01880df7409a02cdd00a9d34992b93ccbed0db46ab4f9dddc1199e11c1f61fa9

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01880df7409a02cdd00a9d34992b93ccbed0db46ab4f9dddc1199e11c1f61fa9.exe
Size

96KB
MD5

055a7ec43353689f06dd3498947e1052
SHA1

e83a709c3fc729a8480ad40953c88db4ef51a2da
SHA256

01880df7409a02cdd00a9d34992b93ccbed0db46ab4f9dddc1199e11c1f61fa9
SHA512

485bdffb0c500cfa5c6d4e3570c97032160b1e6944ff43e18113994d272d4a0235e5b6763fd6df3afb78ad7a7df7d90d9288ec7d07b5d1a80382a4223f8dab37
SSDEEP

3072:lbjgjXxdWBhMwRFy2Rk/kcIAebPph/ATvYKyUDI7Lurc:lfAXxd0qf2L/ATvryOI7ac

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	cmd.exe

Deletes itself 1 IoCs

pid	Process
4596	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
1564	rMX.exe
2240	rMX.exe.exe
3956	rMX.exe
3560	rMX.exe
624	rMX.exe
2768	rMX.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3560-21-0x0000000010000000-0x000000001002A000-memory.dmp	upx
behavioral2/memory/3560-20-0x0000000010000000-0x000000001002A000-memory.dmp	upx
behavioral2/memory/3560-29-0x0000000010000000-0x000000001002A000-memory.dmp	upx
behavioral2/memory/3560-34-0x0000000010000000-0x000000001002A000-memory.dmp	upx
behavioral2/memory/3560-35-0x0000000010000000-0x000000001002A000-memory.dmp	upx
behavioral2/memory/3560-22-0x0000000010000000-0x000000001002A000-memory.dmp	upx

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3956 set thread context of 3560	3956	rMX.exe	94
PID 3956 set thread context of 624	3956	rMX.exe	95
PID 3956 set thread context of 2768	3956	rMX.exe	96

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\VWFLH\rMX.exe	rMX.exe.exe
File created	C:\WINDOWS\VWFLH\rMX.exe	01880df7409a02cdd00a9d34992b93ccbed0db46ab4f9dddc1199e11c1f61fa9.exe
File created	\??\c:\windows\rMX.exe.bat	rMX.exe
File created	C:\WINDOWS\VWFLH\rMX.exe	rMX.exe.exe
File opened for modification	\??\c:\windows\nk.txt	cmd.exe
File created	\??\c:\windows\rMX.exe.bat	rMX.exe
File opened for modification	C:\WINDOWS\VWFLH\rMX.exe	01880df7409a02cdd00a9d34992b93ccbed0db46ab4f9dddc1199e11c1f61fa9.exe
File created	C:\WINDOWS\VWFLH\rMX.exe.exe	rMX.exe
File opened for modification	C:\WINDOWS\VWFLH\rMX.exe.exe	rMX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4648	624	WerFault.exe	95
636	2768	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rMX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01880df7409a02cdd00a9d34992b93ccbed0db46ab4f9dddc1199e11c1f61fa9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rMX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rMX.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rMX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3560	rMX.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 1564	968	01880df7409a02cdd00a9d34992b93ccbed0db46ab4f9dddc1199e11c1f61fa9.exe	85
PID 968 wrote to memory of 1564	968	01880df7409a02cdd00a9d34992b93ccbed0db46ab4f9dddc1199e11c1f61fa9.exe	85
PID 968 wrote to memory of 1564	968	01880df7409a02cdd00a9d34992b93ccbed0db46ab4f9dddc1199e11c1f61fa9.exe	85
PID 1564 wrote to memory of 3008	1564	rMX.exe	86
PID 1564 wrote to memory of 3008	1564	rMX.exe	86
PID 1564 wrote to memory of 3008	1564	rMX.exe	86
PID 1564 wrote to memory of 5000	1564	rMX.exe	87
PID 1564 wrote to memory of 5000	1564	rMX.exe	87
PID 1564 wrote to memory of 5000	1564	rMX.exe	87
PID 968 wrote to memory of 2024	968	01880df7409a02cdd00a9d34992b93ccbed0db46ab4f9dddc1199e11c1f61fa9.exe	88
PID 968 wrote to memory of 2024	968	01880df7409a02cdd00a9d34992b93ccbed0db46ab4f9dddc1199e11c1f61fa9.exe	88
PID 968 wrote to memory of 2024	968	01880df7409a02cdd00a9d34992b93ccbed0db46ab4f9dddc1199e11c1f61fa9.exe	88
PID 5000 wrote to memory of 2240	5000	cmd.exe	92
PID 5000 wrote to memory of 2240	5000	cmd.exe	92
PID 5000 wrote to memory of 2240	5000	cmd.exe	92
PID 2240 wrote to memory of 3956	2240	rMX.exe.exe	93
PID 2240 wrote to memory of 3956	2240	rMX.exe.exe	93
PID 2240 wrote to memory of 3956	2240	rMX.exe.exe	93
PID 3956 wrote to memory of 3560	3956	rMX.exe	94
PID 3956 wrote to memory of 3560	3956	rMX.exe	94
PID 3956 wrote to memory of 3560	3956	rMX.exe	94
PID 3956 wrote to memory of 3560	3956	rMX.exe	94
PID 3956 wrote to memory of 3560	3956	rMX.exe	94
PID 3956 wrote to memory of 3560	3956	rMX.exe	94
PID 3956 wrote to memory of 3560	3956	rMX.exe	94
PID 3956 wrote to memory of 3560	3956	rMX.exe	94
PID 3956 wrote to memory of 624	3956	rMX.exe	95
PID 3956 wrote to memory of 624	3956	rMX.exe	95
PID 3956 wrote to memory of 624	3956	rMX.exe	95
PID 3956 wrote to memory of 624	3956	rMX.exe	95
PID 3956 wrote to memory of 2768	3956	rMX.exe	96
PID 3956 wrote to memory of 2768	3956	rMX.exe	96
PID 3956 wrote to memory of 2768	3956	rMX.exe	96
PID 3956 wrote to memory of 2768	3956	rMX.exe	96
PID 2240 wrote to memory of 2604	2240	rMX.exe.exe	98
PID 2240 wrote to memory of 2604	2240	rMX.exe.exe	98
PID 2240 wrote to memory of 2604	2240	rMX.exe.exe	98
PID 2024 wrote to memory of 4596	2024	cmd.exe	104
PID 2024 wrote to memory of 4596	2024	cmd.exe	104
PID 2024 wrote to memory of 4596	2024	cmd.exe	104
PID 2604 wrote to memory of 2288	2604	cmd.exe	105
PID 2604 wrote to memory of 2288	2604	cmd.exe	105
PID 2604 wrote to memory of 2288	2604	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\01880df7409a02cdd00a9d34992b93ccbed0db46ab4f9dddc1199e11c1f61fa9.exe
"C:\Users\Admin\AppData\Local\Temp\01880df7409a02cdd00a9d34992b93ccbed0db46ab4f9dddc1199e11c1f61fa9.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:968
- C:\WINDOWS\VWFLH\rMX.exe
  C:\WINDOWS\VWFLH\rMX.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo 0>>c:\windows\nk.txt
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:3008
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\WINDOWS\VWFLH\rMX.exe.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\WINDOWS\VWFLH\rMX.exe.exe
      C:\WINDOWS\VWFLH\rMX.exe.exe
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2240
    - - C:\WINDOWS\VWFLH\rMX.exe
        
        C:\WINDOWS\VWFLH\rMX.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3956
      - C:\WINDOWS\VWFLH\rMX.exe
        
        C:\WINDOWS\VWFLH\rMX.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3560
      - C:\WINDOWS\VWFLH\rMX.exe
        
        C:\WINDOWS\VWFLH\rMX.exe
        6⤵
        Executes dropped EXE
        
        PID:624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 80
        7⤵
        Program crash
        
        PID:4648
      - C:\WINDOWS\VWFLH\rMX.exe
        
        C:\WINDOWS\VWFLH\rMX.exe
        6⤵
        Executes dropped EXE
        
        PID:2768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 80
        7⤵
        Program crash
        
        PID:636
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\9.vbs
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2604
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\9.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\58.vbs
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\58.vbs"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2768 -ip 2768
1⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 624 -ip 624
1⤵
PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\58.vbs

Filesize
236B

MD5
23724bb88fdd07c4a3995176d341a1d7

SHA1
b612b757f4a68fc173a691d839027e5d914e7999

SHA256
ca2ec47585ae2dacb4207daf002077fe0cfdedde8ba618ef41b8abcc995f8d9c

SHA512
5b85e8def8fb47839dc43dd223186ebddd5aa2fd159d2c5d94425bcbdc0184c38c24636e6e1cfb8920c8f436a98652293113c6470ecbd638cf7070729f24c560

Download Submit
C:\9.vbs

Filesize
161B

MD5
4e4644f520daa659c58890d94ab34448

SHA1
5508c4200279a0bc3e564aa522cd590fd8ceb2d5

SHA256
70f048a8521dd79a882117458bd49f008227c4e9d36996ad3bdc702e427cec0d

SHA512
886ee5f76304c9213d1a81840ebd0688a183b9d0a2f5bea4f76f91f94a583f7d3147db251886aa84b3b17cd49f7714d8b69877729241031aa349c2cd4704de0c

Download Submit
C:\Windows\VWFLH\rMX.exe

Filesize
96KB

MD5
055a7ec43353689f06dd3498947e1052

SHA1
e83a709c3fc729a8480ad40953c88db4ef51a2da

SHA256
01880df7409a02cdd00a9d34992b93ccbed0db46ab4f9dddc1199e11c1f61fa9

SHA512
485bdffb0c500cfa5c6d4e3570c97032160b1e6944ff43e18113994d272d4a0235e5b6763fd6df3afb78ad7a7df7d90d9288ec7d07b5d1a80382a4223f8dab37

Download Submit
C:\Windows\VWFLH\rMX.exe.exe

Filesize
96KB

MD5
ee556cb389dbd00cae550162309ae942

SHA1
809c29f23a01278dc3b07ecbdcb960a46ce5fadf

SHA256
a8be2a4247628cd5953ec59e730d7056f9a18d0e1d9e99d4361ff7ce1c3ba53a

SHA512
7935e9e171a79dfd62b448477384fcf3206d8f5989b2f8b13c68ec79f9deb1f134600f28c7c6ce8d86d4be08a1e9140a1c07f705bae1291f5af37005efa6bebd

Download Submit
memory/968-10-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download
memory/1564-9-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download
memory/2240-33-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download
memory/3560-29-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/3560-34-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/3560-35-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/3560-22-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/3560-20-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/3560-21-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/3956-32-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download