5b6b5211a736b31ef8029f7c45d08f3c552a9a12fd58c8765f5663402b669d70

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

552d092a0c8560e3359cd08e98b6f830N.exe
Size

88KB
MD5

552d092a0c8560e3359cd08e98b6f830
SHA1

65d841b92ace7e278b5287b33210988010eb2185
SHA256

5b6b5211a736b31ef8029f7c45d08f3c552a9a12fd58c8765f5663402b669d70
SHA512

dcaeaf9d1ea95ee0949d5c24da3a4204cd6d8328a44adb99640e2a9b79164e8e68a2b127b174bba18694d3ff642c226d89ac19aaba6581f149ebc687329ced9d
SSDEEP

1536:ahUDofByDJWbMGcEFLPEPKOJUsy1+VMA:aIofBHbKMP0PvMA

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	552d092a0c8560e3359cd08e98b6f830N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
2412	explorer.exe
372	explorer.exe
4392	explorer.exe
4476	explorer.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2584-2-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2584-20-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2584-19-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2584-61-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/372-91-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Video Driver = "C:\\Users\\Admin\\AppData\\Roaming\\config\\explorer.exe"	reg.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3932 set thread context of 2584	3932	552d092a0c8560e3359cd08e98b6f830N.exe	86
PID 2412 set thread context of 372	2412	explorer.exe	92
PID 2412 set thread context of 4392	2412	explorer.exe	93
PID 4392 set thread context of 4476	4392	explorer.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	552d092a0c8560e3359cd08e98b6f830N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	552d092a0c8560e3359cd08e98b6f830N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe
Token: SeDebugPrivilege	372	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3932	552d092a0c8560e3359cd08e98b6f830N.exe
2584	552d092a0c8560e3359cd08e98b6f830N.exe
2412	explorer.exe
372	explorer.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 2584	3932	552d092a0c8560e3359cd08e98b6f830N.exe	86
PID 3932 wrote to memory of 2584	3932	552d092a0c8560e3359cd08e98b6f830N.exe	86
PID 3932 wrote to memory of 2584	3932	552d092a0c8560e3359cd08e98b6f830N.exe	86
PID 3932 wrote to memory of 2584	3932	552d092a0c8560e3359cd08e98b6f830N.exe	86
PID 3932 wrote to memory of 2584	3932	552d092a0c8560e3359cd08e98b6f830N.exe	86
PID 3932 wrote to memory of 2584	3932	552d092a0c8560e3359cd08e98b6f830N.exe	86
PID 3932 wrote to memory of 2584	3932	552d092a0c8560e3359cd08e98b6f830N.exe	86
PID 3932 wrote to memory of 2584	3932	552d092a0c8560e3359cd08e98b6f830N.exe	86
PID 2584 wrote to memory of 1472	2584	552d092a0c8560e3359cd08e98b6f830N.exe	87
PID 2584 wrote to memory of 1472	2584	552d092a0c8560e3359cd08e98b6f830N.exe	87
PID 2584 wrote to memory of 1472	2584	552d092a0c8560e3359cd08e98b6f830N.exe	87
PID 1472 wrote to memory of 3116	1472	cmd.exe	90
PID 1472 wrote to memory of 3116	1472	cmd.exe	90
PID 1472 wrote to memory of 3116	1472	cmd.exe	90
PID 2584 wrote to memory of 2412	2584	552d092a0c8560e3359cd08e98b6f830N.exe	91
PID 2584 wrote to memory of 2412	2584	552d092a0c8560e3359cd08e98b6f830N.exe	91
PID 2584 wrote to memory of 2412	2584	552d092a0c8560e3359cd08e98b6f830N.exe	91
PID 2412 wrote to memory of 372	2412	explorer.exe	92
PID 2412 wrote to memory of 372	2412	explorer.exe	92
PID 2412 wrote to memory of 372	2412	explorer.exe	92
PID 2412 wrote to memory of 372	2412	explorer.exe	92
PID 2412 wrote to memory of 372	2412	explorer.exe	92
PID 2412 wrote to memory of 372	2412	explorer.exe	92
PID 2412 wrote to memory of 372	2412	explorer.exe	92
PID 2412 wrote to memory of 372	2412	explorer.exe	92
PID 2412 wrote to memory of 4392	2412	explorer.exe	93
PID 2412 wrote to memory of 4392	2412	explorer.exe	93
PID 2412 wrote to memory of 4392	2412	explorer.exe	93
PID 2412 wrote to memory of 4392	2412	explorer.exe	93
PID 2412 wrote to memory of 4392	2412	explorer.exe	93
PID 2412 wrote to memory of 4392	2412	explorer.exe	93
PID 2412 wrote to memory of 4392	2412	explorer.exe	93
PID 4392 wrote to memory of 4476	4392	explorer.exe	94
PID 4392 wrote to memory of 4476	4392	explorer.exe	94
PID 4392 wrote to memory of 4476	4392	explorer.exe	94
PID 4392 wrote to memory of 4476	4392	explorer.exe	94
PID 4392 wrote to memory of 4476	4392	explorer.exe	94
PID 4392 wrote to memory of 4476	4392	explorer.exe	94
PID 4392 wrote to memory of 4476	4392	explorer.exe	94

C:\Users\Admin\AppData\Local\Temp\552d092a0c8560e3359cd08e98b6f830N.exe
"C:\Users\Admin\AppData\Local\Temp\552d092a0c8560e3359cd08e98b6f830N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Users\Admin\AppData\Local\Temp\552d092a0c8560e3359cd08e98b6f830N.exe
  "C:\Users\Admin\AppData\Local\Temp\552d092a0c8560e3359cd08e98b6f830N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GUUIJ.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1472
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Video Driver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\config\explorer.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:3116
- - C:\Users\Admin\AppData\Roaming\config\explorer.exe
    "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Users\Admin\AppData\Roaming\config\explorer.exe
      "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:372
  - - C:\Users\Admin\AppData\Roaming\config\explorer.exe
      "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4392
    - - C:\Users\Admin\AppData\Roaming\config\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cxz.exe

Filesize
314B

MD5
b16aace9de5a5ca6bf1157f159032588

SHA1
a7e4c7a1a904eb82a498ecfaa1565127fa080891

SHA256
197dc8e594bdad5f6482bc6c5a4cbada54360248c35773c3af3ff84a7fde4bb0

SHA512
10336e7793ae87e9b5b6e77c599980b0eb85ba4ed4334653cda6f74db167b4619997a368f7339108d6212b4caa80af7af7d75c1cc9be914ff5af81f198b1f00d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUUIJ.txt

Filesize
149B

MD5
fc1798b7c7938454220fda837a76f354

SHA1
b232912930b2bc24ff18bf7ecd58f872bbe01ea0

SHA256
7f0a5917b5aca9c5beb153aad0ef95bf0aeafb83768da5b086c3f029ba42d7c8

SHA512
d1abdd45a8e5d33893b9d19424174a07feed145d2e6b4be318ab5fde503f850579a4a101a010f30e16ecde2c7123f45357a8341214655321ee0f0097ca911331

Download Submit
C:\Users\Admin\AppData\Roaming\config\explorer.exe

Filesize
88KB

MD5
9a891571993447486a8c1a39c085c897

SHA1
bed993c26faf3597d8eb84a4df7d9630c22051fa

SHA256
9c7c5b8fa7b07d4a3cd462457272f1c902532e669258ab2efa984f1eefd8c312

SHA512
88ef3c16591e6029400aaa7bc2bdaf5eab25451677e4b94c7e240b351bae9dab098bc2734243203435551d41f4526624dc788021abba9167d47ef241ab945012

Download Submit
memory/372-91-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2412-52-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2584-20-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2584-61-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2584-2-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2584-19-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3932-7-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/3932-15-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

Filesize
4KB

Download
memory/3932-8-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/3932-10-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/3932-11-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/3932-12-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/3932-6-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/3932-5-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/3932-4-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/3932-13-0x0000000002BC0000-0x0000000002BC1000-memory.dmp

Filesize
4KB

Download
memory/3932-14-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/3932-9-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/3932-3-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/3932-17-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/3932-16-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/4392-58-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4392-63-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4392-57-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4392-49-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4476-62-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/4476-67-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/4476-89-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads