bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe
Size

1.1MB
MD5

829d20fa19b38f9aa8b6bc04ab13bf1d
SHA1

e15c1288661dc8d75dd978f283010e7190962619
SHA256

bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374
SHA512

7439af6225cb088ba16fc59ca4532d76ac64b7009176f94950bd339ce5353dcb9eac045f65e8812be9b1bb390a736a0ef44e5a7cd8ad5012bf713b912e00ee50
SSDEEP

12288:GGzQYR4IeaAVB6ETW82Ku8UKfdndrboYj+/lhRkZxBI+wY:G8lgaAVB6evW8UKlndr6/zRkVI+3

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2476	oduswva.exe

Loads dropped DLL 2 IoCs

pid	Process
2224	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe
2224	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2224-0-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/files/0x000500000001a494-13.dat	upx
behavioral1/memory/2476-44-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/files/0x000100000000002a-49.dat	upx
behavioral1/memory/2476-65-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/2224-66-0x0000000000400000-0x000000000046F000-memory.dmp	upx

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Help\1.pdtdxds	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe
File created	C:\Windows\SysWOW64\Help\2.pdtdxds	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe
File created	C:\Windows\SysWOW64\pdtdxds\pdtdxds\jtstqae\m.ini	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe
File created	C:\Windows\SysWOW64\pdtdxds\pdtdxds\jtstqae\oduswva.exe	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe
File opened for modification	C:\Windows\SysWOW64\pdtdxds\pdtdxds\jtstqae\oduswva.exe	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe
File created	C:\Windows\system32\spool\DRIVERS\W32X86\3\dtdxdsp\dtdxdsp.exe	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe
File created	C:\Windows\SysWOW64\Help\upbiran.ini	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2476 set thread context of 2656	2476	oduswva.exe	31

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Help\pdtdxds.hlp	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe
File created	C:\Windows\2.ini	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe
File opened for modification	C:\Windows\	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oduswva.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2224	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe
2224	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe
2224	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe
2224	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2224	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2476	2224	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe	30
PID 2224 wrote to memory of 2476	2224	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe	30
PID 2224 wrote to memory of 2476	2224	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe	30
PID 2224 wrote to memory of 2476	2224	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe	30
PID 2476 wrote to memory of 2656	2476	oduswva.exe	31
PID 2476 wrote to memory of 2656	2476	oduswva.exe	31
PID 2476 wrote to memory of 2656	2476	oduswva.exe	31
PID 2476 wrote to memory of 2656	2476	oduswva.exe	31
PID 2476 wrote to memory of 2656	2476	oduswva.exe	31
PID 2476 wrote to memory of 2656	2476	oduswva.exe	31

C:\Users\Admin\AppData\Local\Temp\bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe
"C:\Users\Admin\AppData\Local\Temp\bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\SysWOW64\pdtdxds\pdtdxds\jtstqae\oduswva.exe
  C:\Windows\system32\pdtdxds\pdtdxds\jtstqae\oduswva.exe -close
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe -NetworkService
    3⤵
    PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Help\1.pdtdxds

Filesize
26B

MD5
4ddebbbe09b30d6e00bbdacbf2ad5be3

SHA1
0fdb8227f9bb46ad8f9c27e1f8d22cb36bd2ef0b

SHA256
7f5e1b1b065b80a23c888cf9419df5d319059ba215df7a016ae9ad544300f1ff

SHA512
e571a415ede54abd22695db6e1c8dd85d3ea7ad0b725d96193e36138f29c9c30ad31cd5e6f2ace59903960d740728fbeffc6d991ce0699b697bd53035249a33a

Download Submit
C:\Windows\SysWOW64\Help\2.pdtdxds

Filesize
18B

MD5
dd07b409b0540454f6357c3e0f7480be

SHA1
107a6e2af19dd99ea68a80d5c94b1a453ad674c9

SHA256
ae19e9bdcb6183f5499c70e262c29d27d4d3c18764cb4a555668c4f55aabdabf

SHA512
7c93c3baa301318920113fa08807a00478d14a631c1be39ff266c64b1a9d6a9b1e5a4b8f1a6a8803bdf9e61c11ab48e0f46d3f13f784a030145597f855857d70

Download Submit
C:\Windows\SysWOW64\Help\upbiran.ini

Filesize
18B

MD5
cc56ef22cac8dd5b46dc6e31b14bc198

SHA1
278ce20ff9ea4a6a4292a76caa72fe66cd024b56

SHA256
915dc7043d9c5c25f63d429cc6530758e5363fecbcf3bcff37282a4386e3bcd9

SHA512
f85f4b7550af97dcbd4ae7f929724ac8e3886d25a99b37d401dc83230a0b0391118f732a57e558ae85c4e2b03adda623ff00379159a1571c145736577576f49a

Download Submit
C:\Windows\SysWOW64\pdtdxds\pdtdxds\jtstqae\m.ini

Filesize
128B

MD5
1f23ac3f347bf4835b2d431b581acf30

SHA1
05ac6b50f2fe4ffd18736bb44c499c851dc352ad

SHA256
b60314e3d74bbadcfacc1eb8e57dcbb271e5ab3e3e75aeaa99b593ceafa9ea71

SHA512
d86e13f08ae616571a43cebd3790cf412d4a33234941806a325797abb5dda963bc65390156ab966a9183b145e632beb34799a7548375c0acb0c741c774cd1013

Download Submit
C:\Windows\SysWOW64\pdtdxds\pdtdxds\jtstqae\oduswva.exe

Filesize
6.4MB

MD5
6b6e3c5591eeb9d0d0981026f8b2d737

SHA1
8d56aae6e65f42620c925c644e4fd5cd1745f24d

SHA256
a03739833004ef512d408407118ebb5fced303a9f8115bfacc1ed4c017dec392

SHA512
f5fa40c536fbb6cdf98f54a2296291da43ba56b764682ce65a32c3eea00061dd4d0608f6dfcdde95a88f1ac9e4804c76f1d394f32aa12b446370017a0b60e87a

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\dtdxdsp\dtdxdsp000.IMD

Filesize
112KB

MD5
d1f3fd64451c7f1547ab217bccdf4efb

SHA1
1c84e5e4b986f2c3e073bd634ab116c466150e3a

SHA256
dfd4ddf2620e32250d308193da29543aa0a328ef598cad4e2bfb7e141d099a02

SHA512
fd02cae93f3286cd7f33969a8db93ff00613a28c433f843f912a540ca6a7992fcaf8c2e2cdce76f0b1170a8d4bd7f7ea58b832992e8b2f5992f3ad8900e33d6a

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\dtdxdsp\dtdxdsp001.IMD

Filesize
112KB

MD5
c7697f8bed20beb9f36ce656d06e33ed

SHA1
39a70193549c2eff56a156f6865a800458358cd8

SHA256
dada6a560ccb42d109627262776aa72f8d30657530d8182b177d3aeccd5b1095

SHA512
ee1a8a97903d820887f0080dd99042e28d66b25294e41306116c914619d10ac0a1bdf42f02b695e3186aa5c72322153f0d55b1de32a961cfc4cabdee0f08fab3

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\dtdxdsp\dtdxdsp002.IMD

Filesize
112KB

MD5
cc2a32ee2cf17624f78c5003e4c5dfb4

SHA1
b273287977f5d8f9ee921eedbfa2d74955060ec8

SHA256
1fbb36e87b0922023a3aa6fc7f44eeb9a17a934385c02dde42b47f9f5330b482

SHA512
5f8ccb5a880c6b80ca83d6b9757e96735d743ffb78a7f5dfce5948e7f272816c59d75daf0c8cae7b2d69d0067ca6e8a4a0008eb355e8adf02016d80d2c805fda

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\dtdxdsp\dtdxdsp003.IMD

Filesize
112KB

MD5
901b863fbeae24bb646fdb1e6b13188d

SHA1
e2398e173a6d50935b8b84c31f33b541572d5add

SHA256
8e78dd9e10d1c56354a090b5ec140a77d54bdcb1ea55b00f74830863378f7566

SHA512
1c74dff0af7c6b168f767d86798152875be2e1ceb6e1080b5e126cb95593bb3e87e097ea561535855b846f35b95a09ad9ab2833957ea117dfcf23c745726a46c

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\dtdxdsp\dtdxdsp004.IMD

Filesize
112KB

MD5
f1499e3f03a4b4a98686c0e43c5e79fb

SHA1
28003a1b01ffc2501ad5d45ecbac742778435412

SHA256
ce07dc23f76d499f95000a23f39b2a8093d292c5c38b66545445b99cc945f6b3

SHA512
3e964c6492bc0b0527f9b9dd1668a9d79f3eff9ee7460c6e1d72d8310eb3f79e88e6529d8295485b2b865e2bbe4b5defcdd6e7a93bae7414bfe5e7f080d83ca2

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\dtdxdsp\dtdxdsp005.IMD

Filesize
112KB

MD5
25753489da4c26288c05c246d93aa907

SHA1
6460c70c0fa74b7cc2b0108853171f9feac2b6bc

SHA256
f9e53741b6c17ec9ff37449aa2e166c194329b5b46c79cea512581c68b90ab22

SHA512
fe131a686318b1ffbb6567b182e53aaa52d6dc84eafd42b29204f3397352afca3433d89c60697809c75e550acfc1ef6a3ad0292868f5270f13be17d952d56a90

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\dtdxdsp\dtdxdsp006.IMD

Filesize
112KB

MD5
94d6a5e3ed266479e7f73c879420949e

SHA1
2c7e3b68d7e80e1d98886b07dd01136140c4fcd2

SHA256
65acbf3e49ae7647ed654b83dac4e986e3aaa4f441da4044b32d80304b260772

SHA512
41f781cfd9229d41bb5626c7eac4282cf3c0aa8e1e059a2464ddf74f343a1572392f33129962f3c1b96733c3cb9881c4d8f6c26c8da27af20399453997ecfef3

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\dtdxdsp\dtdxdsp007.IMD

Filesize
112KB

MD5
d94b58147fe7430d607196d718dd8731

SHA1
71d0827973b5f7daa0bd90a965d2774eccfd701c

SHA256
a604e0d6094c7cdb74d8c7494532c465ef167701a4d932e12100303af4660b6e

SHA512
94b2b7a738bbad40946baf9c24185ac887625000ae5be271e966dc1dea31c5020fd79c3a35e43cb5f3a8ecc35ede5f920b6f02d079cffc22fcc2bf4b0aa4bb38

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\dtdxdsp\dtdxdsp008.IMD

Filesize
112KB

MD5
3bfd7144c6c393e987f3a481a46ab484

SHA1
cfca3c3c4dbb244964041ef810bd26e3acd88a41

SHA256
af2ff68c03c8c8305c13f64117e3410ae415dd23a429045bcb0d1f922d1ab16b

SHA512
bb58071c10480323b16482b6422c34158aa9018458e9bac37ac62afa6d9fc151ffcf4439a7fc4649cdb52097b3eb4df7af1f4012061bfb71af64a1a322b48053

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\dtdxdsp\dtdxdsp009.IMD

Filesize
112KB

MD5
28c44d1ee9e84359c97ba2a410c51026

SHA1
c2ddebe007ecb856f7102191360bfc222f7e991c

SHA256
0c6f4023362db58ffdcb8e131843bec9a6526f26e8336409dcc7090b39445c6b

SHA512
fe1079071ecad961aca0d1105b951a669ccf8d53212b68a0f5809a9814265fdfeac125f7e0331c6d3b2c673609ea44bd54d467b172bd1de8e9df1eac5746f9d9

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\dtdxdsp\dtdxdsp010.IMD

Filesize
1B

MD5
6f8f57715090da2632453988d9a1501b

SHA1
6b0d31c0d563223024da45691584643ac78c96e8

SHA256
62c66a7a5dd70c3146618063c344e531e6d4b59e379808443ce962b3abd63c5a

SHA512
f14aae6a0e050b74e4b7b9a5b2ef1a60ceccbbca39b132ae3e8bf88d3a946c6d8687f3266fd2b626419d8b67dcf1d8d7c0fe72d4919d9bd05efbd37070cfb41a

Download Submit
memory/2224-42-0x0000000001CA0000-0x0000000001D0F000-memory.dmp

Filesize
444KB

Download
memory/2224-41-0x0000000001CA0000-0x0000000001D0F000-memory.dmp

Filesize
444KB

Download
memory/2224-0-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2224-66-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2224-67-0x0000000001CA0000-0x0000000001D0F000-memory.dmp

Filesize
444KB

Download
memory/2224-68-0x0000000001CA0000-0x0000000001D0F000-memory.dmp

Filesize
444KB

Download
memory/2476-44-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2476-65-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2656-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2656-62-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download