6b9b530191671bafbd7bb7c3bcfac219d9dd368d92c4c4ee0ea91c651cc7b357

Analysis

max time kernel
149s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b9b530191671bafbd7bb7c3bcfac219d9dd368d92c4c4ee0ea91c651cc7b357.exe
Size

88KB
MD5

b627909eafe9c51d960fd04e5d803a4f
SHA1

e6ffe056728f95f8774c9d2111eb52a56703dd9d
SHA256

6b9b530191671bafbd7bb7c3bcfac219d9dd368d92c4c4ee0ea91c651cc7b357
SHA512

465f8de24f299edfcc551492c46ec9c69531caf182809f709f719e1a0d62ec6a438fb48c879531b8f158d4669bc31552beebc863d5a4acd156ea186b0a3e8b30
SSDEEP

1536:ahUDofByDJWbMGcEFLPEPKOJUsy1+VMA:aIofBHbKMP0PvMA

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	6b9b530191671bafbd7bb7c3bcfac219d9dd368d92c4c4ee0ea91c651cc7b357.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
832	explorer.exe
664	explorer.exe
4540	explorer.exe
4584	explorer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Video Driver = "C:\\Users\\Admin\\AppData\\Roaming\\config\\explorer.exe"	reg.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4292 set thread context of 1208	4292	6b9b530191671bafbd7bb7c3bcfac219d9dd368d92c4c4ee0ea91c651cc7b357.exe	84
PID 832 set thread context of 664	832	explorer.exe	90
PID 832 set thread context of 4540	832	explorer.exe	91
PID 4540 set thread context of 4584	4540	explorer.exe	92

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1208-13-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1208-16-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1208-20-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1208-19-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1208-59-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1208-65-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/664-95-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6b9b530191671bafbd7bb7c3bcfac219d9dd368d92c4c4ee0ea91c651cc7b357.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6b9b530191671bafbd7bb7c3bcfac219d9dd368d92c4c4ee0ea91c651cc7b357.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe
Token: SeDebugPrivilege	664	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4292	6b9b530191671bafbd7bb7c3bcfac219d9dd368d92c4c4ee0ea91c651cc7b357.exe
1208	6b9b530191671bafbd7bb7c3bcfac219d9dd368d92c4c4ee0ea91c651cc7b357.exe
832	explorer.exe
664	explorer.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4292 wrote to memory of 1208	4292	6b9b530191671bafbd7bb7c3bcfac219d9dd368d92c4c4ee0ea91c651cc7b357.exe	84
PID 4292 wrote to memory of 1208	4292	6b9b530191671bafbd7bb7c3bcfac219d9dd368d92c4c4ee0ea91c651cc7b357.exe	84
PID 4292 wrote to memory of 1208	4292	6b9b530191671bafbd7bb7c3bcfac219d9dd368d92c4c4ee0ea91c651cc7b357.exe	84
PID 4292 wrote to memory of 1208	4292	6b9b530191671bafbd7bb7c3bcfac219d9dd368d92c4c4ee0ea91c651cc7b357.exe	84
PID 4292 wrote to memory of 1208	4292	6b9b530191671bafbd7bb7c3bcfac219d9dd368d92c4c4ee0ea91c651cc7b357.exe	84
PID 4292 wrote to memory of 1208	4292	6b9b530191671bafbd7bb7c3bcfac219d9dd368d92c4c4ee0ea91c651cc7b357.exe	84
PID 4292 wrote to memory of 1208	4292	6b9b530191671bafbd7bb7c3bcfac219d9dd368d92c4c4ee0ea91c651cc7b357.exe	84
PID 4292 wrote to memory of 1208	4292	6b9b530191671bafbd7bb7c3bcfac219d9dd368d92c4c4ee0ea91c651cc7b357.exe	84
PID 1208 wrote to memory of 1184	1208	6b9b530191671bafbd7bb7c3bcfac219d9dd368d92c4c4ee0ea91c651cc7b357.exe	85
PID 1208 wrote to memory of 1184	1208	6b9b530191671bafbd7bb7c3bcfac219d9dd368d92c4c4ee0ea91c651cc7b357.exe	85
PID 1208 wrote to memory of 1184	1208	6b9b530191671bafbd7bb7c3bcfac219d9dd368d92c4c4ee0ea91c651cc7b357.exe	85
PID 1184 wrote to memory of 4932	1184	cmd.exe	88
PID 1184 wrote to memory of 4932	1184	cmd.exe	88
PID 1184 wrote to memory of 4932	1184	cmd.exe	88
PID 1208 wrote to memory of 832	1208	6b9b530191671bafbd7bb7c3bcfac219d9dd368d92c4c4ee0ea91c651cc7b357.exe	89
PID 1208 wrote to memory of 832	1208	6b9b530191671bafbd7bb7c3bcfac219d9dd368d92c4c4ee0ea91c651cc7b357.exe	89
PID 1208 wrote to memory of 832	1208	6b9b530191671bafbd7bb7c3bcfac219d9dd368d92c4c4ee0ea91c651cc7b357.exe	89
PID 832 wrote to memory of 664	832	explorer.exe	90
PID 832 wrote to memory of 664	832	explorer.exe	90
PID 832 wrote to memory of 664	832	explorer.exe	90
PID 832 wrote to memory of 664	832	explorer.exe	90
PID 832 wrote to memory of 664	832	explorer.exe	90
PID 832 wrote to memory of 664	832	explorer.exe	90
PID 832 wrote to memory of 664	832	explorer.exe	90
PID 832 wrote to memory of 664	832	explorer.exe	90
PID 832 wrote to memory of 4540	832	explorer.exe	91
PID 832 wrote to memory of 4540	832	explorer.exe	91
PID 832 wrote to memory of 4540	832	explorer.exe	91
PID 832 wrote to memory of 4540	832	explorer.exe	91
PID 832 wrote to memory of 4540	832	explorer.exe	91
PID 832 wrote to memory of 4540	832	explorer.exe	91
PID 832 wrote to memory of 4540	832	explorer.exe	91
PID 4540 wrote to memory of 4584	4540	explorer.exe	92
PID 4540 wrote to memory of 4584	4540	explorer.exe	92
PID 4540 wrote to memory of 4584	4540	explorer.exe	92
PID 4540 wrote to memory of 4584	4540	explorer.exe	92
PID 4540 wrote to memory of 4584	4540	explorer.exe	92
PID 4540 wrote to memory of 4584	4540	explorer.exe	92
PID 4540 wrote to memory of 4584	4540	explorer.exe	92

C:\Users\Admin\AppData\Local\Temp\6b9b530191671bafbd7bb7c3bcfac219d9dd368d92c4c4ee0ea91c651cc7b357.exe
"C:\Users\Admin\AppData\Local\Temp\6b9b530191671bafbd7bb7c3bcfac219d9dd368d92c4c4ee0ea91c651cc7b357.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4292
- C:\Users\Admin\AppData\Local\Temp\6b9b530191671bafbd7bb7c3bcfac219d9dd368d92c4c4ee0ea91c651cc7b357.exe
  "C:\Users\Admin\AppData\Local\Temp\6b9b530191671bafbd7bb7c3bcfac219d9dd368d92c4c4ee0ea91c651cc7b357.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IHVCL.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1184
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Video Driver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\config\explorer.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:4932
- - C:\Users\Admin\AppData\Roaming\config\explorer.exe
    "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:832
  - - C:\Users\Admin\AppData\Roaming\config\explorer.exe
      "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:664
  - - C:\Users\Admin\AppData\Roaming\config\explorer.exe
      "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4540
    - - C:\Users\Admin\AppData\Roaming\config\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cxz.exe

Filesize
294B

MD5
1fcb8fb4dddf889ec45f1c7f7c12de43

SHA1
ffe836c5d2efc1d5ad87c178f3621e28c6ac1789

SHA256
0dab0c7a993df45964ce9197428efe8663aad9f438eb04a9b5dfa37e1e0424ca

SHA512
38d5939efa17daa672bc37d0e4fe904544878c2d8d840a3d2557094955b862d989730eec030605ace1a682ed34ed737ccebc6d3c0d6c6bd4b3ff042a85a07612

Download Submit
C:\Users\Admin\AppData\Local\Temp\IHVCL.txt

Filesize
149B

MD5
fc1798b7c7938454220fda837a76f354

SHA1
b232912930b2bc24ff18bf7ecd58f872bbe01ea0

SHA256
7f0a5917b5aca9c5beb153aad0ef95bf0aeafb83768da5b086c3f029ba42d7c8

SHA512
d1abdd45a8e5d33893b9d19424174a07feed145d2e6b4be318ab5fde503f850579a4a101a010f30e16ecde2c7123f45357a8341214655321ee0f0097ca911331

Download Submit
C:\Users\Admin\AppData\Roaming\config\explorer.exe

Filesize
88KB

MD5
0305cd4adb5438251225ce59e6052b58

SHA1
d900ae557252c36f82257f1161b6bc147da47071

SHA256
12316ac62f735fda9d354d9f28f7a2b194d722292d7bc331317aef9af8c52e37

SHA512
b6b89d95bd14d1a22a9710e18455bc6cce07d8ddef4064457601c1d5b0f13e756fa2c74da7fdcf7740475ed321b23d2abae300c2a14f4bb7eb15c59220e5d832

Download Submit
memory/664-95-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/832-62-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/832-46-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/832-47-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/832-48-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1208-19-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1208-20-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1208-65-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1208-13-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1208-16-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1208-59-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4292-18-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/4292-9-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/4292-2-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/4292-11-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/4292-12-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/4292-5-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/4292-17-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/4292-3-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/4292-10-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/4292-8-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/4292-6-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/4292-7-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/4292-4-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/4540-52-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4540-68-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4540-58-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4540-57-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4584-66-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/4584-71-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/4584-93-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads