Analysis

  • max time kernel: 149s
  • max time network: 138s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 20-09-2024 23:36

General

  • Target: f16ef3fc3f101acfeb70a8f17f8802b9ae7c31227c69858b1b10661301016615.exe
  • Size: 1.8MB
  • MD5: 6a17d8dd4cbfddeb2054c738173e4f18
  • SHA1: 99d65d7d306682167f446526d1b0184bc92667ad
  • SHA256: f16ef3fc3f101acfeb70a8f17f8802b9ae7c31227c69858b1b10661301016615
  • SHA512: 26e10fa641483690804bd61e5a9c25bf196521a003a7682807d5438be0f4bf43383682dbeae2df339c30545beef0e8b8719505ef286dc2b4c764d2ad143081d6
  • SSDEEP: 49152:RNMqQ0kwonLVkZep9nWrPWwONrRoODiGgDWAg2CPaSAnYvJW3BTSXff6YNQVWIP7:RiqQ0kwonLVkZep9nWrPWwONrRoODiGo

Malware Config

Signatures

  • Modifies firewall policy service (3 TTPs, 10 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)
    Looks up the country code configured in the registry, likely a geofence.
  • Executes dropped EXE (3 IoCs)
  • UPX packed file (14 IoCs)
    Detects executables packed with UPX or a modified UPX open-source packer.
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Suspicious use of SetThreadContext (2 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • System Location Discovery: System Language Discovery (1 TTP, 14 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Modifies registry key (1 TTP, 4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (36 IoCs)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (49 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\f16ef3fc3f101acfeb70a8f17f8802b9ae7c31227c69858b1b10661301016615.exe
    "C:\Users\Admin\AppData\Local\Temp\f16ef3fc3f101acfeb70a8f17f8802b9ae7c31227c69858b1b10661301016615.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4936
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NMHVu.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2144
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Java Updater 3" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Firefox.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:852
    • C:\Users\Admin\AppData\Roaming\Firefox.exe
      "C:\Users\Admin\AppData\Roaming\Firefox.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3428
      • C:\Users\Admin\AppData\Roaming\Firefox.exe
        C:\Users\Admin\AppData\Roaming\Firefox.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2368
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2172
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:3300
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Firefox.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Firefox.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2472
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Firefox.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Firefox.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:628
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4852
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:4720
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1912
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:1768
      • C:\Users\Admin\AppData\Roaming\Firefox.exe
        C:\Users\Admin\AppData\Roaming\Firefox.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1104

Network

  All queries went to 8.8.8.8:53 over DNS; a blank Response means no answer record was returned. Sent/Recv are bytes, Pkts is packets sent/received.

  Process      Query                          Type  Response                                               Sent  Recv   Pkts
  -----------  -----------------------------  ----  -----------------------------------------------------  ----  -----  ----
               8.8.8.8.in-addr.arpa           PTR   dns.google                                             66 B  90 B   1/1
               58.55.71.13.in-addr.arpa       PTR                                                          70 B  144 B  1/1
               240.221.184.93.in-addr.arpa    PTR                                                          73 B  144 B  1/1
  Firefox.exe  soukchayt2.no-ip.org           A                                                            66 B  126 B  1/1
               140.32.126.40.in-addr.arpa     PTR                                                          72 B  158 B  1/1
               209.205.72.20.in-addr.arpa     PTR                                                          72 B  158 B  1/1
  Firefox.exe  soukchayt2.no-ip.org           A                                                            66 B  126 B  1/1
               50.23.12.20.in-addr.arpa       PTR                                                          70 B  156 B  1/1
  Firefox.exe  soukchayt2.no-ip.org           A                                                            66 B  126 B  1/1
               18.31.95.13.in-addr.arpa       PTR                                                          70 B  144 B  1/1
               217.135.221.88.in-addr.arpa    PTR   a88-221-135-217.deploy.static.akamaitechnologies.com   73 B  139 B  1/1
  Firefox.exe  soukchayt2.no-ip.org           A                                                            66 B  126 B  1/1
  Firefox.exe  soukchayt2.no-ip.org           A                                                            66 B  126 B  1/1
  Firefox.exe  soukchayt2.no-ip.org           A                                                            66 B  126 B  1/1
  Firefox.exe  soukchayt2.no-ip.org           A                                                            66 B  126 B  1/1
               14.227.111.52.in-addr.arpa     PTR                                                          72 B  158 B  1/1
  Firefox.exe  soukchayt2.no-ip.org           A                                                            66 B  126 B  1/1
  Firefox.exe  soukchayt2.no-ip.org           A                                                            66 B  126 B  1/1
  Firefox.exe  soukchayt2.no-ip.org           A                                                            66 B  126 B  1/1

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\NMHVu.txt
    Filesize: 143B
    MD5: 962bc493b87f298696ad6e3eed7c7937
    SHA1: 985cc0c7e37e2465c4349abd528e120663ebd205
    SHA256: c167e2faa5307ac291ff833b8a1f5f802eaa028d1aba8d1ad342ca84c07bdb01
    SHA512: 9dd2b755a404b74206b713ab17d2ddedacc48910e942dab71cf7e98d8d25322c24e32648f0881136e5425134aaccfbfd9bdc52ceb4519bd07e97c5564116f173

  • C:\Users\Admin\AppData\Roaming\Firefox.txt
    Filesize: 1.8MB
    MD5: 54d782abe69fd5aa4d0d3e1b4a10fb82
    SHA1: 974ef4adef5b2b8c152d4db9804c501e739a1fa2
    SHA256: c8c8f3351e899d9fad27e3889c86041edcce0077a2887c62e5bbbe08cdb24d79
    SHA512: 13cb8c2e047c2e6dd28d4e6480e2daaa93617b9493b38b264b5a530d741de6be769c341bc9984f389a94524ba014ac56c693d9442b78d4ee0cc61a9f92fefdda

  Memory dumps:

  Dump                                                              Filesize
  ----------------------------------------------------------------  --------
  memory/1104-40-0x0000000000400000-0x0000000000409000-memory.dmp   36KB
  memory/1104-51-0x0000000000400000-0x0000000000409000-memory.dmp   36KB
  memory/1104-43-0x0000000000400000-0x0000000000409000-memory.dmp   36KB
  memory/1104-45-0x0000000000400000-0x0000000000409000-memory.dmp   36KB
  memory/2368-36-0x0000000000400000-0x000000000045D000-memory.dmp   372KB
  memory/2368-34-0x0000000000400000-0x000000000045D000-memory.dmp   372KB
  memory/2368-50-0x0000000000400000-0x000000000045D000-memory.dmp   372KB
  memory/2368-31-0x0000000000400000-0x000000000045D000-memory.dmp   372KB
  memory/2368-52-0x0000000000400000-0x000000000045D000-memory.dmp   372KB
  memory/2368-54-0x0000000000400000-0x000000000045D000-memory.dmp   372KB
  memory/2368-57-0x0000000000400000-0x000000000045D000-memory.dmp   372KB
  memory/2368-59-0x0000000000400000-0x000000000045D000-memory.dmp   372KB
  memory/2368-64-0x0000000000400000-0x000000000045D000-memory.dmp   372KB
  memory/2368-80-0x0000000000400000-0x000000000045D000-memory.dmp   372KB
  memory/4936-0-0x0000000000400000-0x00000000005CF000-memory.dmp    1.8MB
