040a46dda816173d7955e1b170fd5a71cae4826db70dd0e38ae7ef116995c6fd

Analysis

max time kernel
119s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

040a46dda816173d7955e1b170fd5a71cae4826db70dd0e38ae7ef116995c6fdN.exe
Size

88KB
MD5

465c3f8ebf81e1f989a2a679daa8ec60
SHA1

3d88c902d8f95b16600dc287ec93876056dacd74
SHA256

040a46dda816173d7955e1b170fd5a71cae4826db70dd0e38ae7ef116995c6fd
SHA512

29fed2480db38e07b0bec416bbfb1d5902d8c210cc1e3f2b7b0f67b4ad6d7aa2386d53d8055ac744b961bb00811933b20d6013062a1eee3878cb29b7c7dd7ecc
SSDEEP

1536:ahUDofByDJWbMGcEFLPEPKOJUsy1+VMAh:aIofBHbKMP0PvMAh

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	040a46dda816173d7955e1b170fd5a71cae4826db70dd0e38ae7ef116995c6fdN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
3784	explorer.exe
4148	explorer.exe
4816	explorer.exe
4648	explorer.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3668-17-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3668-19-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3668-20-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3668-65-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4148-95-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Video Driver = "C:\\Users\\Admin\\AppData\\Roaming\\config\\explorer.exe"	reg.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3232 set thread context of 3668	3232	040a46dda816173d7955e1b170fd5a71cae4826db70dd0e38ae7ef116995c6fdN.exe	82
PID 3784 set thread context of 4148	3784	explorer.exe	90
PID 3784 set thread context of 4816	3784	explorer.exe	91
PID 4816 set thread context of 4648	4816	explorer.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	040a46dda816173d7955e1b170fd5a71cae4826db70dd0e38ae7ef116995c6fdN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	040a46dda816173d7955e1b170fd5a71cae4826db70dd0e38ae7ef116995c6fdN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe
Token: SeDebugPrivilege	4148	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3232	040a46dda816173d7955e1b170fd5a71cae4826db70dd0e38ae7ef116995c6fdN.exe
3668	040a46dda816173d7955e1b170fd5a71cae4826db70dd0e38ae7ef116995c6fdN.exe
3784	explorer.exe
4148	explorer.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3232 wrote to memory of 3668	3232	040a46dda816173d7955e1b170fd5a71cae4826db70dd0e38ae7ef116995c6fdN.exe	82
PID 3232 wrote to memory of 3668	3232	040a46dda816173d7955e1b170fd5a71cae4826db70dd0e38ae7ef116995c6fdN.exe	82
PID 3232 wrote to memory of 3668	3232	040a46dda816173d7955e1b170fd5a71cae4826db70dd0e38ae7ef116995c6fdN.exe	82
PID 3232 wrote to memory of 3668	3232	040a46dda816173d7955e1b170fd5a71cae4826db70dd0e38ae7ef116995c6fdN.exe	82
PID 3232 wrote to memory of 3668	3232	040a46dda816173d7955e1b170fd5a71cae4826db70dd0e38ae7ef116995c6fdN.exe	82
PID 3232 wrote to memory of 3668	3232	040a46dda816173d7955e1b170fd5a71cae4826db70dd0e38ae7ef116995c6fdN.exe	82
PID 3232 wrote to memory of 3668	3232	040a46dda816173d7955e1b170fd5a71cae4826db70dd0e38ae7ef116995c6fdN.exe	82
PID 3232 wrote to memory of 3668	3232	040a46dda816173d7955e1b170fd5a71cae4826db70dd0e38ae7ef116995c6fdN.exe	82
PID 3668 wrote to memory of 3200	3668	040a46dda816173d7955e1b170fd5a71cae4826db70dd0e38ae7ef116995c6fdN.exe	83
PID 3668 wrote to memory of 3200	3668	040a46dda816173d7955e1b170fd5a71cae4826db70dd0e38ae7ef116995c6fdN.exe	83
PID 3668 wrote to memory of 3200	3668	040a46dda816173d7955e1b170fd5a71cae4826db70dd0e38ae7ef116995c6fdN.exe	83
PID 3200 wrote to memory of 2884	3200	cmd.exe	86
PID 3200 wrote to memory of 2884	3200	cmd.exe	86
PID 3200 wrote to memory of 2884	3200	cmd.exe	86
PID 3668 wrote to memory of 3784	3668	040a46dda816173d7955e1b170fd5a71cae4826db70dd0e38ae7ef116995c6fdN.exe	87
PID 3668 wrote to memory of 3784	3668	040a46dda816173d7955e1b170fd5a71cae4826db70dd0e38ae7ef116995c6fdN.exe	87
PID 3668 wrote to memory of 3784	3668	040a46dda816173d7955e1b170fd5a71cae4826db70dd0e38ae7ef116995c6fdN.exe	87
PID 3784 wrote to memory of 4148	3784	explorer.exe	90
PID 3784 wrote to memory of 4148	3784	explorer.exe	90
PID 3784 wrote to memory of 4148	3784	explorer.exe	90
PID 3784 wrote to memory of 4148	3784	explorer.exe	90
PID 3784 wrote to memory of 4148	3784	explorer.exe	90
PID 3784 wrote to memory of 4148	3784	explorer.exe	90
PID 3784 wrote to memory of 4148	3784	explorer.exe	90
PID 3784 wrote to memory of 4148	3784	explorer.exe	90
PID 3784 wrote to memory of 4816	3784	explorer.exe	91
PID 3784 wrote to memory of 4816	3784	explorer.exe	91
PID 3784 wrote to memory of 4816	3784	explorer.exe	91
PID 3784 wrote to memory of 4816	3784	explorer.exe	91
PID 3784 wrote to memory of 4816	3784	explorer.exe	91
PID 3784 wrote to memory of 4816	3784	explorer.exe	91
PID 3784 wrote to memory of 4816	3784	explorer.exe	91
PID 4816 wrote to memory of 4648	4816	explorer.exe	94
PID 4816 wrote to memory of 4648	4816	explorer.exe	94
PID 4816 wrote to memory of 4648	4816	explorer.exe	94
PID 4816 wrote to memory of 4648	4816	explorer.exe	94
PID 4816 wrote to memory of 4648	4816	explorer.exe	94
PID 4816 wrote to memory of 4648	4816	explorer.exe	94
PID 4816 wrote to memory of 4648	4816	explorer.exe	94

C:\Users\Admin\AppData\Local\Temp\040a46dda816173d7955e1b170fd5a71cae4826db70dd0e38ae7ef116995c6fdN.exe
"C:\Users\Admin\AppData\Local\Temp\040a46dda816173d7955e1b170fd5a71cae4826db70dd0e38ae7ef116995c6fdN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3232
- C:\Users\Admin\AppData\Local\Temp\040a46dda816173d7955e1b170fd5a71cae4826db70dd0e38ae7ef116995c6fdN.exe
  "C:\Users\Admin\AppData\Local\Temp\040a46dda816173d7955e1b170fd5a71cae4826db70dd0e38ae7ef116995c6fdN.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JNTAG.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3200
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Video Driver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\config\explorer.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2884
- - C:\Users\Admin\AppData\Roaming\config\explorer.exe
    "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3784
  - - C:\Users\Admin\AppData\Roaming\config\explorer.exe
      "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4148
  - - C:\Users\Admin\AppData\Roaming\config\explorer.exe
      "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4816
    - - C:\Users\Admin\AppData\Roaming\config\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cxz.exe

Filesize
294B

MD5
0372094e64239acc12b7ea5057914b99

SHA1
5b3517e86f7952f1629547a5b4de85cd088cdff4

SHA256
eff4cee0459e2a86d70073f40c79ddd095fdc73b9970d398bdfd20db94d03b39

SHA512
65966b6a4e53f7c768996d97a7f3066737aeacb7ec94e261bdd1931a0085713aa67ebf6448d84dd66c7ed30d55e8cfb03df433169014a9a88a319f4771f5d76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JNTAG.txt

Filesize
149B

MD5
fc1798b7c7938454220fda837a76f354

SHA1
b232912930b2bc24ff18bf7ecd58f872bbe01ea0

SHA256
7f0a5917b5aca9c5beb153aad0ef95bf0aeafb83768da5b086c3f029ba42d7c8

SHA512
d1abdd45a8e5d33893b9d19424174a07feed145d2e6b4be318ab5fde503f850579a4a101a010f30e16ecde2c7123f45357a8341214655321ee0f0097ca911331

Download Submit
C:\Users\Admin\AppData\Roaming\config\explorer.exe

Filesize
88KB

MD5
60f6da0ed12026086467b0c2ea6aa025

SHA1
f61e9e644aedfa19c69c0c3b2eb5532f0e03b462

SHA256
51e8d17fe08acf34dd763a8fc236a1d6bb52adaaab7d9041968bafb7833e0f06

SHA512
caa2e5aec33be3536386e41d111a062b12590246a7e1769b01d0214bbf6549183fb58b1070f19287b6a622be715d42f7e4a88130616c1b9fa2432767d1046559

Download Submit
memory/3232-14-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/3232-12-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/3232-2-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/3232-16-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/3232-15-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/3232-4-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/3232-13-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/3232-3-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/3232-11-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

Filesize
4KB

Download
memory/3232-10-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/3232-9-0x0000000002BC0000-0x0000000002BC1000-memory.dmp

Filesize
4KB

Download
memory/3232-8-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/3232-6-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/3232-5-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/3232-7-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/3668-19-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3668-17-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3668-20-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3668-65-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3784-62-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3784-46-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3784-48-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3784-47-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4148-95-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4648-71-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/4648-66-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/4648-93-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/4816-53-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4816-68-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4816-58-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4816-59-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4816-57-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads