ff90350b7d33bb47acdef762ad79668a93fb0273742f84833fc1cbd69172f2d9

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-09-2024 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae1cfa268a4cc25b6fa6ecc734aa77d0N.exe
Size

1.3MB
MD5

ae1cfa268a4cc25b6fa6ecc734aa77d0
SHA1

92d8e10bc85c09f7e614916a1424e8f63a465a54
SHA256

ff90350b7d33bb47acdef762ad79668a93fb0273742f84833fc1cbd69172f2d9
SHA512

f6f8da3b4eb39b3105e5bbc2a000b55ca267826de10cc66ab1a38a178b6b1f7c89c6246515b8291115c5dbaeaf85636d5759f2837a21a0d86d2067699bc3271d
SSDEEP

24576:xMfWxJYVOx+5UQaotIc8nqs2L90nTv3f7YBtVpbaLcS6t3tiKE+NkT5MOJe:mfWxJYVO0re/nqBITv3kvpKng3j5CMO8

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3680	GIFÂ¼ÖÆ¹¤¾ß.exe

Loads dropped DLL 9 IoCs

pid	Process
3680	GIFÂ¼ÖÆ¹¤¾ß.exe
3680	GIFÂ¼ÖÆ¹¤¾ß.exe
3680	GIFÂ¼ÖÆ¹¤¾ß.exe
3680	GIFÂ¼ÖÆ¹¤¾ß.exe
3680	GIFÂ¼ÖÆ¹¤¾ß.exe
3680	GIFÂ¼ÖÆ¹¤¾ß.exe
3680	GIFÂ¼ÖÆ¹¤¾ß.exe
3680	GIFÂ¼ÖÆ¹¤¾ß.exe
3680	GIFÂ¼ÖÆ¹¤¾ß.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3680-38-0x0000000002330000-0x000000000236D000-memory.dmp	upx
behavioral2/memory/3680-26-0x0000000002330000-0x000000000236D000-memory.dmp	upx
behavioral2/memory/3680-19-0x0000000002330000-0x000000000236D000-memory.dmp	upx
behavioral2/memory/3680-56-0x0000000002330000-0x000000000236D000-memory.dmp	upx
behavioral2/memory/3680-65-0x0000000002330000-0x000000000236D000-memory.dmp	upx
behavioral2/memory/3680-64-0x0000000002330000-0x000000000236D000-memory.dmp	upx
behavioral2/memory/3680-63-0x0000000002330000-0x000000000236D000-memory.dmp	upx
behavioral2/memory/3680-60-0x0000000002330000-0x000000000236D000-memory.dmp	upx
behavioral2/memory/3680-54-0x0000000002330000-0x000000000236D000-memory.dmp	upx
behavioral2/memory/3680-52-0x0000000002330000-0x000000000236D000-memory.dmp	upx
behavioral2/memory/3680-50-0x0000000002330000-0x000000000236D000-memory.dmp	upx
behavioral2/memory/3680-48-0x0000000002330000-0x000000000236D000-memory.dmp	upx
behavioral2/memory/3680-46-0x0000000002330000-0x000000000236D000-memory.dmp	upx
behavioral2/memory/3680-44-0x0000000002330000-0x000000000236D000-memory.dmp	upx
behavioral2/memory/3680-42-0x0000000002330000-0x000000000236D000-memory.dmp	upx
behavioral2/memory/3680-40-0x0000000002330000-0x000000000236D000-memory.dmp	upx
behavioral2/memory/3680-36-0x0000000002330000-0x000000000236D000-memory.dmp	upx
behavioral2/memory/3680-35-0x0000000002330000-0x000000000236D000-memory.dmp	upx
behavioral2/memory/3680-32-0x0000000002330000-0x000000000236D000-memory.dmp	upx
behavioral2/memory/3680-30-0x0000000002330000-0x000000000236D000-memory.dmp	upx
behavioral2/memory/3680-28-0x0000000002330000-0x000000000236D000-memory.dmp	upx
behavioral2/memory/3680-24-0x0000000002330000-0x000000000236D000-memory.dmp	upx
behavioral2/memory/3680-22-0x0000000002330000-0x000000000236D000-memory.dmp	upx
behavioral2/memory/3680-21-0x0000000002330000-0x000000000236D000-memory.dmp	upx
behavioral2/memory/3680-20-0x0000000002330000-0x000000000236D000-memory.dmp	upx
behavioral2/memory/3680-17-0x0000000002330000-0x000000000236D000-memory.dmp	upx
behavioral2/memory/3680-58-0x0000000002330000-0x000000000236D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae1cfa268a4cc25b6fa6ecc734aa77d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GIFÂ¼ÖÆ¹¤¾ß.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
3680	GIFÂ¼ÖÆ¹¤¾ß.exe
3680	GIFÂ¼ÖÆ¹¤¾ß.exe
3680	GIFÂ¼ÖÆ¹¤¾ß.exe
3680	GIFÂ¼ÖÆ¹¤¾ß.exe
3680	GIFÂ¼ÖÆ¹¤¾ß.exe
3680	GIFÂ¼ÖÆ¹¤¾ß.exe
3680	GIFÂ¼ÖÆ¹¤¾ß.exe
3680	GIFÂ¼ÖÆ¹¤¾ß.exe
3680	GIFÂ¼ÖÆ¹¤¾ß.exe
3680	GIFÂ¼ÖÆ¹¤¾ß.exe
3680	GIFÂ¼ÖÆ¹¤¾ß.exe
3680	GIFÂ¼ÖÆ¹¤¾ß.exe
3680	GIFÂ¼ÖÆ¹¤¾ß.exe
3680	GIFÂ¼ÖÆ¹¤¾ß.exe
3680	GIFÂ¼ÖÆ¹¤¾ß.exe
3680	GIFÂ¼ÖÆ¹¤¾ß.exe
3680	GIFÂ¼ÖÆ¹¤¾ß.exe
3680	GIFÂ¼ÖÆ¹¤¾ß.exe
3680	GIFÂ¼ÖÆ¹¤¾ß.exe
3680	GIFÂ¼ÖÆ¹¤¾ß.exe
3680	GIFÂ¼ÖÆ¹¤¾ß.exe
3680	GIFÂ¼ÖÆ¹¤¾ß.exe
3680	GIFÂ¼ÖÆ¹¤¾ß.exe
3680	GIFÂ¼ÖÆ¹¤¾ß.exe
3680	GIFÂ¼ÖÆ¹¤¾ß.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 3680	3604	ae1cfa268a4cc25b6fa6ecc734aa77d0N.exe	85
PID 3604 wrote to memory of 3680	3604	ae1cfa268a4cc25b6fa6ecc734aa77d0N.exe	85
PID 3604 wrote to memory of 3680	3604	ae1cfa268a4cc25b6fa6ecc734aa77d0N.exe	85

C:\Users\Admin\AppData\Local\Temp\ae1cfa268a4cc25b6fa6ecc734aa77d0N.exe
"C:\Users\Admin\AppData\Local\Temp\ae1cfa268a4cc25b6fa6ecc734aa77d0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Users\Admin\AppData\Roaming\soft\GIFÂ¼ÖÆ¹¤¾ß.exe
  C:\Users\Admin\AppData\Roaming\soft\GIFÂ¼ÖÆ¹¤¾ß.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\soft\GIFÂ¼ÖÆ¹¤¾ß.exe

Filesize
171KB

MD5
01f2aefd2cf91b2831d25a55f8ab9dbf

SHA1
725634b3430daec1b4795c398570f8bc8d6436a3

SHA256
e84be9f63c2661ac2df844b41c60164a5e948e0c0c0079b9a201d73b592ae89c

SHA512
cc1efc9cda3568e61376d149858e32984adfe31de1a5ac05fc562f3758e8b7508e43068c36598fa7fd8e440881a587ac3433e2a0aaeb058d6c37734ec033f08d

Download Submit
C:\Users\Admin\AppData\Roaming\soft\HtmlView.fne

Filesize
224KB

MD5
4242b8a1ddf4eaff4c18f9ef11e7b365

SHA1
6490f4f443fb49c38466390b9f9ea373ed7b9fa7

SHA256
4b2eb306298c48ae8da8d9685f0bd40a2ec18310fd1582a82d889171c114fc5d

SHA512
791a09dfce20279d4d99b971f6e2688e77bd0e67cddeecde032d99c117ae301d97b42d953182768f122279d2a8acadc30603859702a05c499febccc32ca50096

Download Submit
C:\Users\Admin\AppData\Roaming\soft\iext.fnr

Filesize
216KB

MD5
b666d864234e2586680de95a13259829

SHA1
bd6b1fa985e1bb4735c73cd6383e9c239493172a

SHA256
5f22e8d6a118fe48d37b3b83980d7dc8ea37ef6385bcede770c8e493df49635f

SHA512
10db4b6c571d1309502da04285b4280456bc951c5118f035a0be2a5c8800678371f4ed6754a38fe18928c2aa4f3efd685302751f7adef5f01e7952ff74f506f6

Download Submit
C:\Users\Admin\AppData\Roaming\soft\internet.fne

Filesize
188KB

MD5
b925098c6a6330410cffb3994ef36211

SHA1
7467bb63d47ea2fa6dbf3984ede8d9e04b8ce37a

SHA256
f25727ce196ac0ab4119ab7968cdfe18425170b55012fc7fb26a3f824514d82f

SHA512
955ab8e3eb661cf575db0db77ca81fca16cdb3e29ce49237b1df1377d6f2aaff3c6a12bbc98a720f0a67292b39451474b97de31f696688a93547181991fffe0e

Download Submit
C:\Users\Admin\AppData\Roaming\soft\krnln.fnr

Filesize
1.0MB

MD5
dde0681ba7a02bbb1c9b756af7e53fd2

SHA1
eb1310a5848614d89e71e76bf6beee497a068017

SHA256
f1efcaa3a7b5bf98819ec0076984f4af595d595c2553f4eec454e6d96f2bf080

SHA512
1f9892ea5727159e7f0ec836dac78bd6923f7b803e5f39113a14c27b4bea5353503a7b998088cdf8ad0f0920e66a241c588bec0b2cab6b02157b54ab4ce30ff1

Download Submit
C:\Users\Admin\AppData\Roaming\soft\xplib.fne

Filesize
76KB

MD5
33dc6efd3f3f23736c69ee3883edf94d

SHA1
57d02a0b73d48728c2b0569d32abe7ee3ac97f78

SHA256
78c1a0908251f9c2ab021afd9112e6333ec1b4bb63bd1210a69e64832505ea7e

SHA512
7b92c29f428d58f8124f22d0f99e523cb0a31c50669a3792190e2e94ce8e514e067797431e61593cab494f3d01d23f61b6851a0bd6839a4e756fd377653c83a1

Download Submit
memory/3680-44-0x0000000002330000-0x000000000236D000-memory.dmp

Filesize
244KB

Download
memory/3680-32-0x0000000002330000-0x000000000236D000-memory.dmp

Filesize
244KB

Download
memory/3680-56-0x0000000002330000-0x000000000236D000-memory.dmp

Filesize
244KB

Download
memory/3680-65-0x0000000002330000-0x000000000236D000-memory.dmp

Filesize
244KB

Download
memory/3680-64-0x0000000002330000-0x000000000236D000-memory.dmp

Filesize
244KB

Download
memory/3680-63-0x0000000002330000-0x000000000236D000-memory.dmp

Filesize
244KB

Download
memory/3680-60-0x0000000002330000-0x000000000236D000-memory.dmp

Filesize
244KB

Download
memory/3680-54-0x0000000002330000-0x000000000236D000-memory.dmp

Filesize
244KB

Download
memory/3680-52-0x0000000002330000-0x000000000236D000-memory.dmp

Filesize
244KB

Download
memory/3680-50-0x0000000002330000-0x000000000236D000-memory.dmp

Filesize
244KB

Download
memory/3680-48-0x0000000002330000-0x000000000236D000-memory.dmp

Filesize
244KB

Download
memory/3680-46-0x0000000002330000-0x000000000236D000-memory.dmp

Filesize
244KB

Download
memory/3680-19-0x0000000002330000-0x000000000236D000-memory.dmp

Filesize
244KB

Download
memory/3680-42-0x0000000002330000-0x000000000236D000-memory.dmp

Filesize
244KB

Download
memory/3680-40-0x0000000002330000-0x000000000236D000-memory.dmp

Filesize
244KB

Download
memory/3680-36-0x0000000002330000-0x000000000236D000-memory.dmp

Filesize
244KB

Download
memory/3680-35-0x0000000002330000-0x000000000236D000-memory.dmp

Filesize
244KB

Download
memory/3680-69-0x00000000024B0000-0x00000000024EB000-memory.dmp

Filesize
236KB

Download
memory/3680-30-0x0000000002330000-0x000000000236D000-memory.dmp

Filesize
244KB

Download
memory/3680-28-0x0000000002330000-0x000000000236D000-memory.dmp

Filesize
244KB

Download
memory/3680-24-0x0000000002330000-0x000000000236D000-memory.dmp

Filesize
244KB

Download
memory/3680-22-0x0000000002330000-0x000000000236D000-memory.dmp

Filesize
244KB

Download
memory/3680-21-0x0000000002330000-0x000000000236D000-memory.dmp

Filesize
244KB

Download
memory/3680-20-0x0000000002330000-0x000000000236D000-memory.dmp

Filesize
244KB

Download
memory/3680-17-0x0000000002330000-0x000000000236D000-memory.dmp

Filesize
244KB

Download
memory/3680-58-0x0000000002330000-0x000000000236D000-memory.dmp

Filesize
244KB

Download
memory/3680-26-0x0000000002330000-0x000000000236D000-memory.dmp

Filesize
244KB

Download
memory/3680-75-0x0000000002DB0000-0x0000000002DF4000-memory.dmp

Filesize
272KB

Download
memory/3680-38-0x0000000002330000-0x000000000236D000-memory.dmp

Filesize
244KB

Download
memory/3680-79-0x0000000004450000-0x000000000448E000-memory.dmp

Filesize
248KB

Download
memory/3680-14-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3680-84-0x0000000003140000-0x0000000003153000-memory.dmp

Filesize
76KB

Download
memory/3680-89-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download