8a0ee6ee39214556c527720dd6a4a89564050ff5aa9d42e3e9db794cdc9423d7

Analysis

max time kernel
142s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/08/2024, 08:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

postal2demo.exe
Size

123.0MB
MD5

4b7d0b53f01fee9426ae6b21a001d2bc
SHA1

d7f979cfff8b8bc1004451adc867a0d5c3ed658e
SHA256

8a0ee6ee39214556c527720dd6a4a89564050ff5aa9d42e3e9db794cdc9423d7
SHA512

e7a192bdfc83e5ddcdfd0f1b72b417d6a55f5b509e82f31da0170fe25145d8a0201765b1b337848d3bb1defc150c60417b015ea35339d3753ef4c9d30bb45658
SSDEEP

3145728:0oseb/k0l3u0Wb2MZ4nQQiXGD8ZRjLk1cYZOHV5hurI1fg1d:0a/kkux2i4nQpWD8ZR3k/UHDgk1fQd

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	postal2demo.exe

Executes dropped EXE 1 IoCs

pid	Process
1584	setup.exe

Loads dropped DLL 1 IoCs

pid	Process
1584	setup.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4960-0-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/4960-325-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/4960-448-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	setup.exe
File opened (read-only)	\??\B:	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	postal2demo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 1584	4960	postal2demo.exe	86
PID 4960 wrote to memory of 1584	4960	postal2demo.exe	86
PID 4960 wrote to memory of 1584	4960	postal2demo.exe	86

C:\Users\Admin\AppData\Local\Temp\postal2demo.exe
"C:\Users\Admin\AppData\Local\Temp\postal2demo.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

Filesize
471KB

MD5
21cddf64459838a32e64eee539ad9418

SHA1
e36421af40ba42f3b30c2f3a4a6343b4c076b2a5

SHA256
15b52d39d41fa1577aeb88fd31c8826418099a610156e5acb25ebb342b496fc6

SHA512
cf745c27689f562cdb7703cc122449fe2bd415979d54a327438f15cea339d5baa5613bcdd73c2398b8c2e946b2d08d7c1a41c36bf32bfcbcfaa8f80b419b7354

Download Submit
C:\Users\Admin\AppData\Local\Temp\~vis0000\English.vlg

Filesize
13KB

MD5
707e3b6418526ed6729deb4a1307f1f2

SHA1
521a175e2e18ad316c8fbf25aa35c35dbf449668

SHA256
75081f741b450b8049d3a0106121516745bba675681fb490e78b7978238258d5

SHA512
cbf15467cbd0797a8ec781ce8fcae416c9dd30db052e32c85aa717ec955e24f5592ab937c2f8b82e7cf862c09a4a5d767808b56000bf3942da58c457a3fbcc86

Download Submit
C:\Users\Admin\AppData\Local\Temp\~vis0000\vise32ex.dll

Filesize
476KB

MD5
5b30ac533b98c9ed6cd0f999d2271c26

SHA1
3a4bec5515a17b6617b3f69d197a71e59b1bf600

SHA256
06a16e3a1093d48b06e4b6745038dd21523e144911abce1c8ff1505129d14afd

SHA512
723d3970795c40a49240ed7979a3406d6fd9345da1d0091db9b5f22cda46811297a871fb7b2f5d696ffaf56f1ea85ea1085c989dcd38d6633b519f33cc8eafa8

Download Submit
memory/4960-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4960-325-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4960-448-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads