c999bf5da5ea3960408d3cba154f965d3436b497ac9d4959b412bfcd956c8491

Analysis

max time kernel
143s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c999bf5da5ea3960408d3cba154f965d3436b497ac9d4959b412bfcd956c8491.exe
Size

106KB
MD5

35c29de908e04eca97b39b96b3cadc2d
SHA1

64cb5c3f2cbd238f7f1d707f99dd98713c539f11
SHA256

c999bf5da5ea3960408d3cba154f965d3436b497ac9d4959b412bfcd956c8491
SHA512

1bdd84e2ecd277086b626be3e37fc9a020db75843c2a16339d9266966d630228b059e84b41d675ec0bfe11c8838004243159e4106f00021e7e9308a3d48fa2cb
SSDEEP

1536:g5NDPN2/M8luKX6/M4iXYWq7tMsN7jVp1voxq3zy:g5NDPN2/tlD0liXYWq7tM8XV3oyzy

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c999bf5da5ea3960408d3cba154f965d3436b497ac9d4959b412bfcd956c8491.exe

Executes dropped EXE 2 IoCs

pid	Process
3524	torunzip.exe
4080	tor.exe

Loads dropped DLL 6 IoCs

pid	Process
4080	tor.exe
4080	tor.exe
4080	tor.exe
4080	tor.exe
4080	tor.exe
4080	tor.exe

Drops file in Program Files directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Updates\Temp\Tor\libevent-2-0-5.dll	torunzip.exe
File created	C:\Program Files\Microsoft Updates\Tor\hidden_service\hostname.tmp	tor.exe
File opened for modification	C:\Program Files\Microsoft Updates\Temp\Tor\tor.exe	torunzip.exe
File opened for modification	C:\Program Files\Microsoft Updates\Temp\Tor\zlib1.dll	torunzip.exe
File opened for modification	C:\Program Files\Microsoft Updates\Temp\Tor\ssleay32.dll	torunzip.exe
File created	C:\Program Files\Microsoft Updates\installed.fgh	c999bf5da5ea3960408d3cba154f965d3436b497ac9d4959b412bfcd956c8491.exe
File created	C:\Program Files\Microsoft Updates\Temp\tor.zip	c999bf5da5ea3960408d3cba154f965d3436b497ac9d4959b412bfcd956c8491.exe
File opened for modification	C:\Program Files\Microsoft Updates\Temp\Data\Tor	torunzip.exe
File opened for modification	C:\Program Files\Microsoft Updates\Temp\Tor	torunzip.exe
File opened for modification	C:\Program Files\Microsoft Updates\Temp\Tor\libevent_core-2-0-5.dll	torunzip.exe
File opened for modification	C:\Program Files\Microsoft Updates\Temp\Tor\libgcc_s_sjlj-1.dll	torunzip.exe
File created	C:\Program Files\Microsoft Updates\Temp\Tor\libssp-0.dll	torunzip.exe
File created	C:\Program Files\Microsoft Updates\Temp\Tor\tor.exe	torunzip.exe
File created	C:\Program Files\Microsoft Updates\Tor\lock	tor.exe
File created	C:\Program Files\Microsoft Updates\svchost.exe	c999bf5da5ea3960408d3cba154f965d3436b497ac9d4959b412bfcd956c8491.exe
File opened for modification	C:\Program Files\Microsoft Updates\Temp\Data\Tor\geoip6	torunzip.exe
File created	C:\Program Files\Microsoft Updates\Temp\Tor\libevent-2-0-5.dll	torunzip.exe
File created	C:\Program Files\Microsoft Updates\Temp\Tor\libgcc_s_sjlj-1.dll	torunzip.exe
File created	C:\Program Files\Microsoft Updates\Temp\Tor\ssleay32.dll	torunzip.exe
File created	C:\Program Files\Microsoft Updates\Temp\Tor\zlib1.dll	torunzip.exe
File opened for modification	C:\Program Files\Microsoft Updates\Temp\Tor\libevent_extra-2-0-5.dll	torunzip.exe
File opened for modification	C:\Program Files\Microsoft Updates\svchost.exe	c999bf5da5ea3960408d3cba154f965d3436b497ac9d4959b412bfcd956c8491.exe
File created	C:\Program Files\Microsoft Updates\taskhost.exe	c999bf5da5ea3960408d3cba154f965d3436b497ac9d4959b412bfcd956c8491.exe
File created	C:\Program Files\Microsoft Updates\torunzip.exe	c999bf5da5ea3960408d3cba154f965d3436b497ac9d4959b412bfcd956c8491.exe
File created	C:\Program Files\Microsoft Updates\Temp\Data\Tor\geoip	torunzip.exe
File opened for modification	C:\Program Files\Microsoft Updates\Temp\Data\Tor\geoip	torunzip.exe
File created	C:\Program Files\Microsoft Updates\Temp\Tor\libeay32.dll	torunzip.exe
File created	C:\Program Files\Microsoft Updates\Temp\Tor\libevent_extra-2-0-5.dll	torunzip.exe
File opened for modification	C:\Program Files\Microsoft Updates\Temp\Tor\libssp-0.dll	torunzip.exe
File created	C:\Program Files\Microsoft Updates\Tor\state.tmp	tor.exe
File opened for modification	C:\Program Files\Microsoft Updates\Temp\Data	torunzip.exe
File created	C:\Program Files\Microsoft Updates\Temp\Data\Tor\geoip6	torunzip.exe
File created	C:\Program Files\Microsoft Updates\Tor\torrc	c999bf5da5ea3960408d3cba154f965d3436b497ac9d4959b412bfcd956c8491.exe
File created	C:\Program Files\Microsoft Updates\Tor\hidden_service\private_key.tmp	tor.exe
File opened for modification	C:\Program Files\Microsoft Updates\Temp\Tor\libeay32.dll	torunzip.exe
File created	C:\Program Files\Microsoft Updates\Temp\Tor\libevent_core-2-0-5.dll	torunzip.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c999bf5da5ea3960408d3cba154f965d3436b497ac9d4959b412bfcd956c8491.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	torunzip.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4080	tor.exe
4080	tor.exe
4080	tor.exe
4080	tor.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	212	c999bf5da5ea3960408d3cba154f965d3436b497ac9d4959b412bfcd956c8491.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3524	torunzip.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3524	torunzip.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 3524	212	c999bf5da5ea3960408d3cba154f965d3436b497ac9d4959b412bfcd956c8491.exe	82
PID 212 wrote to memory of 3524	212	c999bf5da5ea3960408d3cba154f965d3436b497ac9d4959b412bfcd956c8491.exe	82
PID 212 wrote to memory of 3524	212	c999bf5da5ea3960408d3cba154f965d3436b497ac9d4959b412bfcd956c8491.exe	82
PID 212 wrote to memory of 4080	212	c999bf5da5ea3960408d3cba154f965d3436b497ac9d4959b412bfcd956c8491.exe	91
PID 212 wrote to memory of 4080	212	c999bf5da5ea3960408d3cba154f965d3436b497ac9d4959b412bfcd956c8491.exe	91
PID 212 wrote to memory of 4080	212	c999bf5da5ea3960408d3cba154f965d3436b497ac9d4959b412bfcd956c8491.exe	91

C:\Users\Admin\AppData\Local\Temp\c999bf5da5ea3960408d3cba154f965d3436b497ac9d4959b412bfcd956c8491.exe
"C:\Users\Admin\AppData\Local\Temp\c999bf5da5ea3960408d3cba154f965d3436b497ac9d4959b412bfcd956c8491.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:212
- C:\Program Files\Microsoft Updates\torunzip.exe
  "C:\Program Files\Microsoft Updates\torunzip.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3524
- C:\Program Files\Microsoft Updates\Tor\tor.exe
  "C:\Program Files\Microsoft Updates\Tor\tor.exe" --defaults-torrc "C:\Program Files\Microsoft Updates\Tor\torrc"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Updates\Temp\tor.zip

Filesize
3.1MB

MD5
b0462790ed7fea5ee00655fb99fc05be

SHA1
d3321abc67aec350f064ed51b0cd0bfb48dc8209

SHA256
8d75ba8d8aac8f49c97c4b20256d0d3fd5d0e4aee89b6a77b6a5cc43421efc9f

SHA512
5c72c4478f1a8f5950278f0e9c5e787ebd40db22cc52e52639e64bacc730d508f0db449d61777402921485dabf2a939ea86337d295697a87fbee781882ef74b4

Download Submit
C:\Program Files\Microsoft Updates\Tor\libeay32.dll

Filesize
1.9MB

MD5
a9de9bb8b6e3fdd80d15a94d8b0afc38

SHA1
237e407ea2f2d9ae36bd222e4a6acfc9c5320e36

SHA256
e7d0ea96e99eb4c16130472b5809f235f5ec71ea17164aab9d0b391add404be6

SHA512
60f29db4a10b28a8d33ba0d1abac1c8d661844bd9d770670d89e1d23ec84866758a7d50e0ffa715439c05f03f8cea7d95a0829e328d29f79e1c266712c5e4ac4

Download Submit
C:\Program Files\Microsoft Updates\Tor\libevent-2-0-5.dll

Filesize
698KB

MD5
790520db3e65846b8f2528cf4426805d

SHA1
1ee1b33bcd9f285d8ab7645f403f0c99fd16b293

SHA256
2a81d85ee4e5f62b4bbfecf77a54ba220382f0faad5e3e005eb9884af6013e16

SHA512
d20c2c63305d6f52aa6eaa92907a3915997cd6d6a4c0385973ccd86d0aac6d127e91233785aba08386d1728b496953c42488ceabbe215209b5f264828a5a9d32

Download Submit
C:\Program Files\Microsoft Updates\Tor\libgcc_s_sjlj-1.dll

Filesize
507KB

MD5
c2489e22982e58e17bec24fac42013c4

SHA1
8bd860bea80c4f2317b4ab5b801b02dd39e665d5

SHA256
62687552035b81853f78b815a89c56cd0ab3d94ecc12782d6826db6863095a2b

SHA512
dc2d46a53e9579f6dc7ea55fcde66b0272416fb143801b21c73e2c982c43f698483a9055a9d2b4d6701a09d01d05aa75c9cc4b45a3fddac7244ebb793d7cbeea

Download Submit
C:\Program Files\Microsoft Updates\Tor\libssp-0.dll

Filesize
89KB

MD5
395d1f5b0c3c3a2a31dd438e1e43a996

SHA1
9b0684ebb1e3b92f4969660a9f765886360bb8ee

SHA256
c6fe18a639f766907ae13bb9dc427d5f75501a195c0ab1c6ee8ef9f794997ff6

SHA512
b09f39325b6c5173e2bd44cc052a990d355a949e5e2158d1cccfc237e08417b54dee3bc33d7f826b9878bb644973a7f151bc0b7f1c9a7ed17ba9ff735a91bd09

Download Submit
C:\Program Files\Microsoft Updates\Tor\ssleay32.dll

Filesize
411KB

MD5
cc3d440e0653af423c45c7066bc14a5e

SHA1
5eb863f37223064415056a64eab291ddd0a06984

SHA256
39c9def15ec2c4a5927a79e5294f8f33621d0e34a55186d62062b2a8f2d5d76b

SHA512
50d2881cc2373edbf102b04b959d4b140eb413f2887056963e34277cd6e6dc0f610ae0e41d139de80f9d64ca5a1cf076033a608eb9d59461944aac6914ea2c67

Download Submit
C:\Program Files\Microsoft Updates\Tor\tor.exe

Filesize
1.9MB

MD5
181f58c4f7345819bccd7ddd8c698421

SHA1
4557de8c8e0923c0efbe7efca2db1d96dcf18f79

SHA256
f559149ed963ce9219f65f447b27ac68e68b42ddc7f0360456a2ceb95b5a0396

SHA512
6394c13ab2414fe33d02721afa14011626ecc366ed27687e41c9a53d843a218da860297e85048e785ec8fcd32f31e94b05680dca150f9dbb1fefe16584512cdf

Download Submit
C:\Program Files\Microsoft Updates\Tor\torrc

Filesize
250B

MD5
5e6696bfeee9c9a37942f7d03be5bff9

SHA1
7504f2226c47c2a5bfcbbecfb5d202a08bd32ca3

SHA256
31661bdff6a889889793fb543b15e0ea8d17c9ead1f4bf8de2527ee3ce02b57a

SHA512
3bd4aac53fc96c918c8b8a362d5f72faf9e1bca5de54af0eeadd5a2548c8c344a5f05bdf0e78ae3a30f64dccbae6981614c1469fc673ec2397179b063e81db77

Download Submit
C:\Program Files\Microsoft Updates\Tor\zlib1.dll

Filesize
108KB

MD5
8f6451bcdfe45e2ab4268a47d62e3584

SHA1
7e9cdec5eb82fce078f61c3f8337f9b60db07cc0

SHA256
4109dbcf8a81a925211a5903a8826179d7ca56f7e48bc2fd4a5348b1025bac14

SHA512
5d44719066aee2bfcf77972fc08eac6b6d445dfb02c984133e105523ab8d2cf07b70bb96a0c9e62dafa0ffb525993e8d70e5ee79be98e417ac98525541ec2862

Download Submit
C:\Program Files\Microsoft Updates\torunzip.exe

Filesize
20KB

MD5
f2a5bea9843cfd088c062685be32154f

SHA1
10ca494259e42812e1495d96902285838bc4657f

SHA256
23eeb35780faf868a7b17b8e8da364d71bae0e46c1ababddddddecbdbd2c2c64

SHA512
36880f9d53a2e4a046d0134f1f8ad81d39f6ca76709580470f047455a80203fd3eb4317ce0e8ac1e174c20dd1ce1a41ef54f8b258adcdb24ed119b5014016a26

Download Submit
memory/212-57-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/212-56-0x0000000074802000-0x0000000074803000-memory.dmp

Filesize
4KB

Download
memory/212-2-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/212-0-0x0000000074802000-0x0000000074803000-memory.dmp

Filesize
4KB

Download
memory/212-1-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/4080-78-0x0000000071B31000-0x0000000071B75000-memory.dmp

Filesize
272KB

Download
memory/4080-88-0x00000000002B0000-0x0000000000499000-memory.dmp

Filesize
1.9MB

Download
memory/4080-79-0x0000000071B30000-0x0000000071BB3000-memory.dmp

Filesize
524KB

Download
memory/4080-76-0x0000000071800000-0x0000000071823000-memory.dmp

Filesize
140KB

Download
memory/4080-77-0x00000000002B0000-0x0000000000499000-memory.dmp

Filesize
1.9MB

Download
memory/4080-74-0x0000000071B30000-0x0000000071BB3000-memory.dmp

Filesize
524KB

Download
memory/4080-87-0x0000000071B30000-0x0000000071BB3000-memory.dmp

Filesize
524KB

Download
memory/4080-90-0x0000000071B10000-0x0000000071B2C000-memory.dmp

Filesize
112KB

Download
memory/4080-94-0x0000000071800000-0x0000000071823000-memory.dmp

Filesize
140KB

Download
memory/4080-93-0x0000000071830000-0x000000007189E000-memory.dmp

Filesize
440KB

Download
memory/4080-91-0x0000000071A90000-0x0000000071B05000-memory.dmp

Filesize
468KB

Download
memory/4080-75-0x00000000718A0000-0x0000000071A8E000-memory.dmp

Filesize
1.9MB

Download
memory/4080-92-0x00000000718A0000-0x0000000071A8E000-memory.dmp

Filesize
1.9MB

Download
memory/4080-95-0x00000000002B0000-0x0000000000499000-memory.dmp

Filesize
1.9MB

Download
memory/4080-102-0x00000000002B0000-0x0000000000499000-memory.dmp

Filesize
1.9MB

Download
memory/4080-109-0x00000000002B0000-0x0000000000499000-memory.dmp

Filesize
1.9MB

Download
memory/4080-116-0x00000000002B0000-0x0000000000499000-memory.dmp

Filesize
1.9MB

Download
memory/4080-125-0x00000000002B0000-0x0000000000499000-memory.dmp

Filesize
1.9MB

Download
memory/4080-132-0x00000000002B0000-0x0000000000499000-memory.dmp

Filesize
1.9MB

Download
memory/4080-139-0x00000000002B0000-0x0000000000499000-memory.dmp

Filesize
1.9MB

Download
memory/4080-146-0x00000000002B0000-0x0000000000499000-memory.dmp

Filesize
1.9MB

Download