515ec1ce3e6c81c23dbd56cc782f93a8c770950f53a6a7689477568d7cf1ffe1

Analysis

max time kernel
119s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

515ec1ce3e6c81c23dbd56cc782f93a8c770950f53a6a7689477568d7cf1ffe1N.exe
Size

524KB
MD5

558477de7e2544d2677b45f9fc74cf40
SHA1

ca7254d58a4ca548e840ff9299b49dad8875aa9a
SHA256

515ec1ce3e6c81c23dbd56cc782f93a8c770950f53a6a7689477568d7cf1ffe1
SHA512

5b536c163dd3571af1130cd6a010644865dfad86884455b157e0ccfad26cc59114964ef2320ec0642b3c681ff82c82af569e01485b08a51adf1a6df572337246
SSDEEP

12288:LLS65eo7WOcg3kXaD5Ny6+KW78FCjIwQpe:LLS65eKWOpkXaLy6OECXQpe

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	515ec1ce3e6c81c23dbd56cc782f93a8c770950f53a6a7689477568d7cf1ffe1N.exe

Executes dropped EXE 2 IoCs

pid	Process
4436	WindowsService.exe
2488	WindowsService.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4848-4-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4848-6-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4848-7-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4848-8-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4848-34-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4848-45-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2488-47-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsService = "C:\\Users\\Admin\\AppData\\Roaming\\SystemWindowsWindowsService\\WindowsService.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2012 set thread context of 4848	2012	515ec1ce3e6c81c23dbd56cc782f93a8c770950f53a6a7689477568d7cf1ffe1N.exe	87
PID 4436 set thread context of 2488	4436	WindowsService.exe	95
PID 4436 set thread context of 0	4436	WindowsService.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	515ec1ce3e6c81c23dbd56cc782f93a8c770950f53a6a7689477568d7cf1ffe1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	515ec1ce3e6c81c23dbd56cc782f93a8c770950f53a6a7689477568d7cf1ffe1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsService.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe
Token: SeDebugPrivilege	2488	WindowsService.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2012	515ec1ce3e6c81c23dbd56cc782f93a8c770950f53a6a7689477568d7cf1ffe1N.exe
4848	515ec1ce3e6c81c23dbd56cc782f93a8c770950f53a6a7689477568d7cf1ffe1N.exe
4436	WindowsService.exe
2488	WindowsService.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 4848	2012	515ec1ce3e6c81c23dbd56cc782f93a8c770950f53a6a7689477568d7cf1ffe1N.exe	87
PID 2012 wrote to memory of 4848	2012	515ec1ce3e6c81c23dbd56cc782f93a8c770950f53a6a7689477568d7cf1ffe1N.exe	87
PID 2012 wrote to memory of 4848	2012	515ec1ce3e6c81c23dbd56cc782f93a8c770950f53a6a7689477568d7cf1ffe1N.exe	87
PID 2012 wrote to memory of 4848	2012	515ec1ce3e6c81c23dbd56cc782f93a8c770950f53a6a7689477568d7cf1ffe1N.exe	87
PID 2012 wrote to memory of 4848	2012	515ec1ce3e6c81c23dbd56cc782f93a8c770950f53a6a7689477568d7cf1ffe1N.exe	87
PID 2012 wrote to memory of 4848	2012	515ec1ce3e6c81c23dbd56cc782f93a8c770950f53a6a7689477568d7cf1ffe1N.exe	87
PID 2012 wrote to memory of 4848	2012	515ec1ce3e6c81c23dbd56cc782f93a8c770950f53a6a7689477568d7cf1ffe1N.exe	87
PID 2012 wrote to memory of 4848	2012	515ec1ce3e6c81c23dbd56cc782f93a8c770950f53a6a7689477568d7cf1ffe1N.exe	87
PID 4848 wrote to memory of 3436	4848	515ec1ce3e6c81c23dbd56cc782f93a8c770950f53a6a7689477568d7cf1ffe1N.exe	90
PID 4848 wrote to memory of 3436	4848	515ec1ce3e6c81c23dbd56cc782f93a8c770950f53a6a7689477568d7cf1ffe1N.exe	90
PID 4848 wrote to memory of 3436	4848	515ec1ce3e6c81c23dbd56cc782f93a8c770950f53a6a7689477568d7cf1ffe1N.exe	90
PID 3436 wrote to memory of 4440	3436	cmd.exe	93
PID 3436 wrote to memory of 4440	3436	cmd.exe	93
PID 3436 wrote to memory of 4440	3436	cmd.exe	93
PID 4848 wrote to memory of 4436	4848	515ec1ce3e6c81c23dbd56cc782f93a8c770950f53a6a7689477568d7cf1ffe1N.exe	94
PID 4848 wrote to memory of 4436	4848	515ec1ce3e6c81c23dbd56cc782f93a8c770950f53a6a7689477568d7cf1ffe1N.exe	94
PID 4848 wrote to memory of 4436	4848	515ec1ce3e6c81c23dbd56cc782f93a8c770950f53a6a7689477568d7cf1ffe1N.exe	94
PID 4436 wrote to memory of 2488	4436	WindowsService.exe	95
PID 4436 wrote to memory of 2488	4436	WindowsService.exe	95
PID 4436 wrote to memory of 2488	4436	WindowsService.exe	95
PID 4436 wrote to memory of 2488	4436	WindowsService.exe	95
PID 4436 wrote to memory of 2488	4436	WindowsService.exe	95
PID 4436 wrote to memory of 2488	4436	WindowsService.exe	95
PID 4436 wrote to memory of 2488	4436	WindowsService.exe	95
PID 4436 wrote to memory of 2488	4436	WindowsService.exe	95

C:\Users\Admin\AppData\Local\Temp\515ec1ce3e6c81c23dbd56cc782f93a8c770950f53a6a7689477568d7cf1ffe1N.exe
"C:\Users\Admin\AppData\Local\Temp\515ec1ce3e6c81c23dbd56cc782f93a8c770950f53a6a7689477568d7cf1ffe1N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\515ec1ce3e6c81c23dbd56cc782f93a8c770950f53a6a7689477568d7cf1ffe1N.exe
  "C:\Users\Admin\AppData\Local\Temp\515ec1ce3e6c81c23dbd56cc782f93a8c770950f53a6a7689477568d7cf1ffe1N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HJVWE.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3436
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsService" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SystemWindowsWindowsService\WindowsService.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:4440
- - C:\Users\Admin\AppData\Roaming\SystemWindowsWindowsService\WindowsService.exe
    "C:\Users\Admin\AppData\Roaming\SystemWindowsWindowsService\WindowsService.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4436
  - - C:\Users\Admin\AppData\Roaming\SystemWindowsWindowsService\WindowsService.exe
      "C:\Users\Admin\AppData\Roaming\SystemWindowsWindowsService\WindowsService.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HJVWE.txt

Filesize
178B

MD5
c2cc427c87f0a6e231266dbb4d5b6ac5

SHA1
e0849fc705f915d218b2dc2f744bb24157022355

SHA256
1b985a6f00b15b5eb13fd2b9c79f163e2c3ed1b8d4133e08f213dc6dc7850999

SHA512
be4d6b172b0c92d1ffa33b30c642db3ccbda637af92234853918ef5e3c6c40121ec10c42557c96ddbc234d0d539c47c6c5adc8bf4c77e9daf8204661215a8e37

Download Submit
C:\Users\Admin\AppData\Roaming\SystemWindowsWindowsService\WindowsService.exe

Filesize
524KB

MD5
37656cae01003ed38b90953c17565191

SHA1
e06b75948bb5615bd084e973142e12336ce6a6bc

SHA256
cf1fdfd4974f9a956c49439d15393fcabbfe36ab7ee7f76941bd9a940fae52e6

SHA512
d78429aae89cea71726deb32ab51bb1c567faad90fe0d0064bd139bcc98c657e4d54fa6b436b908c1e904b313880ed0c30a76e8c6c258418aa8a3b4cdbf2ac3a

Download Submit
memory/2012-2-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/2012-3-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/2488-47-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4436-36-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4436-43-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4848-8-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4848-7-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4848-34-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4848-6-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4848-45-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4848-4-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads