013140000-0x0000000013162000-memory.dmp	upx
behavioral2/memory/3756-54-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/3856-53-0x0000000013140000-0x0000000013162000-memory.dmp	upx
behavioral2/memory/3856-52-0x0000000013140000-0x0000000013162000-memory.dmp	upx
behavioral2/memory/2524-57-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2464-58-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ineter Mc = "C:\\Windows\\trys.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4956 set thread context of 2524	4956	982a0410fa8fbebbac455d7268098000N.exe	91
PID 3756 set thread context of 2464	3756	trys.exe	98
PID 3756 set thread context of 3856	3756	trys.exe	99

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\trys.exe	982a0410fa8fbebbac455d7268098000N.exe
File opened for modification	C:\Windows\trys.exe	982a0410fa8fbebbac455d7268098000N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe
Token: SeDebugPrivilege	2464	trys.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4956	982a0410fa8fbebbac455d7268098000N.exe
2524	982a0410fa8fbebbac455d7268098000N.exe
3756	trys.exe
3756	trys.exe
2464	trys.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 2524	4956	982a0410fa8fbebbac455d7268098000N.exe	91
PID 4956 wrote to memory of 2524	4956	982a0410fa8fbebbac455d7268098000N.exe	91
PID 4956 wrote to memory of 2524	4956	982a0410fa8fbebbac455d7268098000N.exe	91
PID 4956 wrote to memory of 2524	4956	982a0410fa8fbebbac455d7268098000N.exe	91
PID 4956 wrote to memory of 2524	4956	982a0410fa8fbebbac455d7268098000N.exe	91
PID 4956 wrote to memory of 2524	4956	982a0410fa8fbebbac455d7268098000N.exe	91
PID 4956 wrote to memory of 2524	4956	982a0410fa8fbebbac455d7268098000N.exe	91
PID 4956 wrote to memory of 2524	4956	982a0410fa8fbebbac455d7268098000N.exe	91
PID 2524 wrote to memory of 2496	2524	982a0410fa8fbebbac455d7268098000N.exe	92
PID 2524 wrote to memory of 2496	2524	982a0410fa8fbebbac455d7268098000N.exe	92
PID 2524 wrote to memory of 2496	2524	982a0410fa8fbebbac455d7268098000N.exe	92
PID 2496 wrote to memory of 1716	2496	cmd.exe	95
PID 2496 wrote to memory of 1716	2496	cmd.exe	95
PID 2496 wrote to memory of 1716	2496	cmd.exe	95
PID 2524 wrote to memory of 3756	2524	982a0410fa8fbebbac455d7268098000N.exe	96
PID 2524 wrote to memory of 3756	2524	982a0410fa8fbebbac455d7268098000N.exe	96
PID 2524 wrote to memory of 3756	2524	982a0410fa8fbebbac455d7268098000N.exe	96
PID 3756 wrote to memory of 2464	3756	trys.exe	98
PID 3756 wrote to memory of 2464	3756	trys.exe	98
PID 3756 wrote to memory of 2464	3756	trys.exe	98
PID 3756 wrote to memory of 2464	3756	trys.exe	98
PID 3756 wrote to memory of 2464	3756	trys.exe	98
PID 3756 wrote to memory of 2464	3756	trys.exe	98
PID 3756 wrote to memory of 2464	3756	trys.exe	98
PID 3756 wrote to memory of 2464	3756	trys.exe	98
PID 3756 wrote to memory of 3856	3756	trys.exe	99
PID 3756 wrote to memory of 3856	3756	trys.exe	99
PID 3756 wrote to memory of 3856	3756	trys.exe	99
PID 3756 wrote to memory of 3856	3756	trys.exe	99
PID 3756 wrote to memory of 3856	3756	trys.exe	99
PID 3756 wrote to memory of 3856	3756	trys.exe	99
PID 3756 wrote to memory of 3856	3756	trys.exe	99
PID 3756 wrote to memory of 3856	3756	trys.exe	99

C:\Users\Admin\AppData\Local\Temp\982a0410fa8fbebbac455d7268098000N.exe
"C:\Users\Admin\AppData\Local\Temp\982a0410fa8fbebbac455d7268098000N.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Users\Admin\AppData\Local\Temp\982a0410fa8fbebbac455d7268098000N.exe
  "C:\Users\Admin\AppData\Local\Temp\982a0410fa8fbebbac455d7268098000N.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KGFSI.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Ineter Mc" /t REG_SZ /d "C:\Windows\trys.exe" /f
      4⤵
      Adds Run key to start application
      PID:1716
- - C:\Windows\trys.exe
    "C:\Windows\trys.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3756
  - - C:\Windows\trys.exe
      "C:\Windows\trys.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2464
  - - C:\Windows\trys.exe
      "C:\Windows\trys.exe"
      4⤵
      Executes dropped EXE
      PID:3856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KGFSI.txt

Filesize
115B

MD5
721f40b829b989f3ed90feba41b75b51

SHA1
0bc3e723b65a94c6ffbb8e0b32c9aaa24d10fefd

SHA256
641cbc8ccc1d7ffe1030ff40ea930cad57a855c5fa275bff57745b62d4545a15

SHA512
d11fa35712baa83380b1515242d85c1ce84ade1bd3e62144906b40c6e2d42c748d7813faaf05e5514048be3ae47fb29986e0a808c93eabf7128f31300c4d972f

Download Submit
C:\Windows\trys.exe

Filesize
134KB

MD5
626b8f04e505a82cb1f5d4f41ddcb511

SHA1
e9e4f489e15a495a38e97198ec03590fe9b94423

SHA256
1403d8e81a18e91539c0094e72b4f0f1a1aca5fd85dd3dade77fd041b7306eb6

SHA512
8ca9b9f17740abeab6fd45671c52dfeb81836f3a8061cd05231d08f6bede6feed979311a7e1661a745c718d0056fc455946887d7195953d0e075a9185acdda5a

Download Submit
memory/2464-58-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2524-57-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2524-5-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2524-7-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2524-9-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3756-54-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3756-34-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3756-37-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3756-41-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3856-45-0x0000000013140000-0x0000000013162000-memory.dmp

Filesize
136KB

Download
memory/3856-47-0x0000000013140000-0x0000000013162000-memory.dmp

Filesize
136KB

Download
memory/3856-49-0x0000000013140000-0x0000000013162000-memory.dmp

Filesize
136KB

Download
memory/3856-53-0x0000000013140000-0x0000000013162000-memory.dmp

Filesize
136KB

Download
memory/3856-52-0x0000000013140000-0x0000000013162000-memory.dmp

Filesize
136KB

Download
memory/4956-10-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4956-0-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4956-4-0x0000000002E40000-0x0000000002E41000-memory.dmp

Filesize
4KB

Download
memory/4956-3-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads