ab606cdd7bb2c1bdad233f6c62e88d112d3cc6db271a74845c6395358fdb1ab0

Analysis

max time kernel
140s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

screen-recorder.exe
Size

2.0MB
MD5

d3081627c17f7d24258a1b0a5f2a5d07
SHA1

35fdfe0cceb60716c5f9f1232bc1bbe4e38216ec
SHA256

ab606cdd7bb2c1bdad233f6c62e88d112d3cc6db271a74845c6395358fdb1ab0
SHA512

cd24057780c876bbd241de5e0c240a2304431b866b0956bb02bc55a0e2a1daf024e3a8e80860e99dec56f9f1c840ec2134e6f07fe32792f0b7bdf2c86fbd8a88
SSDEEP

49152:UaPtdvmQgbVKIBze15oKAFFvqF1ooLO+D502EmP4b6IiO5Q2cM:9cVKIBze4pFFiw0O+D502YbNfH

Score

6^/10

discovery upx

Malware Config

Signatures

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1420-0-0x0000000000400000-0x000000000078F000-memory.dmp	upx
behavioral2/memory/1420-50-0x0000000000400000-0x000000000078F000-memory.dmp	upx

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3500	sc.exe
452	sc.exe
4108	sc.exe
400	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	screen-recorder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3480	wmic.exe
Token: SeSecurityPrivilege	3480	wmic.exe
Token: SeTakeOwnershipPrivilege	3480	wmic.exe
Token: SeLoadDriverPrivilege	3480	wmic.exe
Token: SeSystemProfilePrivilege	3480	wmic.exe
Token: SeSystemtimePrivilege	3480	wmic.exe
Token: SeProfSingleProcessPrivilege	3480	wmic.exe
Token: SeIncBasePriorityPrivilege	3480	wmic.exe
Token: SeCreatePagefilePrivilege	3480	wmic.exe
Token: SeBackupPrivilege	3480	wmic.exe
Token: SeRestorePrivilege	3480	wmic.exe
Token: SeShutdownPrivilege	3480	wmic.exe
Token: SeDebugPrivilege	3480	wmic.exe
Token: SeSystemEnvironmentPrivilege	3480	wmic.exe
Token: SeRemoteShutdownPrivilege	3480	wmic.exe
Token: SeUndockPrivilege	3480	wmic.exe
Token: SeManageVolumePrivilege	3480	wmic.exe
Token: 33	3480	wmic.exe
Token: 34	3480	wmic.exe
Token: 35	3480	wmic.exe
Token: 36	3480	wmic.exe
Token: SeIncreaseQuotaPrivilege	3480	wmic.exe
Token: SeSecurityPrivilege	3480	wmic.exe
Token: SeTakeOwnershipPrivilege	3480	wmic.exe
Token: SeLoadDriverPrivilege	3480	wmic.exe
Token: SeSystemProfilePrivilege	3480	wmic.exe
Token: SeSystemtimePrivilege	3480	wmic.exe
Token: SeProfSingleProcessPrivilege	3480	wmic.exe
Token: SeIncBasePriorityPrivilege	3480	wmic.exe
Token: SeCreatePagefilePrivilege	3480	wmic.exe
Token: SeBackupPrivilege	3480	wmic.exe
Token: SeRestorePrivilege	3480	wmic.exe
Token: SeShutdownPrivilege	3480	wmic.exe
Token: SeDebugPrivilege	3480	wmic.exe
Token: SeSystemEnvironmentPrivilege	3480	wmic.exe
Token: SeRemoteShutdownPrivilege	3480	wmic.exe
Token: SeUndockPrivilege	3480	wmic.exe
Token: SeManageVolumePrivilege	3480	wmic.exe
Token: 33	3480	wmic.exe
Token: 34	3480	wmic.exe
Token: 35	3480	wmic.exe
Token: 36	3480	wmic.exe
Token: SeIncreaseQuotaPrivilege	1900	wmic.exe
Token: SeSecurityPrivilege	1900	wmic.exe
Token: SeTakeOwnershipPrivilege	1900	wmic.exe
Token: SeLoadDriverPrivilege	1900	wmic.exe
Token: SeSystemProfilePrivilege	1900	wmic.exe
Token: SeSystemtimePrivilege	1900	wmic.exe
Token: SeProfSingleProcessPrivilege	1900	wmic.exe
Token: SeIncBasePriorityPrivilege	1900	wmic.exe
Token: SeCreatePagefilePrivilege	1900	wmic.exe
Token: SeBackupPrivilege	1900	wmic.exe
Token: SeRestorePrivilege	1900	wmic.exe
Token: SeShutdownPrivilege	1900	wmic.exe
Token: SeDebugPrivilege	1900	wmic.exe
Token: SeSystemEnvironmentPrivilege	1900	wmic.exe
Token: SeRemoteShutdownPrivilege	1900	wmic.exe
Token: SeUndockPrivilege	1900	wmic.exe
Token: SeManageVolumePrivilege	1900	wmic.exe
Token: 33	1900	wmic.exe
Token: 34	1900	wmic.exe
Token: 35	1900	wmic.exe
Token: 36	1900	wmic.exe
Token: SeIncreaseQuotaPrivilege	1900	wmic.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 1216	1420	screen-recorder.exe	82
PID 1420 wrote to memory of 1216	1420	screen-recorder.exe	82
PID 1420 wrote to memory of 1216	1420	screen-recorder.exe	82
PID 1216 wrote to memory of 4108	1216	cmd.exe	84
PID 1216 wrote to memory of 4108	1216	cmd.exe	84
PID 1216 wrote to memory of 4108	1216	cmd.exe	84
PID 1420 wrote to memory of 3480	1420	screen-recorder.exe	85
PID 1420 wrote to memory of 3480	1420	screen-recorder.exe	85
PID 1420 wrote to memory of 3480	1420	screen-recorder.exe	85
PID 1420 wrote to memory of 1892	1420	screen-recorder.exe	88
PID 1420 wrote to memory of 1892	1420	screen-recorder.exe	88
PID 1420 wrote to memory of 1892	1420	screen-recorder.exe	88
PID 1892 wrote to memory of 400	1892	cmd.exe	90
PID 1892 wrote to memory of 400	1892	cmd.exe	90
PID 1892 wrote to memory of 400	1892	cmd.exe	90
PID 1420 wrote to memory of 1900	1420	screen-recorder.exe	91
PID 1420 wrote to memory of 1900	1420	screen-recorder.exe	91
PID 1420 wrote to memory of 1900	1420	screen-recorder.exe	91
PID 1420 wrote to memory of 2620	1420	screen-recorder.exe	93
PID 1420 wrote to memory of 2620	1420	screen-recorder.exe	93
PID 1420 wrote to memory of 2620	1420	screen-recorder.exe	93
PID 2620 wrote to memory of 3500	2620	cmd.exe	95
PID 2620 wrote to memory of 3500	2620	cmd.exe	95
PID 2620 wrote to memory of 3500	2620	cmd.exe	95
PID 1420 wrote to memory of 4004	1420	screen-recorder.exe	96
PID 1420 wrote to memory of 4004	1420	screen-recorder.exe	96
PID 1420 wrote to memory of 4004	1420	screen-recorder.exe	96
PID 1420 wrote to memory of 4772	1420	screen-recorder.exe	98
PID 1420 wrote to memory of 4772	1420	screen-recorder.exe	98
PID 1420 wrote to memory of 4772	1420	screen-recorder.exe	98
PID 4772 wrote to memory of 452	4772	cmd.exe	100
PID 4772 wrote to memory of 452	4772	cmd.exe	100
PID 4772 wrote to memory of 452	4772	cmd.exe	100
PID 1420 wrote to memory of 1232	1420	screen-recorder.exe	101
PID 1420 wrote to memory of 1232	1420	screen-recorder.exe	101
PID 1420 wrote to memory of 1232	1420	screen-recorder.exe	101

C:\Users\Admin\AppData\Local\Temp\screen-recorder.exe
"C:\Users\Admin\AppData\Local\Temp\screen-recorder.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C sc start winmgmt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Windows\SysWOW64\sc.exe
    sc start winmgmt
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4108
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic BaseBoard get SerialNumber
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C sc start winmgmt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Windows\SysWOW64\sc.exe
    sc start winmgmt
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:400
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic BaseBoard get SerialNumber
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C sc start winmgmt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\SysWOW64\sc.exe
    sc start winmgmt
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3500
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic BaseBoard get SerialNumber
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C sc start winmgmt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Windows\SysWOW64\sc.exe
    sc start winmgmt
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:452
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic BaseBoard get SerialNumber
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cloud

Filesize
248B

MD5
cfa12c7d21b31f5260c161c0eb8f7ae0

SHA1
01379477bd1e50db4cdcf202f04bfa0505a73dc2

SHA256
f710b7439fcf2e43aee94b5aa997ae046110027a5e8609fddf05103f1cab4e4f

SHA512
42eabb13ca8dd341528760e48d7518759277ffab7218cc3633edd08d0d2d0f5830d00e045386e2757ddb044a85517bd071bd491abbb255905942672c1c4ad9af

Download Submit
memory/1420-0-0x0000000000400000-0x000000000078F000-memory.dmp

Filesize
3.6MB

Download
memory/1420-50-0x0000000000400000-0x000000000078F000-memory.dmp

Filesize
3.6MB

Download