Analysis

  • max time kernel: 150s
  • max time network: 151s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 30/09/2024, 01:53

General

  • Target: b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe
  • Size: 2.5MB
  • MD5: dea2b172855474242e3607e18f7eb659
  • SHA1: ce440d756e0bfe5593462d1a4b0c9f818d1f3623
  • SHA256: b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4
  • SHA512: 42652c9dce689f9e2227651583cedb49dbe67c2c6845703ed35e1e8e502999ff7f1ff959ab7ef6b9ea0a8152a4539ae6b848e8aef4a88e6a9dca0d9c4f3b7e81
  • SSDEEP: 49152:V6i0cnlHeRrlG4g5ec8IBvKvYJC623msvD/DX+y4onCYDj:kPclHeRrlG4g5ea1g62WsvD/D+donCYn

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe
    "C:\Users\Admin\AppData\Local\Temp\b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4976
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2708
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3628

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ytmd.exe
    Filesize: 1.8MB
    MD5: 1a5f24c3ab345d5ed5f68409f442f205
    SHA1: 48c1eb761f9a8d66a341d871b4ff0b95b2109bfd
    SHA256: 5e958c2dbfbc49efa38eca532828b116577a152823439fa6ce064b2263e09a1c
    SHA512: 3f57ec3b0a3ec71cdf6c416c11ee1d6cd6ea8388030611027a6b02d93106b7f3b0fc478fa4fe5a0d86a58c3a2e8f4c28f039b3345eaf429e98ade9d657ee56bc

  • C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
    Filesize: 92B
    MD5: 16ae5830b2877dac7247f8c4154c9efd
    SHA1: fe650b531d9eb8dd0d9d21b8b8c06f1246d397c6
    SHA256: a85dd932dfa73597b1281b8ce99b149e1d92577a0daf3e2318b38d1df212e52b
    SHA512: 84da7c8064c911494893265cc9c4d44fb220711c7bce3f302707a3db3b0c05c2e72580482833221f8f3c5225c6e0ce523a50b883cac6c83b59d80d8388874d85

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
    Filesize: 753B
    MD5: ecc55219ef70298445bf9db69d87ad4d
    SHA1: 698f44c00e2591b996d18e124d35fe9f76492ae2
    SHA256: 307b4f33efbc06b1f80dfedf6296c53171ee5e4b8e11744623b0bff364bb9049
    SHA512: ca519539166b0aab62a1e9d8866af0d696b655fd57cc682d91ebdb7fc0f48f991cc2ddc4cee33d1cc7ea9c5c05b55f196d77cdf9c76724fa480d16a56d0dd590

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    Filesize: 2.5MB
    MD5: cbbde9443e09b0eb5e19b2e7f70b0be2
    SHA1: c72c58798b8e5d3752c54fa60ae78a1657918100
    SHA256: 68aad98c19c886dd846829ac3f59b2c460ac5a9f9b4bc0f27c0c5a2091839390
    SHA512: 992dff3ef5499b93acda7cfcbcb2041908d8002598034ab50b91c39a769f70f59ef3a548802bf6f7635a55eb8e3c9eac764abe389a8e4cd4d2e3a8d55da4a1b0

  • memory/4976-0-0x0000000000400000-0x0000000000555000-memory.dmp
    Filesize: 1.3MB

  • memory/4976-25-0x0000000000400000-0x0000000000555000-memory.dmp
    Filesize: 1.3MB

  • memory/4976-28-0x0000000000400000-0x0000000000555000-memory.dmp
    Filesize: 1.3MB

  • memory/4976-31-0x0000000000400000-0x0000000000555000-memory.dmp
    Filesize: 1.3MB

  • memory/4976-35-0x0000000000400000-0x0000000000555000-memory.dmp
    Filesize: 1.3MB

  • memory/4976-38-0x0000000000400000-0x0000000000555000-memory.dmp
    Filesize: 1.3MB

  • memory/4976-41-0x0000000000400000-0x0000000000555000-memory.dmp
    Filesize: 1.3MB

  • memory/4976-44-0x0000000000400000-0x0000000000555000-memory.dmp
    Filesize: 1.3MB