96d2bb04174a2dfe53c2cdb4760188e6baa99066d5631c5b8c009652707adadb

Analysis

max time kernel
118s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-09-2024 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa1075c626abe4315050d7b9544dd3b0N.exe
Size

84KB
MD5

fa1075c626abe4315050d7b9544dd3b0
SHA1

2652e31f88810a74ac6260b5796bbedf9255cafa
SHA256

96d2bb04174a2dfe53c2cdb4760188e6baa99066d5631c5b8c009652707adadb
SHA512

b9ba435d0a7464908b82876ea3f1d33e8b3a637055a90924456ee7ae3640bb6aa94d8e092afd0cc0c2a056a5a5f585a6bd995d5398f959b130b0d0e6ec4425e5
SSDEEP

1536:1clIGFNMi+hJUneHoGTvvv4V9hqdhbtgS:+RMi+fUnCTvvv4V9hEhbCS

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	fa1075c626abe4315050d7b9544dd3b0N.exe

Executes dropped EXE 4 IoCs

pid	Process
4144	lsass.exe
3032	lsass.exe
2944	lsass.exe
4964	lsass.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4456-15-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4456-20-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4456-21-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4456-22-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4456-48-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3032-67-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4456-72-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3032-102-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audio Driver = "C:\\Users\\Admin\\AppData\\Roaming\\system\\lsass.exe"	reg.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3840 set thread context of 4456	3840	fa1075c626abe4315050d7b9544dd3b0N.exe	93
PID 4144 set thread context of 3032	4144	lsass.exe	101
PID 4144 set thread context of 2944	4144	lsass.exe	102
PID 2944 set thread context of 4964	2944	lsass.exe	103

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa1075c626abe4315050d7b9544dd3b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa1075c626abe4315050d7b9544dd3b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe
Token: SeDebugPrivilege	3032	lsass.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3840	fa1075c626abe4315050d7b9544dd3b0N.exe
4456	fa1075c626abe4315050d7b9544dd3b0N.exe
4144	lsass.exe
3032	lsass.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3840 wrote to memory of 4456	3840	fa1075c626abe4315050d7b9544dd3b0N.exe	93
PID 3840 wrote to memory of 4456	3840	fa1075c626abe4315050d7b9544dd3b0N.exe	93
PID 3840 wrote to memory of 4456	3840	fa1075c626abe4315050d7b9544dd3b0N.exe	93
PID 3840 wrote to memory of 4456	3840	fa1075c626abe4315050d7b9544dd3b0N.exe	93
PID 3840 wrote to memory of 4456	3840	fa1075c626abe4315050d7b9544dd3b0N.exe	93
PID 3840 wrote to memory of 4456	3840	fa1075c626abe4315050d7b9544dd3b0N.exe	93
PID 3840 wrote to memory of 4456	3840	fa1075c626abe4315050d7b9544dd3b0N.exe	93
PID 3840 wrote to memory of 4456	3840	fa1075c626abe4315050d7b9544dd3b0N.exe	93
PID 4456 wrote to memory of 2164	4456	fa1075c626abe4315050d7b9544dd3b0N.exe	94
PID 4456 wrote to memory of 2164	4456	fa1075c626abe4315050d7b9544dd3b0N.exe	94
PID 4456 wrote to memory of 2164	4456	fa1075c626abe4315050d7b9544dd3b0N.exe	94
PID 2164 wrote to memory of 2448	2164	cmd.exe	97
PID 2164 wrote to memory of 2448	2164	cmd.exe	97
PID 2164 wrote to memory of 2448	2164	cmd.exe	97
PID 4456 wrote to memory of 4144	4456	fa1075c626abe4315050d7b9544dd3b0N.exe	98
PID 4456 wrote to memory of 4144	4456	fa1075c626abe4315050d7b9544dd3b0N.exe	98
PID 4456 wrote to memory of 4144	4456	fa1075c626abe4315050d7b9544dd3b0N.exe	98
PID 4144 wrote to memory of 3032	4144	lsass.exe	101
PID 4144 wrote to memory of 3032	4144	lsass.exe	101
PID 4144 wrote to memory of 3032	4144	lsass.exe	101
PID 4144 wrote to memory of 3032	4144	lsass.exe	101
PID 4144 wrote to memory of 3032	4144	lsass.exe	101
PID 4144 wrote to memory of 3032	4144	lsass.exe	101
PID 4144 wrote to memory of 3032	4144	lsass.exe	101
PID 4144 wrote to memory of 3032	4144	lsass.exe	101
PID 4144 wrote to memory of 2944	4144	lsass.exe	102
PID 4144 wrote to memory of 2944	4144	lsass.exe	102
PID 4144 wrote to memory of 2944	4144	lsass.exe	102
PID 4144 wrote to memory of 2944	4144	lsass.exe	102
PID 4144 wrote to memory of 2944	4144	lsass.exe	102
PID 4144 wrote to memory of 2944	4144	lsass.exe	102
PID 4144 wrote to memory of 2944	4144	lsass.exe	102
PID 2944 wrote to memory of 4964	2944	lsass.exe	103
PID 2944 wrote to memory of 4964	2944	lsass.exe	103
PID 2944 wrote to memory of 4964	2944	lsass.exe	103
PID 2944 wrote to memory of 4964	2944	lsass.exe	103
PID 2944 wrote to memory of 4964	2944	lsass.exe	103
PID 2944 wrote to memory of 4964	2944	lsass.exe	103
PID 2944 wrote to memory of 4964	2944	lsass.exe	103

C:\Users\Admin\AppData\Local\Temp\fa1075c626abe4315050d7b9544dd3b0N.exe
"C:\Users\Admin\AppData\Local\Temp\fa1075c626abe4315050d7b9544dd3b0N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3840
- C:\Users\Admin\AppData\Local\Temp\fa1075c626abe4315050d7b9544dd3b0N.exe
  "C:\Users\Admin\AppData\Local\Temp\fa1075c626abe4315050d7b9544dd3b0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUIJE.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Audio Driver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\lsass.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2448
- - C:\Users\Admin\AppData\Roaming\system\lsass.exe
    "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4144
  - - C:\Users\Admin\AppData\Roaming\system\lsass.exe
      "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3032
  - - C:\Users\Admin\AppData\Roaming\system\lsass.exe
      "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Users\Admin\AppData\Roaming\system\lsass.exe
        
        "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cxz.exe

Filesize
294B

MD5
bbf327f7d231d77e0b572935ddca1231

SHA1
154acf35a2e1d171ce28af0f91f22180db51d0d3

SHA256
a0e4f9c253249f57367f4a7aa5cd2aa2c603984a0de75de9bcf4bed4437b212b

SHA512
9558cd39891b2fc3a9950e1eacb05105a600fc6b4aef6893cf45237b0b9c48f3d46766f92878f50f01ec61614c4ed52daa8b815949cf79222cbff9813973fdd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\VUIJE.txt

Filesize
146B

MD5
c8cba0a9d4d5600b5f53c4c0681d1115

SHA1
0e5348e210ca70b2b0ffdc3ff7e6f611716df80c

SHA256
ca2b63f6d7bf17480415ae93e115bf9f9699335e84e62719eefdbcc5a78bd2e1

SHA512
a2ad6eb5ae2f6d57ca15363ac2f0c57ca3580474e94b9c010750948814cf4d5ffa0c3e7ef44634a3593da23f56011703ff220a3d7780f6f01785bf3b6676ced0

Download Submit
C:\Users\Admin\AppData\Roaming\system\lsass.exe

Filesize
84KB

MD5
05a258be922961efda57b652dd352c8f

SHA1
031808763917f208101fadc074718fc4909edf57

SHA256
9570abb5ae58877e904d16e260cccab5f3683e83deabdc98e8e5d043748d4666

SHA512
79bf73f645920638ec547b0c00471072bc4a45c491d277868b44daac33cbb4d7cae03d5f15533d0a4c6bc37bd0c9a30571fd767e58a1225b48085c1b372c36e8

Download Submit
memory/2944-74-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2944-66-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2944-68-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2944-58-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2944-62-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3032-67-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3032-102-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3840-2-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/3840-16-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/3840-5-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/3840-4-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/3840-18-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/3840-9-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/3840-17-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/3840-11-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/3840-3-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/3840-12-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/3840-13-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/3840-14-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

Filesize
4KB

Download
memory/3840-6-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/3840-8-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/3840-10-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/3840-7-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/4144-69-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4144-53-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4144-51-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4144-52-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4144-54-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4456-72-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4456-20-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4456-21-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4456-15-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4456-22-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4456-48-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4964-73-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/4964-78-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/4964-100-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads