8bc8a71745b194ecca332454132e91c48433b990f3c4770fd1ddc17be3427541

Analysis

max time kernel
148s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2024, 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8bc8a71745b194ecca332454132e91c48433b990f3c4770fd1ddc17be3427541.exe
Size

84KB
MD5

5291f39da088b1ac535b2cf5b5973658
SHA1

a92ac5efff6172eb2f9cb6cc4bcae05cd65e47bc
SHA256

8bc8a71745b194ecca332454132e91c48433b990f3c4770fd1ddc17be3427541
SHA512

aa2e961ae6fc4af3aaec2f56eb27bb0c1aa8896d09fb4962107bffddf9788469aefc43332cd7d902b4d661cd4c567c12ff9d437d58b8080af72791005b069265
SSDEEP

1536:1clIGFNMi+hJUneHoGTvvv4V9hqdhbtgS:+RMi+fUnCTvvv4V9hEhbCS

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	8bc8a71745b194ecca332454132e91c48433b990f3c4770fd1ddc17be3427541.exe

Executes dropped EXE 4 IoCs

pid	Process
2436	lsass.exe
5068	lsass.exe
1960	lsass.exe
3832	lsass.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4500-2-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4500-13-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4500-12-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4500-39-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/5068-54-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4500-57-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/5068-88-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audio Driver = "C:\\Users\\Admin\\AppData\\Roaming\\system\\lsass.exe"	reg.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4464 set thread context of 4500	4464	8bc8a71745b194ecca332454132e91c48433b990f3c4770fd1ddc17be3427541.exe	89
PID 2436 set thread context of 5068	2436	lsass.exe	100
PID 2436 set thread context of 1960	2436	lsass.exe	101
PID 1960 set thread context of 3832	1960	lsass.exe	102

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8bc8a71745b194ecca332454132e91c48433b990f3c4770fd1ddc17be3427541.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8bc8a71745b194ecca332454132e91c48433b990f3c4770fd1ddc17be3427541.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe
Token: SeDebugPrivilege	5068	lsass.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4464	8bc8a71745b194ecca332454132e91c48433b990f3c4770fd1ddc17be3427541.exe
4500	8bc8a71745b194ecca332454132e91c48433b990f3c4770fd1ddc17be3427541.exe
2436	lsass.exe
5068	lsass.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 4500	4464	8bc8a71745b194ecca332454132e91c48433b990f3c4770fd1ddc17be3427541.exe	89
PID 4464 wrote to memory of 4500	4464	8bc8a71745b194ecca332454132e91c48433b990f3c4770fd1ddc17be3427541.exe	89
PID 4464 wrote to memory of 4500	4464	8bc8a71745b194ecca332454132e91c48433b990f3c4770fd1ddc17be3427541.exe	89
PID 4464 wrote to memory of 4500	4464	8bc8a71745b194ecca332454132e91c48433b990f3c4770fd1ddc17be3427541.exe	89
PID 4464 wrote to memory of 4500	4464	8bc8a71745b194ecca332454132e91c48433b990f3c4770fd1ddc17be3427541.exe	89
PID 4464 wrote to memory of 4500	4464	8bc8a71745b194ecca332454132e91c48433b990f3c4770fd1ddc17be3427541.exe	89
PID 4464 wrote to memory of 4500	4464	8bc8a71745b194ecca332454132e91c48433b990f3c4770fd1ddc17be3427541.exe	89
PID 4464 wrote to memory of 4500	4464	8bc8a71745b194ecca332454132e91c48433b990f3c4770fd1ddc17be3427541.exe	89
PID 4500 wrote to memory of 2960	4500	8bc8a71745b194ecca332454132e91c48433b990f3c4770fd1ddc17be3427541.exe	90
PID 4500 wrote to memory of 2960	4500	8bc8a71745b194ecca332454132e91c48433b990f3c4770fd1ddc17be3427541.exe	90
PID 4500 wrote to memory of 2960	4500	8bc8a71745b194ecca332454132e91c48433b990f3c4770fd1ddc17be3427541.exe	90
PID 2960 wrote to memory of 672	2960	cmd.exe	93
PID 2960 wrote to memory of 672	2960	cmd.exe	93
PID 2960 wrote to memory of 672	2960	cmd.exe	93
PID 4500 wrote to memory of 2436	4500	8bc8a71745b194ecca332454132e91c48433b990f3c4770fd1ddc17be3427541.exe	94
PID 4500 wrote to memory of 2436	4500	8bc8a71745b194ecca332454132e91c48433b990f3c4770fd1ddc17be3427541.exe	94
PID 4500 wrote to memory of 2436	4500	8bc8a71745b194ecca332454132e91c48433b990f3c4770fd1ddc17be3427541.exe	94
PID 2436 wrote to memory of 5068	2436	lsass.exe	100
PID 2436 wrote to memory of 5068	2436	lsass.exe	100
PID 2436 wrote to memory of 5068	2436	lsass.exe	100
PID 2436 wrote to memory of 5068	2436	lsass.exe	100
PID 2436 wrote to memory of 5068	2436	lsass.exe	100
PID 2436 wrote to memory of 5068	2436	lsass.exe	100
PID 2436 wrote to memory of 5068	2436	lsass.exe	100
PID 2436 wrote to memory of 5068	2436	lsass.exe	100
PID 2436 wrote to memory of 1960	2436	lsass.exe	101
PID 2436 wrote to memory of 1960	2436	lsass.exe	101
PID 2436 wrote to memory of 1960	2436	lsass.exe	101
PID 2436 wrote to memory of 1960	2436	lsass.exe	101
PID 2436 wrote to memory of 1960	2436	lsass.exe	101
PID 2436 wrote to memory of 1960	2436	lsass.exe	101
PID 2436 wrote to memory of 1960	2436	lsass.exe	101
PID 1960 wrote to memory of 3832	1960	lsass.exe	102
PID 1960 wrote to memory of 3832	1960	lsass.exe	102
PID 1960 wrote to memory of 3832	1960	lsass.exe	102
PID 1960 wrote to memory of 3832	1960	lsass.exe	102
PID 1960 wrote to memory of 3832	1960	lsass.exe	102
PID 1960 wrote to memory of 3832	1960	lsass.exe	102
PID 1960 wrote to memory of 3832	1960	lsass.exe	102

C:\Users\Admin\AppData\Local\Temp\8bc8a71745b194ecca332454132e91c48433b990f3c4770fd1ddc17be3427541.exe
"C:\Users\Admin\AppData\Local\Temp\8bc8a71745b194ecca332454132e91c48433b990f3c4770fd1ddc17be3427541.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Users\Admin\AppData\Local\Temp\8bc8a71745b194ecca332454132e91c48433b990f3c4770fd1ddc17be3427541.exe
  "C:\Users\Admin\AppData\Local\Temp\8bc8a71745b194ecca332454132e91c48433b990f3c4770fd1ddc17be3427541.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VASWS.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Audio Driver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\lsass.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:672
- - C:\Users\Admin\AppData\Roaming\system\lsass.exe
    "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Users\Admin\AppData\Roaming\system\lsass.exe
      "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:5068
  - - C:\Users\Admin\AppData\Roaming\system\lsass.exe
      "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1960
    - - C:\Users\Admin\AppData\Roaming\system\lsass.exe
        
        "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cxz.exe

Filesize
294B

MD5
42e30e9c39cbd93f3d5b7eafd0d014c6

SHA1
544c795f0a6d2c4a39cd783485ed21f25e1bbd85

SHA256
42120f1d3333fad2e6bf9a846aa610898d7a370c8e0593996c409b1a3f0240b8

SHA512
e4e168d26e08886a806c98632b0d3ece4392d3467aa00594fc4ca1d6effccebabd0e247d739fddbbea190a87798dd6d841073c953880d86c0bc39e5917570472

Download Submit
C:\Users\Admin\AppData\Local\Temp\VASWS.txt

Filesize
146B

MD5
c8cba0a9d4d5600b5f53c4c0681d1115

SHA1
0e5348e210ca70b2b0ffdc3ff7e6f611716df80c

SHA256
ca2b63f6d7bf17480415ae93e115bf9f9699335e84e62719eefdbcc5a78bd2e1

SHA512
a2ad6eb5ae2f6d57ca15363ac2f0c57ca3580474e94b9c010750948814cf4d5ffa0c3e7ef44634a3593da23f56011703ff220a3d7780f6f01785bf3b6676ced0

Download Submit
C:\Users\Admin\AppData\Roaming\system\lsass.exe

Filesize
84KB

MD5
cf7eb31129fae2561af6620fcbcdf361

SHA1
4706d29ebf71e08f4935289ad177b8c3b42f5712

SHA256
7aeb4877a5e291a7afa723e8c23fe5bbb17cbb9628095f1c8ff83208edd13e1c

SHA512
2a6caa78c8f4a8d278cf9de196b3e55aea8e948df2391076869b5045afddb2a2da9b6e2b2529d75bf15a23727fe25cb4acbf245a4f69a9f6637ca56885bdfb92

Download Submit
memory/1960-56-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1960-55-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1960-60-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1960-43-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1960-48-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2436-53-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2436-52-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3832-59-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/3832-64-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/3832-86-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/4464-9-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/4464-10-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

Filesize
4KB

Download
memory/4464-5-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/4464-6-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/4464-7-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/4464-8-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/4464-11-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

Filesize
4KB

Download
memory/4500-57-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4500-39-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4500-2-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4500-12-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4500-13-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5068-54-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5068-88-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads