58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd.exe
Size

246KB
MD5

d7a82d875706d57720b3a35ea797290d
SHA1

9dbc048de8ea29ab951b08341fd141dcd317f78f
SHA256

58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd
SHA512

f8ecd8c34a84448291d99f0135811da9dedeb7aea6a25db19aa98ce6b4f9366959a57409f4549bb7d93678d6a4d35657822725227741b9e3d289b4526bfae2d8
SSDEEP

6144:FMooVQnnOBccnskYPmTpUxrr1XRA7WHxWoN+J0EafCUSYibN6WG8M:+QnO/s1mTpG5bUo4bafVibv3M

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1904-1-0x0000000000400000-0x0000000001C5B000-memory.dmp	upx
behavioral2/memory/1904-2-0x0000000000400000-0x0000000001C5B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2428	cmd.exe
5000	PING.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2720	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5000	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 2428	1904	58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd.exe	86
PID 1904 wrote to memory of 2428	1904	58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd.exe	86
PID 1904 wrote to memory of 2428	1904	58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd.exe	86
PID 2428 wrote to memory of 2720	2428	cmd.exe	88
PID 2428 wrote to memory of 2720	2428	cmd.exe	88
PID 2428 wrote to memory of 2720	2428	cmd.exe	88
PID 2428 wrote to memory of 5000	2428	cmd.exe	92
PID 2428 wrote to memory of 5000	2428	cmd.exe	92
PID 2428 wrote to memory of 5000	2428	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd.exe
"C:\Users\Admin\AppData\Local\Temp\58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c systeminfo>>C:\Windows\temp\setup_gitlog.txt&ping 8.8.8.8>>C:\Windows\temp\setup_gitlog.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\SysWOW64\systeminfo.exe
    systeminfo
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers system information
    PID:2720
- - C:\Windows\SysWOW64\PING.EXE
    ping 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\temp\setup_gitlog.txt

Filesize
33B

MD5
346bbdef8e66561ce4c33013160d7c75

SHA1
023e40d5eb04b2d7e8346ea0c9a62b05d372abec

SHA256
ce357dc9d96cbb6933f7895d5fee9052b72733c2db9fc32b1555761b1bd0c277

SHA512
f2fd0412846455ee0f47f9e88192ea4c6ee60c3118be40a44c9b626566652ed46b1c3a0708a7ec6feba7a9cafc61091a2a1c6cb864a99a081bb842625040594f

Download Submit
memory/1904-1-0x0000000000400000-0x0000000001C5B000-memory.dmp

Filesize
24.4MB

Download
memory/1904-2-0x0000000000400000-0x0000000001C5B000-memory.dmp

Filesize
24.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads