Analysis
- max time kernel: 93s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20240730-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240730-en locale:en-us os:windows10-2004-x64 system
- submitted: 01-08-2024 12:35
Behavioral tasks
- behavioral1: sample 78743c3f85b3485ec2a49a07529bc760N.exe, resource win7-20240708-en
- behavioral2: sample 78743c3f85b3485ec2a49a07529bc760N.exe, resource win10v2004-20240730-en
General
- Target: 78743c3f85b3485ec2a49a07529bc760N.exe
- Size: 370KB
- MD5: 78743c3f85b3485ec2a49a07529bc760
- SHA1: 6efd2968bdbd316657417c708387bcb946ec714b
- SHA256: fd63c2da89f16a4a2db0a86f79472a72ffd4330458d12201fa0571dc94a1f28f
- SHA512: c7c65c2c921c59810ae754dd575222182900e7c5d88010df99da1ff952f1f5fab6e41ee66d40aca40195f28a79cb6e1c89e8c6132c5b59b73d691b6aa80ceea6
- SSDEEP: 6144:CuJkl8DV12C28tLN2/FkCO0aHftvCGCBhDOHjTPmXHk62pHj:CzGL2C2aZ2/F1XaveOHjTn
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
- 78743c3f85b3485ec2a49a07529bc760N.exe: key value queried \REGISTRY\USER\S-1-5-21-2951562807-3718269429-4208157415-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (1 IoC)
Processes:
- uxumh.exe (PID 3184)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
Processes:
- 78743c3f85b3485ec2a49a07529bc760N.exe: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- uxumh.exe: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
- PID 4528 (78743c3f85b3485ec2a49a07529bc760N.exe) wrote to memory of PID 3184 (uxumh.exe)
- PID 4528 (78743c3f85b3485ec2a49a07529bc760N.exe) wrote to memory of PID 3184 (uxumh.exe)
- PID 4528 (78743c3f85b3485ec2a49a07529bc760N.exe) wrote to memory of PID 3184 (uxumh.exe)
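The two behaviours the signatures above attribute to this sample, the Geo\Nation plus NLS\Language registry reads and the parent writing into the memory of the executable it just dropped, can be turned into a host-side detection. The following is an added example and is not part of the sandbox report or of any vendor's detection content: a small Python detector run over constructed Sysmon-style events. The log line format, the event type names (ProcessCreate, RegistryEvent, FileCreate, ProcessAccess) and the field names are assumptions made for this example; the PIDs, image paths and registry keys are the ones the report lists.

```python
"""Added example, not from the sandbox report: detect geofence-style registry
lookups and a parent writing into a child it dropped, over constructed events.

Assumed (hypothetical) log format, one event per line:
    <EventType> key1=value1 key2=value2 ...
Values may contain spaces and backslashes but never '='.
"""
import re
from collections import defaultdict

# Constructed sample log modelled on the report's IoCs; not captured from a real host.
# The explorer.exe lines are a benign decoy: a lone NLS\Language read is common.
SAMPLE_LOG = r"""
ProcessCreate pid=4528 image=C:\Users\Admin\AppData\Local\Temp\78743c3f85b3485ec2a49a07529bc760N.exe ppid=1234
RegistryEvent pid=4528 key=HKU\S-1-5-21-2951562807-3718269429-4208157415-1000\Control Panel\International\Geo\Nation
RegistryEvent pid=4528 key=HKLM\SYSTEM\ControlSet001\Control\NLS\Language
FileCreate pid=4528 path=C:\Users\Admin\AppData\Local\Temp\uxumh.exe
ProcessCreate pid=3184 image=C:\Users\Admin\AppData\Local\Temp\uxumh.exe ppid=4528
ProcessAccess pid=4528 target_pid=3184 access=0x1fffff call=WriteProcessMemory
RegistryEvent pid=3184 key=HKLM\SYSTEM\ControlSet001\Control\NLS\Language
ProcessCreate pid=5000 image=C:\Windows\explorer.exe ppid=1
RegistryEvent pid=5000 key=HKLM\SYSTEM\ControlSet001\Control\NLS\Language
ProcessAccess pid=5000 target_pid=3184 access=0x1000 call=OpenProcess
"""

# Registry key suffixes from the report's IoCs (hive prefix varies between tools).
GEO_KEY = r"\Control Panel\International\Geo\Nation"
LANG_KEY = r"\Control\NLS\Language"

# One key=value pair; the value runs until the next " name=" or end of line.
_FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_log(text):
    """Parse the assumed line format into a list of dicts with a 'type' field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        etype, _, rest = line.partition(" ")
        fields = {m.group(1): m.group(2) for m in _FIELD_RE.finditer(rest)}
        fields["type"] = etype
        events.append(fields)
    return events


def geofence_suspects(events):
    """PIDs that read both the Geo\\Nation value and the NLS\\Language key.

    Either read alone is weak evidence (locale-aware software does both);
    the pair, from a process in %TEMP%, matches the report's geofence pattern.
    """
    reads = defaultdict(set)
    for e in events:
        if e["type"] != "RegistryEvent":
            continue
        key = e["key"].lower()
        if key.endswith(GEO_KEY.lower()):
            reads[e["pid"]].add("geo")
        elif key.endswith(LANG_KEY.lower()):
            reads[e["pid"]].add("lang")
    return sorted(pid for pid, kinds in reads.items() if kinds == {"geo", "lang"})


def dropped_child_writes(events):
    """(writer_pid, target_pid, image) for WriteProcessMemory into a child that
    the writer both created on disk and launched, as in the report's IoCs."""
    created = {e["pid"]: e for e in events if e["type"] == "ProcessCreate"}
    dropped_by = {e["path"].lower(): e["pid"] for e in events if e["type"] == "FileCreate"}
    hits = []
    for e in events:
        if e["type"] != "ProcessAccess" or e.get("call") != "WriteProcessMemory":
            continue
        target = created.get(e["target_pid"])
        if target is None:
            continue
        image = target["image"].lower()
        if target["ppid"] == e["pid"] and dropped_by.get(image) == e["pid"]:
            hits.append((e["pid"], e["target_pid"], target["image"]))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("geofence suspects:", geofence_suspects(evs))
    for src, dst, img in dropped_child_writes(evs):
        print(f"PID {src} wrote into dropped child PID {dst} ({img})")
```

Run against the constructed log, only PID 4528 trips the geofence rule (explorer.exe and uxumh.exe read NLS\Language but never Geo\Nation), and the single WriteProcessMemory hit is 4528 into 3184, the uxumh.exe it had just written to %TEMP% and launched. The OpenProcess from PID 5000 is deliberately ignored: the rule keys on the write, not on any handle to the child.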
Processes
- C:\Users\Admin\AppData\Local\Temp\78743c3f85b3485ec2a49a07529bc760N.exe "C:\Users\Admin\AppData\Local\Temp\78743c3f85b3485ec2a49a07529bc760N.exe" (level 1, PID 4528)
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\uxumh.exe "C:\Users\Admin\AppData\Local\Temp\uxumh.exe" (level 2, PID 3184)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 512B
  MD5: 8007db22973fa49184ba65ae2350178b
  SHA1: 170d310e840a1c7c11db01c5c84a9604e4c22301
  SHA256: c09c90f054686d30cc3aba3b62300cfd5b46e389809d938255ea186f79acdeb0
  SHA512: 775ac014c069a69d225e679e50684bbc32d757c4c068e07d32a5f62b25f2ec93daf98b1e84afea7117c28c92915836845c8f77faa197409391757da061277db6
- Filesize: 370KB
  MD5: 67fe85901cbfe05bf6852001fb2ce761
  SHA1: 0c353b3c4d080359d521c53597e5883fdad8e95f
  SHA256: 4c226733d8f3a5743200e61ffc91bdd7b785a04041669c30c097d9ef67cf8ee4
  SHA512: e05d89149fc7a89ab861fbb4ff43c96391279324e092bfd46dc1fa4ef8f4cb12ef8b7a24c04168b44e6cc42edaab41fa56a7bf11c1b2c13d141b1b006c65483d