0bb06663236c1266071b5c95bd75e2bc3aff88694049bfabb4f05322ff106f32

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 03:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

tf2.exe
Size

278KB
MD5

5fb9b39cdc37129e031fae6e6c281eb2
SHA1

4bbf881f8e1f5fd24f64e87afa3989188d9e8e84
SHA256

73e565150ce7ae12b6d7bd4fa6146c1feafac6f0e4c8c025e00db984537c4bc8
SHA512

5f156ba868a41840f7183d069d05b41914930ad5de3a6bdb6657539935e04525b00345af69b426f4bb2e8ea9f0cefacd5477a94be5acb6fa59d3ea061c46bbb3
SSDEEP

3072:P7cWbQout+8rei+T87ZiLIh7yRO9LyOGOecs8WYRbSgF3L97S:PFsoS+8S+i27yRW0WtxR

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Control Panel\International\Geo\Nation	tf2.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral20/memory/736-0-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral20/memory/736-10-0x0000000000400000-0x0000000000490000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Patch_engine.dll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Patch_client.dll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tf2.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 3492	736	tf2.exe	86
PID 736 wrote to memory of 3492	736	tf2.exe	86
PID 736 wrote to memory of 3492	736	tf2.exe	86
PID 3492 wrote to memory of 1524	3492	cmd.exe	89
PID 3492 wrote to memory of 1524	3492	cmd.exe	89
PID 3492 wrote to memory of 1524	3492	cmd.exe	89
PID 3492 wrote to memory of 3348	3492	cmd.exe	90
PID 3492 wrote to memory of 3348	3492	cmd.exe	90
PID 3492 wrote to memory of 3348	3492	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\tf2.exe
"C:\Users\Admin\AppData\Local\Temp\tf2.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C880.tmp\tf2.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3492
- - C:\Users\Admin\AppData\Local\Temp\bin\Patch_engine.dll.exe
    bin\Patch_engine.dll.exe /silent /overwrite
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1524
- - C:\Users\Admin\AppData\Local\Temp\tf\bin\Patch_client.dll.exe
    tf\bin\Patch_client.dll.exe /silent /overwrite
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C880.tmp\tf2.bat

Filesize
284B

MD5
495922f25f5224784ef2da216ab12fb1

SHA1
e95f32de7ca85368800f0839dae90b4625ca9488

SHA256
bf5349dd4e20d8de29bfb30e461d18f51218232bd11a3b0674323d95d2c16e0e

SHA512
62a8c2319bb345e8a056a6ae266235d17a51242e72740e420ee7e24f173d7d8fd3781b7bc5922b2f3a6bf5a8df25d21665506ea0a11d618e71d2d6b7ad092cd3

Download Submit
memory/736-0-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/736-10-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1524-5-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1524-8-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3348-6-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3348-7-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download