Analysis
- max time kernel: 141s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 29/09/2024, 17:19

Behavioral task: behavioral1
- Sample: screen-recorder.exe
- Resource: win7-20240903-en

General
- Target: screen-recorder.exe
- Size: 2.0MB
- MD5: d3081627c17f7d24258a1b0a5f2a5d07
- SHA1: 35fdfe0cceb60716c5f9f1232bc1bbe4e38216ec
- SHA256: ab606cdd7bb2c1bdad233f6c62e88d112d3cc6db271a74845c6395358fdb1ab0
- SHA512: cd24057780c876bbd241de5e0c240a2304431b866b0956bb02bc55a0e2a1daf024e3a8e80860e99dec56f9f1c840ec2134e6f07fe32792f0b7bdf2c86fbd8a88
- SSDEEP: 49152:UaPtdvmQgbVKIBze15oKAFFvqF1ooLO+D502EmP4b6IiO5Q2cM:9cVKIBze4pFFiw0O+D502YbNfH
Malware Config
Signatures
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 14: ioc ip-api.com

- yara_rule upx (2 IoCs)
  resource: behavioral1/memory/2184-0-0x0000000000400000-0x000000000078F000-memory.dmp; behavioral1/memory/2184-210-0x0000000000400000-0x000000000078F000-memory.dmp

- Launches sc.exe (4 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid / Process: 2956 sc.exe; 2264 sc.exe; 1016 sc.exe; 1856 sc.exe

- System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by screen-recorder.exe (1 time), cmd.exe (4 times), sc.exe (4 times), wmic.exe (4 times)

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token privileges enabled by wmic.exe (pid 1896, two full passes) and wmic.exe (pid 1772, one full pass, then cut off after SeLoadDriverPrivilege on the second pass by the 64-IoC display cap):
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35

- Suspicious use of WriteProcessMemory (48 IoCs)
  Each write is reported four times in the raw log; deduplicated as source pid / Process -> target pid (procid_target):
  2184 screen-recorder.exe -> 1868 (28), 1896 (31), 2648 (34), 1772 (37), 2292 (40), 688 (43), 1552 (45), 1452 (48)
  1868 cmd.exe -> 2956 (30)
  2648 cmd.exe -> 2264 (36)
  2292 cmd.exe -> 1016 (42)
  1552 cmd.exe -> 1856 (47)
Processes
- [PID 2184] C:\Users\Admin\AppData\Local\Temp\screen-recorder.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\screen-recorder.exe"
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - [PID 1868] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C sc start winmgmt
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - [PID 2956] C:\Windows\SysWOW64\sc.exe
      Command line: sc start winmgmt
      Signatures: Launches sc.exe; System Location Discovery: System Language Discovery
  - [PID 1896] C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic BaseBoard get SerialNumber
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
  - [PID 2648] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C sc start winmgmt
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - [PID 2264] C:\Windows\SysWOW64\sc.exe
      Command line: sc start winmgmt
      Signatures: Launches sc.exe; System Location Discovery: System Language Discovery
  - [PID 1772] C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic BaseBoard get SerialNumber
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
  - [PID 2292] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C sc start winmgmt
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - [PID 1016] C:\Windows\SysWOW64\sc.exe
      Command line: sc start winmgmt
      Signatures: Launches sc.exe; System Location Discovery: System Language Discovery
  - [PID 688] C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic BaseBoard get SerialNumber
    Signatures: System Location Discovery: System Language Discovery
  - [PID 1552] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C sc start winmgmt
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - [PID 1856] C:\Windows\SysWOW64\sc.exe
      Command line: sc start winmgmt
      Signatures: Launches sc.exe; System Location Discovery: System Language Discovery
  - [PID 1452] C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic BaseBoard get SerialNumber
    Signatures: System Location Discovery: System Language Discovery
Downloads