3f0d1a3f474f03f5334e1800b308830eaa302b37d08fd5390176204f49ceae93

Analysis

max time kernel
133s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2024, 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

F1E546FE9D51DC96EB766EC61269EDFB.exe
Size

572KB
MD5

f1e546fe9d51dc96eb766ec61269edfb
SHA1

4edea5d41c6c5888f95f77a048982eae57612818
SHA256

a474534bf4185fc604b66396b69fb3a032c9f47b38bcf5ab4e9104d25cfe1054
SHA512

e9a9fbd99ef9f8463c4c3da914c0b77f5112ad0b97d51862a29cfb65848e7fd3e21f48603fe41c31e3a28bde013c4263244a3363806ead86b9b8931038825555
SSDEEP

12288:X81Ed0hYcVhrGFTlZaVXVYr92FFilE5AUJHPx6hhsH4u0Q7w:X81EdVcVhGNDyYr9Wi4NJccHM

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	F1E546FE9D51DC96EB766EC61269EDFB.exe

Executes dropped EXE 1 IoCs

pid	Process
5116	nvdasd.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral18/files/0x000b000000023470-38.dat	upx
behavioral18/memory/5116-45-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral18/memory/5116-56-0x0000000000400000-0x00000000004BE000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral18/memory/5116-56-0x0000000000400000-0x00000000004BE000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F1E546FE9D51DC96EB766EC61269EDFB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvdasd.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 5116	3484	F1E546FE9D51DC96EB766EC61269EDFB.exe	92
PID 3484 wrote to memory of 5116	3484	F1E546FE9D51DC96EB766EC61269EDFB.exe	92
PID 3484 wrote to memory of 5116	3484	F1E546FE9D51DC96EB766EC61269EDFB.exe	92

C:\Users\Admin\AppData\Local\Temp\F1E546FE9D51DC96EB766EC61269EDFB.exe
"C:\Users\Admin\AppData\Local\Temp\F1E546FE9D51DC96EB766EC61269EDFB.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\nvdasd.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\nvdasd.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\lang\portuguese.lng

Filesize
789B

MD5
3360897e67021409d9af186afd87402a

SHA1
12fc885e66ee0f979040453aec6969e234a45c30

SHA256
f739684c15081572f25f66afc44be80696e1072f60a0fc5a03650d407d039f38

SHA512
edf98d5ab94d67b22f65ea789f2e92c863bbd701f43ec0f6ce8eac7550dfa479f87b96da268f5d8f29f1848bb3beca3ec601e6e8c6beacee167ad731ef8af0df

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\nvdasd.exe

Filesize
403KB

MD5
34268d3ef6492f885dc2a3a7d4f89272

SHA1
219cfb6d8ae4ff44afb3da2beeb258bb2fc7e70f

SHA256
b77a0d1d979bac7df94edf045ebcdfc143d604675254396ac8371c24d0641300

SHA512
53c0b8d1d82bc0fdb75f124bac6f43b75a6656ccdaaf13bea690168f49ce6e2ca42ee2d822addd0175017409bf75ec338dfd30cb37a99445f31090f972c31f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\nvdasd.ini

Filesize
112B

MD5
9126ea7235e907f78e38447c1bb942e9

SHA1
9997f78d450ea240652a265890a808cc8e63e946

SHA256
3f2ddbcc7837cd0912a5a4f8eb85da5c223602f7450e46594d93cfaba05b390a

SHA512
ded28d9b913e24cba4acda44646fb2745c120ece59f4366df1c9831e284d028a020e941b173cafe4d7d6a46a8d7b576c14aabb27d5ffffe4b5c4a1e506628e5c

Download Submit
memory/5116-45-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/5116-56-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download