aed66d9a146292ca3ca2abbb4bc772c9ac4f1c5cd05635ee4ead40b8f6f15295

Analysis

max time kernel
112s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2024, 10:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aed66d9a146292ca3ca2abbb4bc772c9ac4f1c5cd05635ee4ead40b8f6f15295N.exe
Size

96KB
MD5

9a21e81a61422fe2921271d4044a8700
SHA1

044d7b4b43ceee8dc5d4a3cfe101e22435912e1a
SHA256

aed66d9a146292ca3ca2abbb4bc772c9ac4f1c5cd05635ee4ead40b8f6f15295
SHA512

5c327ddcb62aafc41fc0680a0e9b301c716d9219b2708ea129233cc8596048e6745ea6dc7fd6e789e121b1b1309e6ea382af665ca0502d7c428f58be71a75885
SSDEEP

3072:lbjgjXxdWBhMwRFy2Rk/kcIAebPph/ATvYKyUDI7LurZ:lfAXxd0qf2L/ATvryOI7aZ

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	cmd.exe

Deletes itself 1 IoCs

pid	Process
3884	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
3404	rMX.exe
5104	rMX.exe.exe
936	rMX.exe
1608	rMX.exe
2060	rMX.exe
4248	rMX.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 936 set thread context of 1608	936	rMX.exe	93
PID 936 set thread context of 2060	936	rMX.exe	94
PID 936 set thread context of 4248	936	rMX.exe	95

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1608-23-0x0000000010000000-0x000000001002A000-memory.dmp	upx
behavioral2/memory/1608-28-0x0000000010000000-0x000000001002A000-memory.dmp	upx
behavioral2/memory/1608-21-0x0000000010000000-0x000000001002A000-memory.dmp	upx
behavioral2/memory/1608-20-0x0000000010000000-0x000000001002A000-memory.dmp	upx
behavioral2/memory/1608-34-0x0000000010000000-0x000000001002A000-memory.dmp	upx
behavioral2/memory/1608-35-0x0000000010000000-0x000000001002A000-memory.dmp	upx

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\VWFLH\rMX.exe	aed66d9a146292ca3ca2abbb4bc772c9ac4f1c5cd05635ee4ead40b8f6f15295N.exe
File opened for modification	C:\WINDOWS\VWFLH\rMX.exe.exe	rMX.exe
File created	C:\WINDOWS\VWFLH\rMX.exe	rMX.exe.exe
File opened for modification	C:\WINDOWS\VWFLH\rMX.exe	rMX.exe.exe
File created	\??\c:\windows\rMX.exe.bat	rMX.exe
File created	C:\WINDOWS\VWFLH\rMX.exe	aed66d9a146292ca3ca2abbb4bc772c9ac4f1c5cd05635ee4ead40b8f6f15295N.exe
File created	C:\WINDOWS\VWFLH\rMX.exe.exe	rMX.exe
File opened for modification	\??\c:\windows\nk.txt	cmd.exe
File created	\??\c:\windows\rMX.exe.bat	rMX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1904	4248	WerFault.exe	95
2520	2060	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rMX.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rMX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rMX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rMX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aed66d9a146292ca3ca2abbb4bc772c9ac4f1c5cd05635ee4ead40b8f6f15295N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1608	rMX.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 3640 wrote to memory of 3404	3640	aed66d9a146292ca3ca2abbb4bc772c9ac4f1c5cd05635ee4ead40b8f6f15295N.exe	84
PID 3640 wrote to memory of 3404	3640	aed66d9a146292ca3ca2abbb4bc772c9ac4f1c5cd05635ee4ead40b8f6f15295N.exe	84
PID 3640 wrote to memory of 3404	3640	aed66d9a146292ca3ca2abbb4bc772c9ac4f1c5cd05635ee4ead40b8f6f15295N.exe	84
PID 3404 wrote to memory of 2288	3404	rMX.exe	85
PID 3404 wrote to memory of 2288	3404	rMX.exe	85
PID 3404 wrote to memory of 2288	3404	rMX.exe	85
PID 3404 wrote to memory of 1372	3404	rMX.exe	86
PID 3404 wrote to memory of 1372	3404	rMX.exe	86
PID 3404 wrote to memory of 1372	3404	rMX.exe	86
PID 3640 wrote to memory of 3748	3640	aed66d9a146292ca3ca2abbb4bc772c9ac4f1c5cd05635ee4ead40b8f6f15295N.exe	88
PID 3640 wrote to memory of 3748	3640	aed66d9a146292ca3ca2abbb4bc772c9ac4f1c5cd05635ee4ead40b8f6f15295N.exe	88
PID 3640 wrote to memory of 3748	3640	aed66d9a146292ca3ca2abbb4bc772c9ac4f1c5cd05635ee4ead40b8f6f15295N.exe	88
PID 1372 wrote to memory of 5104	1372	cmd.exe	91
PID 1372 wrote to memory of 5104	1372	cmd.exe	91
PID 1372 wrote to memory of 5104	1372	cmd.exe	91
PID 5104 wrote to memory of 936	5104	rMX.exe.exe	92
PID 5104 wrote to memory of 936	5104	rMX.exe.exe	92
PID 5104 wrote to memory of 936	5104	rMX.exe.exe	92
PID 936 wrote to memory of 1608	936	rMX.exe	93
PID 936 wrote to memory of 1608	936	rMX.exe	93
PID 936 wrote to memory of 1608	936	rMX.exe	93
PID 936 wrote to memory of 1608	936	rMX.exe	93
PID 936 wrote to memory of 1608	936	rMX.exe	93
PID 936 wrote to memory of 1608	936	rMX.exe	93
PID 936 wrote to memory of 1608	936	rMX.exe	93
PID 936 wrote to memory of 1608	936	rMX.exe	93
PID 936 wrote to memory of 2060	936	rMX.exe	94
PID 936 wrote to memory of 2060	936	rMX.exe	94
PID 936 wrote to memory of 2060	936	rMX.exe	94
PID 936 wrote to memory of 2060	936	rMX.exe	94
PID 936 wrote to memory of 4248	936	rMX.exe	95
PID 936 wrote to memory of 4248	936	rMX.exe	95
PID 936 wrote to memory of 4248	936	rMX.exe	95
PID 936 wrote to memory of 4248	936	rMX.exe	95
PID 5104 wrote to memory of 4572	5104	rMX.exe.exe	97
PID 5104 wrote to memory of 4572	5104	rMX.exe.exe	97
PID 5104 wrote to memory of 4572	5104	rMX.exe.exe	97
PID 3748 wrote to memory of 3884	3748	cmd.exe	103
PID 3748 wrote to memory of 3884	3748	cmd.exe	103
PID 3748 wrote to memory of 3884	3748	cmd.exe	103
PID 4572 wrote to memory of 5092	4572	cmd.exe	104
PID 4572 wrote to memory of 5092	4572	cmd.exe	104
PID 4572 wrote to memory of 5092	4572	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\aed66d9a146292ca3ca2abbb4bc772c9ac4f1c5cd05635ee4ead40b8f6f15295N.exe
"C:\Users\Admin\AppData\Local\Temp\aed66d9a146292ca3ca2abbb4bc772c9ac4f1c5cd05635ee4ead40b8f6f15295N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3640
- C:\WINDOWS\VWFLH\rMX.exe
  C:\WINDOWS\VWFLH\rMX.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3404
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo 0>>c:\windows\nk.txt
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\WINDOWS\VWFLH\rMX.exe.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\WINDOWS\VWFLH\rMX.exe.exe
      C:\WINDOWS\VWFLH\rMX.exe.exe
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5104
    - - C:\WINDOWS\VWFLH\rMX.exe
        
        C:\WINDOWS\VWFLH\rMX.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:936
      - C:\WINDOWS\VWFLH\rMX.exe
        
        C:\WINDOWS\VWFLH\rMX.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
      - C:\WINDOWS\VWFLH\rMX.exe
        
        C:\WINDOWS\VWFLH\rMX.exe
        6⤵
        Executes dropped EXE
        
        PID:2060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 80
        7⤵
        Program crash
        
        PID:2520
      - C:\WINDOWS\VWFLH\rMX.exe
        
        C:\WINDOWS\VWFLH\rMX.exe
        6⤵
        Executes dropped EXE
        
        PID:4248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 80
        7⤵
        Program crash
        
        PID:1904
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\33.vbs
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4572
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\33.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5092
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\25.vbs
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3748
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\25.vbs"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4248 -ip 4248
1⤵
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2060 -ip 2060
1⤵
PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\25.vbs

Filesize
237B

MD5
3a5b03cfd2ca6c5cb8b7a6be82037935

SHA1
4c639a833c35d914b4d7937337b7985fd1ceb87e

SHA256
e7c0077aea3ce90cca3fba568786c82ee2b8a0cf2777fc7cd189e7177eb17bc2

SHA512
f3e8df5bc7241db1cf6eda4b00e7ce14ec17efe07ec6f0f7264c6271633d5aaeb544c46c1ecf049e6f6868a8320191dca4d418fa542adbe33634598e2c164e50

Download Submit
C:\33.vbs

Filesize
162B

MD5
b1abc8316fd4d69d1af9230e8158def3

SHA1
6f7b2bf3c4e847ce2891bdfe06bfe89f6716f1b9

SHA256
37fc60b597b16db1a8b03cae17c0832c86c03cf5681d5e3e2589674ab7b82df0

SHA512
2f23af371eedd6c823a4c98313b7e04f2e1b4f916a9467aa02c5e56b37dc054e2eee6ef82a1e14fe6798b4d3ff38db31879c4f752d468692eeabf30af835deee

Download Submit
C:\Windows\VWFLH\rMX.exe

Filesize
96KB

MD5
9a21e81a61422fe2921271d4044a8700

SHA1
044d7b4b43ceee8dc5d4a3cfe101e22435912e1a

SHA256
aed66d9a146292ca3ca2abbb4bc772c9ac4f1c5cd05635ee4ead40b8f6f15295

SHA512
5c327ddcb62aafc41fc0680a0e9b301c716d9219b2708ea129233cc8596048e6745ea6dc7fd6e789e121b1b1309e6ea382af665ca0502d7c428f58be71a75885

Download Submit
C:\Windows\VWFLH\rMX.exe.exe

Filesize
96KB

MD5
e7fc57d854a26e3f1dce3ffe3cd33bbb

SHA1
5132388dab7aa9f22867a21fe1618b1133b3d28c

SHA256
be6113c5a154e0fc0739841acee44d68b36efe67381c96a925285394c474184c

SHA512
38eedee217142909a261e030e79ae2467588576c2d2893d183116d9fbb5533e9a3f0922769864caae480da74d076ea82b9745c0b262020ae937fa2a2f6d07134

Download Submit
memory/936-32-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download
memory/1608-20-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/1608-28-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/1608-21-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/1608-23-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/1608-34-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/1608-35-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/3404-9-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download
memory/3640-10-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download
memory/5104-33-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download