9d096a6963565a9af0e16fa70602962e0edb4147965aa3467f82aa0b8bd65ae6

Analysis

max time kernel
142s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-08-2024 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MemClean.exe
Size

391KB
MD5

2f5ec4986f4c447e26275b732351d485
SHA1

bce4bdd6d376dde4d61b1aa1550ebd7cfcf499c1
SHA256

6475a455b9598df16a1f2b284fb2fc346d52dcb2ee871be14d260d40a3edb278
SHA512

764c21b0a9c18df1d604a449ebd21fd1a3e726d064f272faa6a865866c113382483520a03b106ab8aaeb9590a0b05419337f9d42a2b232b41850098185caf662
SSDEEP

12288:M9BvctM85t35JPNJj2WzoRLQYRYzmYhwxg:MD0tM85tbNJjldeYiYig

Score

7^/10

discovery upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/624-0-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/624-25-0x0000000000400000-0x00000000004C5000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/624-25-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MemClean.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
624	MemClean.exe

C:\Users\Admin\AppData\Local\Temp\MemClean.exe
"C:\Users\Admin\AppData\Local\Temp\MemClean.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\autBF77.tmp

Filesize
11KB

MD5
9b4896ced754aef1a41953b72ab3859a

SHA1
c70ab65b39b43f3bd782b6558a4f269db432d8d9

SHA256
fb7ea2531f60e8ef627c46f73cecdf3e9e43c77f55ffef8855e14133693023a8

SHA512
d7a43ecec1511b3c0a57639b4a5e0296bff80f5054306a74f1f8d1f80f43ffe8f4e3d0d9384fe3ae4ccecc3e229ac099d02952cf8f2d693faa51d4b0f98e5ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkj224\binstall

Filesize
7KB

MD5
6ffda145ca18317be7abd87d305ed33d

SHA1
e04a7dcd6d5fdfbc1f081dc4a7a4f6d5437e0b6a

SHA256
e6ad7fdb829874218cc0785d2cd6e8ae50e2e9021e15fa39c3827515955cece3

SHA512
11281ef03fd957bb925ed91d73d1eb47fc7fffc49e32626cd7a2baeb6b7c5b7ef1898fb6e8d539c059b920ee9cdc4088d234b765c23970353e99acdce842300c

Download Submit
memory/624-0-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/624-25-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download