5cca916c65c66e18fee71185f716090f8b69894f7a2a9a2a3568f599e6a9882a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cca916c65c66e18fee71185f716090f8b69894f7a2a9a2a3568f599e6a9882a.exe
Size

3.5MB
MD5

2868f61931a02dbbc3590b81aa0e607e
SHA1

aab4aace0e4af4e8b4c78e24c5e731241b8d9751
SHA256

5cca916c65c66e18fee71185f716090f8b69894f7a2a9a2a3568f599e6a9882a
SHA512

c183b70a445ef2a1e572b2cb761c97e10c4fc9de0581327ec859d1a17cd9879327febadae8d5536b6d9b649cbb6c86b3e73def60d021b2d6a94cda56ab5fbc1a
SSDEEP

98304:oJcUQLUGrupm8ECjd5bzSq6uxlZKL+DIvb+RB07K:GPGZKm8Ee7z7RMiXnF

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation	5cca916c65c66e18fee71185f716090f8b69894f7a2a9a2a3568f599e6a9882a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation	irsetup.exe

Executes dropped EXE 2 IoCs

pid	Process
1252	irsetup.exe
3364	load.exe

Loads dropped DLL 2 IoCs

pid	Process
1252	irsetup.exe
3364	load.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023382-5.dat	upx
behavioral2/memory/1252-12-0x0000000000C00000-0x0000000000FE8000-memory.dmp	upx
behavioral2/memory/1252-93-0x0000000000C00000-0x0000000000FE8000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5cca916c65c66e18fee71185f716090f8b69894f7a2a9a2a3568f599e6a9882a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	irsetup.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000_Classes\Local Settings	irsetup.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1928	WINWORD.EXE
1928	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1252	irsetup.exe
1252	irsetup.exe
1252	irsetup.exe
1928	WINWORD.EXE
1928	WINWORD.EXE
1928	WINWORD.EXE
1928	WINWORD.EXE
1928	WINWORD.EXE
1928	WINWORD.EXE
1928	WINWORD.EXE
1928	WINWORD.EXE
1928	WINWORD.EXE
1928	WINWORD.EXE
1928	WINWORD.EXE
1928	WINWORD.EXE
1928	WINWORD.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1252	1972	5cca916c65c66e18fee71185f716090f8b69894f7a2a9a2a3568f599e6a9882a.exe	86
PID 1972 wrote to memory of 1252	1972	5cca916c65c66e18fee71185f716090f8b69894f7a2a9a2a3568f599e6a9882a.exe	86
PID 1972 wrote to memory of 1252	1972	5cca916c65c66e18fee71185f716090f8b69894f7a2a9a2a3568f599e6a9882a.exe	86
PID 1252 wrote to memory of 1928	1252	irsetup.exe	88
PID 1252 wrote to memory of 1928	1252	irsetup.exe	88
PID 1252 wrote to memory of 3364	1252	irsetup.exe	89
PID 1252 wrote to memory of 3364	1252	irsetup.exe	89

C:\Users\Admin\AppData\Local\Temp\5cca916c65c66e18fee71185f716090f8b69894f7a2a9a2a3568f599e6a9882a.exe
"C:\Users\Admin\AppData\Local\Temp\5cca916c65c66e18fee71185f716090f8b69894f7a2a9a2a3568f599e6a9882a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1928226 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\5cca916c65c66e18fee71185f716090f8b69894f7a2a9a2a3568f599e6a9882a.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2927035347-1736702767-189270196-1000"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Public\tmp\document.docx" /o ""
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:1928
- - C:\Users\Public\load.exe
    "C:\Users\Public\load.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCD1042.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG

Filesize
2KB

MD5
3220a6aefb4fc719cc8849f060859169

SHA1
85f624debcefd45fdfdf559ac2510a7d1501b412

SHA256
988cf422cbf400d41c48fbe491b425a827a1b70691f483679c1df02fb9352765

SHA512
5c45ea8f64b3cdfb262c642bd36b08c822427150d28977af33c9021a6316b6efed83f3172c16343fd703d351af3966b06926e5b33630d51b723709712689881d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
7eb6266334c70e3ffa235d2571614734

SHA1
de003214a0034ca3dbe9ed35f482f2aaa235c5d7

SHA256
0249a947699c4b9678718905d93811a0abb4e1b9528c405f70102ceea68bb00f

SHA512
f965de30102d1ca4f305379ce719378dc9bf23fb461318558548df9304154636123b4dea8ce19bc339d53f4c0bfc85205807250fe253d763da08105336ecac0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
e7a789232ef503dcb4929791673009a3

SHA1
8bc28bce4c9d8b4a6e360100441ba54a878de4c1

SHA256
89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1

SHA512
6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
322B

MD5
a6884ee5f495b0e9586f403834d778a6

SHA1
f3edb6b8f7cc58099f58cd2ac8b776e21092197c

SHA256
8f87478bce607a89fb729ec7f8938ef884e8d6ba933ae96341e4460ccc7a9d3b

SHA512
fcdfb398d1ef40026a1f8978242bda564e41df4c73a4aca8c81a53aed2ce870c53eb51e23a8d1a0c9ae80ebb5773cb9f249a47586876c7e1fbc108a4afcfd5f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
d4d394fbb0b0eb71b5a4cfcf940fdc4e

SHA1
e08cc79e3edc32ad99abf116174a9a21c72c0eb1

SHA256
a50beb734560a598bd93d23633227503d735aec4adbe5f3d73bd7198a5c4e2fe

SHA512
fa8e7421e93f60c8561ffb6704dcaa8e409b12f483a16b9433aaade0e0323134aa5054dbf5518e06be5a053d53f8728a9c2b3d9c11cab6edda2dc6877cad82be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
1833fffb01a67c73b196f8b9564de5db

SHA1
7162ab2552dd6023f2b67e6fb46aa26659bea108

SHA256
e0347fe501072137fc7b7aebceadf6f230558b0d9d823d27bfbb6f168b8e78ac

SHA512
22cedfee9498cf39397fbf616f22041cde2495dd1a07bafe00bd7347fe1a84cb7bcdaecbec32ce1a3ed7acb6fd355b38cf41362ebed3afa8fcd0720b2d82dfa9

Download Submit
C:\Users\Public\Uninstall\uninstall.xml

Filesize
7KB

MD5
f283283b852999c43e9df5755aea5974

SHA1
007eecdd9af07610608c80ed9b03cca7a6c873c2

SHA256
3b39cc6270aa5e18eb7a13d81e75dc469b2900e135fc8139be123f9a357f7c60

SHA512
f45e66e6fee5b60cb11741f476d1132fcfa2327b93730f8ca316e45b2b4bfd987b005224fc16628b9573cba0c9eee8f141579df40c0877d9efc5f892c5004c83

Download Submit
C:\Users\Public\lang.dll

Filesize
183KB

MD5
13274229a2af30f6e20ee9c0f20108d2

SHA1
a27e58fdcf833206946ce8d92a852782a280d0eb

SHA256
215c9890c3259f3ca89368c12df1691a82516cfd42df1128983ce36047c81273

SHA512
862e9125b19850a6a07e312854ec34492b584b6f7831463aa94e40ba92b3518db2a1b587d7716b2a70860faa891a17110d9805c167ef64a40731b857c6f0f7c6

Download Submit
C:\Users\Public\load.exe

Filesize
28KB

MD5
16c577b885a3293edb8ac665b2070b42

SHA1
4876900fdb45b6ff78851eb9ed319760f72904f1

SHA256
16dc6ec0d946d0aabfdcf8975dffc5a914ef09c9a6ddc86bd5f8c7030c56e1e2

SHA512
b69dfc1b91063d171f5756d9def0b5616f9871b711305c436e2c6e0a163a98a8ed1dad60dc7dcc2a7ffbe81ae037089f9f7fde448eb5515b34846b04b87050a3

Download Submit
C:\Users\Public\tmp\document.docx

Filesize
1.3MB

MD5
3c864941dbc7c30b91700d20e038db33

SHA1
6d717e5030917bd33ce817b30d61c705a23e72ed

SHA256
8442767b5ed63b7d76b7f8d6738402ef0561fefc811684495ae89ecd05f11ff6

SHA512
10e151c448f28fd5e9a883194a716f81769145de3657c6e152f6b821d252142d8ca713b5d68e915f660a975344331fbf0f50668836999cd97f2cb43dbc34f9a4

Download Submit
C:\Users\Public\tmp\~$cument.docx

Filesize
162B

MD5
e3607c300f8b4d23e10205903b7ad8d5

SHA1
285404c8b6ee1c8fbc4b4ec05f6e842cddb04773

SHA256
8986f5f98a2617dbf5ef61354260003f097253e8b13a72b7ff9cc3d673b94bf6

SHA512
de0aed25da2a1452dd0f3c85a2a9784597f14f69b2a93a2775f9d18d2f6908d5cac8825e2384a9456a20f4d0f9eee4671b57c32b2ef17436d584a7f29a5b0d86

Download Submit
C:\Users\Public\zh-cn

Filesize
289KB

MD5
819f068ac3ba2f08b55c2a0f6b771583

SHA1
3685b6d73f076ea5c8a94c833c0c9ca619807ab2

SHA256
6f817f367849b33de103f1d1a135ed7832874ba2ad42a3fb25f20c71f2db04bf

SHA512
209f77f0a790dff544eb5d1c57b9200ed0676a5be2c98529d85e3f0ce0b613aa395f1274ce70c33998ec0603b3dd4479bc91005c74fbdd35467544902e931c15

Download Submit
memory/1252-93-0x0000000000C00000-0x0000000000FE8000-memory.dmp

Filesize
3.9MB

Download
memory/1252-12-0x0000000000C00000-0x0000000000FE8000-memory.dmp

Filesize
3.9MB

Download
memory/1928-94-0x00007FF8D63B0000-0x00007FF8D63C0000-memory.dmp

Filesize
64KB

Download
memory/1928-313-0x00007FF8D63B0000-0x00007FF8D63C0000-memory.dmp

Filesize
64KB

Download
memory/1928-100-0x00007FF8D40E0000-0x00007FF8D40F0000-memory.dmp

Filesize
64KB

Download
memory/1928-101-0x00007FF8D40E0000-0x00007FF8D40F0000-memory.dmp

Filesize
64KB

Download
memory/1928-96-0x00007FF8D63B0000-0x00007FF8D63C0000-memory.dmp

Filesize
64KB

Download
memory/1928-97-0x00007FF8D63B0000-0x00007FF8D63C0000-memory.dmp

Filesize
64KB

Download
memory/1928-98-0x00007FF8D63B0000-0x00007FF8D63C0000-memory.dmp

Filesize
64KB

Download
memory/1928-99-0x00007FF8D63B0000-0x00007FF8D63C0000-memory.dmp

Filesize
64KB

Download
memory/1928-310-0x00007FF8D63B0000-0x00007FF8D63C0000-memory.dmp

Filesize
64KB

Download
memory/1928-312-0x00007FF8D63B0000-0x00007FF8D63C0000-memory.dmp

Filesize
64KB

Download
memory/1928-311-0x00007FF8D63B0000-0x00007FF8D63C0000-memory.dmp

Filesize
64KB

Download
memory/3364-88-0x00007FF8D5A00000-0x00007FF8D5A10000-memory.dmp

Filesize
64KB

Download
memory/3364-283-0x0000017D85030000-0x0000017D8549B000-memory.dmp

Filesize
4.4MB

Download
memory/3364-287-0x0000017D85030000-0x0000017D8549B000-memory.dmp

Filesize
4.4MB

Download
memory/3364-289-0x0000017D85030000-0x0000017D8549B000-memory.dmp

Filesize
4.4MB

Download
memory/3364-281-0x0000017D85030000-0x0000017D8549B000-memory.dmp

Filesize
4.4MB

Download
memory/3364-282-0x0000017D85570000-0x0000017D85572000-memory.dmp

Filesize
8KB

Download
memory/3364-95-0x0000017D85570000-0x0000017D85572000-memory.dmp

Filesize
8KB

Download
memory/3364-91-0x0000017D85030000-0x0000017D8549B000-memory.dmp

Filesize
4.4MB

Download
memory/3364-314-0x0000017D85030000-0x0000017D8549B000-memory.dmp

Filesize
4.4MB

Download
memory/3364-316-0x0000017D85030000-0x0000017D8549B000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads