72aa5f272ea13b79395d04910a7bf2289a539f831c1fde289ae7202784d5b3b2

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09-09-2024 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72aa5f272ea13b79395d04910a7bf2289a539f831c1fde289ae7202784d5b3b2.exe
Size

2.1MB
MD5

79f5030955d0aa6443185249ac438364
SHA1

6943022b1b0e2c4b0a95ccb06d16877b60ee31fc
SHA256

72aa5f272ea13b79395d04910a7bf2289a539f831c1fde289ae7202784d5b3b2
SHA512

aa463ce881f09c606ebd5b709f22d4246af715948fb2e80313f0fc0baecb42334743d50e37e7db474dda44eb3f898b8fbb7ac2be2770cac5f586202f413ab780
SSDEEP

12288:GGzQYR4IeaAVB6ETW82Ku8UKfdndrboYjumm:G8lgaAVB6evW8UKlndr

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2776	ywbmqwv.exe

Loads dropped DLL 2 IoCs

pid	Process
1644	72aa5f272ea13b79395d04910a7bf2289a539f831c1fde289ae7202784d5b3b2.exe
1644	72aa5f272ea13b79395d04910a7bf2289a539f831c1fde289ae7202784d5b3b2.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1644-0-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/files/0x000500000001951c-13.dat	upx
behavioral1/memory/2776-64-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/files/0x000100000000002a-48.dat	upx
behavioral1/memory/1644-65-0x0000000000400000-0x000000000046F000-memory.dmp	upx

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\DRIVERS\W32X86\3\txcaxwd\txcaxwd.exe	72aa5f272ea13b79395d04910a7bf2289a539f831c1fde289ae7202784d5b3b2.exe
File created	C:\Windows\SysWOW64\Help\upbiran.ini	72aa5f272ea13b79395d04910a7bf2289a539f831c1fde289ae7202784d5b3b2.exe
File created	C:\Windows\SysWOW64\Help\1.dtxcaxw	72aa5f272ea13b79395d04910a7bf2289a539f831c1fde289ae7202784d5b3b2.exe
File created	C:\Windows\SysWOW64\Help\2.dtxcaxw	72aa5f272ea13b79395d04910a7bf2289a539f831c1fde289ae7202784d5b3b2.exe
File created	C:\Windows\SysWOW64\dtxcaxw\dtxcaxw\pnxdimq\m.ini	72aa5f272ea13b79395d04910a7bf2289a539f831c1fde289ae7202784d5b3b2.exe
File created	C:\Windows\SysWOW64\dtxcaxw\dtxcaxw\pnxdimq\ywbmqwv.exe	72aa5f272ea13b79395d04910a7bf2289a539f831c1fde289ae7202784d5b3b2.exe
File opened for modification	C:\Windows\SysWOW64\dtxcaxw\dtxcaxw\pnxdimq\ywbmqwv.exe	72aa5f272ea13b79395d04910a7bf2289a539f831c1fde289ae7202784d5b3b2.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2776 set thread context of 2912	2776	ywbmqwv.exe	32

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Help\dtxcaxw.hlp	72aa5f272ea13b79395d04910a7bf2289a539f831c1fde289ae7202784d5b3b2.exe
File created	C:\Windows\2.ini	72aa5f272ea13b79395d04910a7bf2289a539f831c1fde289ae7202784d5b3b2.exe
File opened for modification	C:\Windows\	72aa5f272ea13b79395d04910a7bf2289a539f831c1fde289ae7202784d5b3b2.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ywbmqwv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72aa5f272ea13b79395d04910a7bf2289a539f831c1fde289ae7202784d5b3b2.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1644	72aa5f272ea13b79395d04910a7bf2289a539f831c1fde289ae7202784d5b3b2.exe
1644	72aa5f272ea13b79395d04910a7bf2289a539f831c1fde289ae7202784d5b3b2.exe
1644	72aa5f272ea13b79395d04910a7bf2289a539f831c1fde289ae7202784d5b3b2.exe
1644	72aa5f272ea13b79395d04910a7bf2289a539f831c1fde289ae7202784d5b3b2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1644	72aa5f272ea13b79395d04910a7bf2289a539f831c1fde289ae7202784d5b3b2.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 2776	1644	72aa5f272ea13b79395d04910a7bf2289a539f831c1fde289ae7202784d5b3b2.exe	30
PID 1644 wrote to memory of 2776	1644	72aa5f272ea13b79395d04910a7bf2289a539f831c1fde289ae7202784d5b3b2.exe	30
PID 1644 wrote to memory of 2776	1644	72aa5f272ea13b79395d04910a7bf2289a539f831c1fde289ae7202784d5b3b2.exe	30
PID 1644 wrote to memory of 2776	1644	72aa5f272ea13b79395d04910a7bf2289a539f831c1fde289ae7202784d5b3b2.exe	30
PID 2776 wrote to memory of 2912	2776	ywbmqwv.exe	32
PID 2776 wrote to memory of 2912	2776	ywbmqwv.exe	32
PID 2776 wrote to memory of 2912	2776	ywbmqwv.exe	32
PID 2776 wrote to memory of 2912	2776	ywbmqwv.exe	32
PID 2776 wrote to memory of 2912	2776	ywbmqwv.exe	32
PID 2776 wrote to memory of 2912	2776	ywbmqwv.exe	32

C:\Users\Admin\AppData\Local\Temp\72aa5f272ea13b79395d04910a7bf2289a539f831c1fde289ae7202784d5b3b2.exe
"C:\Users\Admin\AppData\Local\Temp\72aa5f272ea13b79395d04910a7bf2289a539f831c1fde289ae7202784d5b3b2.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\SysWOW64\dtxcaxw\dtxcaxw\pnxdimq\ywbmqwv.exe
  C:\Windows\system32\dtxcaxw\dtxcaxw\pnxdimq\ywbmqwv.exe -close
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe -NetworkService
    3⤵
    PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Help\1.dtxcaxw

Filesize
26B

MD5
8f5744cb125d0563d3205ccf891cd52a

SHA1
cb6a7903eddcf74aacba41e7f274694d6addd743

SHA256
5d4cabac736de269fc4773db150feebbcb0e98a3f7d335d80f5ece002aee6236

SHA512
dea445da4bcd65c88c903651a725a7082684accf0081fa08bca4772a9811390fd46b74ab10fd21f25b3868236e07d2630e512d51c94b17a3e929ba7abfd8b27e

Download Submit
C:\Windows\SysWOW64\Help\2.dtxcaxw

Filesize
18B

MD5
8c2ed41b4e89a4885c30ebdb072ecaaa

SHA1
67adb68af4fb045f7cb16f075f3b644446b0c008

SHA256
b7364f848a2fcfd874eca5fba9a4e2d8a3ad57b44a9d04e767a389047feef0a9

SHA512
48ae7eacbbf7a318a90377148918b42bb6704c567449025d1ceee47fc1d58180fb361009dcca40ba010e65def043d6e05b2121b94f1a1a8d9d9228d520e9ed9f

Download Submit
C:\Windows\SysWOW64\Help\upbiran.ini

Filesize
18B

MD5
a8b8827bbc33b6487dbc75f49e5a4e75

SHA1
356a544b104bb5f28e22e7dcb8b503e10fd723bb

SHA256
3672df834704d5f6de89349a5c2132a96b219d8c5a9765b9ab88b762efa6f7e2

SHA512
ca3508c854949528f5c85a04fb66c8af5eb387022168a9e29335c843e8e96427bcc69c344805ef11fb761852e6dba21e123384327654a8c68d2bce13f03ae120

Download Submit
C:\Windows\SysWOW64\dtxcaxw\dtxcaxw\pnxdimq\m.ini

Filesize
128B

MD5
8d5b02949083e4f1caaa7f46031effb7

SHA1
2a4b2cf589ceab0cf3f02291502c148276bd3677

SHA256
b2870bf76ed2f01a621b019d81725bec25361a420a03807aed45dd9f810ac239

SHA512
97628bc660a3d08a9996001330be953f60b52263fc661ef8606620cb57f78fb86af5050e750ad202128ddd178a79eaa2fafb68989efeba87305b4dfb69a86f73

Download Submit
C:\Windows\SysWOW64\dtxcaxw\dtxcaxw\pnxdimq\ywbmqwv.exe

Filesize
7.4MB

MD5
07deb17fd03f2cc358a6e18103671d7e

SHA1
8164ae85aaaefef8878afe49ffd4ab9dffca0568

SHA256
d854cd03560588f656b47d5049cea6434a72c53105ccac74c76d10e02026af61

SHA512
a1c9e55cbdfa601b47ea7781a5b7b10afbae1c1c8b5dcc6fb0c140b142b0550772b7120ff977ed7e1f2ad6234646ead0e49c568943835bfe61a8db4ca0653fe9

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\txcaxwd\txcaxwd000.IMD

Filesize
218KB

MD5
11be3635d247cfebb0519c5d65e7b935

SHA1
fe6a56eee0ad1e8438f3697906c4729c51176a70

SHA256
29254e3c9903825496a1bb229c3bbf5d3d454e4fc0ebea730a5ec19d51265baa

SHA512
9d8e6c13c00b556ffcaa828ad2d893836058b99ae5f6f3361c2ead541b6a834727eef252ef1e8dc0552b44eb7540736e9d63ed08c5f10019457b669b24ebd1c6

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\txcaxwd\txcaxwd001.IMD

Filesize
218KB

MD5
e787aef75794298da5076794d980dc70

SHA1
12adfc1cf5c0ab5b54de4cad2b75ac3ce2e8565f

SHA256
1106ad501ee688cf3793ea105f93c3b212d50254e3b44a7790541379b2006692

SHA512
8f361544fbd572031e7fd5309b71dd65e80caaee09cd58ba8cbb03dedf8ab21d5ac1261bcd93fed0cef74ce4ce664d979f09a4022597bbd154d43ed7aed3f910

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\txcaxwd\txcaxwd002.IMD

Filesize
218KB

MD5
6d4a7035d4e14ba7f97f68b6545475a9

SHA1
5e5bc27e4cc17f05ad7d77ec0ceb05cec1d04e08

SHA256
89c25e2a2d64f07a3cb82591d636616337ad5e4b1ba51d0abf88cb7615daa714

SHA512
8c8616ab12a92ea5964fb8ee5dce4db8a4f50f0bd81fda169cd8a3e3cbb4c3bc811ef2824e57f5a317c3e5d0406e9a7660947ae35aacecacd9559a86c6ccff05

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\txcaxwd\txcaxwd003.IMD

Filesize
218KB

MD5
fab2bdf72a9d8e04be16704fc355cb1b

SHA1
dafe9454e932723d218a046d3931032e6b1d1b1d

SHA256
a335065b204d213b7095ee913491d63ec8ada707a3dd4ccc03a82278465d0228

SHA512
c0082a47cb6d2ade8a4bc240ce1b5ba3c13b042dfd359400217191e5774c5461b6d2e3966587de36fbe339a822ffd532fef12f046c011490e9ca6775ef51ad0e

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\txcaxwd\txcaxwd004.IMD

Filesize
218KB

MD5
4aa4ab7d2cac04689fbe24fbe7b6244d

SHA1
85685671a21ff49dede97d9bda0794e57eabe9c6

SHA256
eae03a5c09d3bd9ef76c703ea35864ce762f8a0cb26fd417a7fa7e3af04b8467

SHA512
216c907b30a2ef763afe3b016682abf16a1aaac4db8580c923ea82e53a7518c36ba53d17e679ff35ec5043169fcaef31cf7e5ad64db204c11f0b8490e4aa6d04

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\txcaxwd\txcaxwd005.IMD

Filesize
218KB

MD5
5886ce5f51294d468f261308e60c507f

SHA1
4312a02fa2f1c55d4ee5ed28e76673e1ea533b36

SHA256
87c8be4ce5a3e2e19450c76a3b767dc173ff5155dca3df58289d35d04fc564f9

SHA512
ee34c9187e0d667aac4473eb687fa5de2da975c080ff5b4bb306ebefee1101b375041a247cbc25e258f67774e19ecddf5144a48ee7ceed0659652047cfb923b2

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\txcaxwd\txcaxwd006.IMD

Filesize
218KB

MD5
2d649f2960ff7599a51e7e696b9e2eec

SHA1
3443cc3d2ab57b94ad2eee1c7b8f5bb4047a64df

SHA256
b71f9c7042a5f80c7754fc1741ac0d307ad135cf3aa932f1efc820682a0d3c4e

SHA512
98cde8f5f33c7a7a87539c436a4ed3a9ae34bb35a3a03bf1c8dc4ca51d8a3ae6e46ebf529f30495a72431aa7c2542aaa74b0f3a008b5ff0ab9bdd8fbe0440716

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\txcaxwd\txcaxwd007.IMD

Filesize
218KB

MD5
bbe83f76d17e6c018f08311e58c319b9

SHA1
3a1cea04ae09672010826141511fd5bfe46b08b8

SHA256
3f170dac55b497f7fd8f3ef802cc7c166533e5f509950287f5a04044a767cd6c

SHA512
b985c8a905aa3e1ae3cd9a3a4e0a0523e4c5268228aca6738f046df6c9a17b688af64ec77f1be438d201a08c7859673d636f3828a1935f13f2077a33ed699e6b

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\txcaxwd\txcaxwd008.IMD

Filesize
218KB

MD5
24c692d999da84af5ee725835d2b8d76

SHA1
a5072c5a2b3527910e975e4f3a8b9a35e569ae0a

SHA256
29733f905685dc33c1446708fcd0eb3aaf1674ce9075be2e53ad84452fe8e11a

SHA512
9a7e951813959b2570574c350d6b7e98bb597a6a5bd3a7820b20a3831ad4143f87884025d521501f19eead822e67bfbd2b51c95ed9474391aa5b69453ac97bc4

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\txcaxwd\txcaxwd009.IMD

Filesize
218KB

MD5
b2b28c46e36aeefd1866ac99384fa39c

SHA1
4215fcc7d79c17c0ca6f8ebcb776c6f6d8d05c17

SHA256
7cc3a4f81a88d9efd138accc56e399b2091da50973b98fa2d7cf2fa637ee29a0

SHA512
d4918b1931259866392eb3f0d3e0bc1ae9a90b46e8e8421ad6724dd8bf39bd522656f9dd09ec5289bc88e8b791b17d7665204f04c470337a3e1d64f5e3fc4c56

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\txcaxwd\txcaxwd010.IMD

Filesize
5B

MD5
ca9c491ac66b2c62500882e93f3719a8

SHA1
a10909c2cdcaf5adb7e6b092a4faba558b62bd96

SHA256
8855508aade16ec573d21e6a485dfd0a7624085c1a14b5ecdd6485de0c6839a4

SHA512
65faa9d920e0e9cff43fc3f30ab02ba2e8cf6f4643b58f7c1e64583fbec8a268e677b0ec4d54406e748becb53fda210f5d4f39cf2a5014b1ca496b0805182649

Download Submit
memory/1644-42-0x00000000022D0000-0x000000000233F000-memory.dmp

Filesize
444KB

Download
memory/1644-0-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1644-41-0x00000000022D0000-0x000000000233F000-memory.dmp

Filesize
444KB

Download
memory/1644-65-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1644-66-0x00000000022D0000-0x000000000233F000-memory.dmp

Filesize
444KB

Download
memory/1644-67-0x00000000022D0000-0x000000000233F000-memory.dmp

Filesize
444KB

Download
memory/2776-64-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2912-59-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2912-61-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download