742c1febeb55eb98b4deb688bcd8601ccdd0634650fe388c29cd7c4bf7d5742d

Analysis

max time kernel
91s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
10/10/2024, 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DupInOutDuplicateFinderPortable/App/ProgramFiles/DupInOut.exe
Size

1.2MB
MD5

adf4ee26aa02f6e13b96e0e63bab6c76
SHA1

40bc393a1cc8a2a4aad8d4923218374a09eade54
SHA256

79ceafcd892910b8bedb9176e511ddfdeef5fd35383eb3a305795a82f75a846a
SHA512

6ee054170ce71bb411ed65d9520ea71bf7162aa0ded965d8add393ab0d49aeec8b3aa3ca97093277bca9c4d34b65f51a567b62f9db61a0a65c0a62bac7371bf6
SSDEEP

24576:267YNVenV3DUHmXF+Z3iSj3zHV/huMXLPLF7CAvMLn7VFMzFvuicg+fdYkPtEth:F7/3D3V+Z3iSj3zHV/huMXLPLF7CAvMQ

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation	DupInOut.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	DupInOut.exe
File opened (read-only)	\??\Q:	DupInOut.exe
File opened (read-only)	\??\R:	DupInOut.exe
File opened (read-only)	\??\T:	DupInOut.exe
File opened (read-only)	\??\U:	DupInOut.exe
File opened (read-only)	\??\V:	DupInOut.exe
File opened (read-only)	\??\Y:	DupInOut.exe
File opened (read-only)	\??\Z:	DupInOut.exe
File opened (read-only)	\??\W:	DupInOut.exe
File opened (read-only)	\??\A:	DupInOut.exe
File opened (read-only)	\??\B:	DupInOut.exe
File opened (read-only)	\??\J:	DupInOut.exe
File opened (read-only)	\??\K:	DupInOut.exe
File opened (read-only)	\??\O:	DupInOut.exe
File opened (read-only)	\??\P:	DupInOut.exe
File opened (read-only)	\??\S:	DupInOut.exe
File opened (read-only)	\??\E:	DupInOut.exe
File opened (read-only)	\??\G:	DupInOut.exe
File opened (read-only)	\??\H:	DupInOut.exe
File opened (read-only)	\??\I:	DupInOut.exe
File opened (read-only)	\??\L:	DupInOut.exe
File opened (read-only)	\??\N:	DupInOut.exe
File opened (read-only)	\??\X:	DupInOut.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DupInOut.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\directory\shell\Find duplicates using DupInOut\command	DupInOut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\directory\shell\Find duplicates using DupInOut\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\DupInOutDuplicateFinderPortable\\App\\ProgramFiles\\DupInOut.exe\" \"%L\""	DupInOut.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\directory\shell\Find duplicates using DupInOut	DupInOut.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\directory	DupInOut.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\directory\shell	DupInOut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\directory\shell\Find duplicates using DupInOut\Icon = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\DupInOutDuplicateFinderPortable\\App\\ProgramFiles\\DupInOut.exe\""	DupInOut.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2216	DupInOut.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2216	DupInOut.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2216	DupInOut.exe

C:\Users\Admin\AppData\Local\Temp\DupInOutDuplicateFinderPortable\App\ProgramFiles\DupInOut.exe
"C:\Users\Admin\AppData\Local\Temp\DupInOutDuplicateFinderPortable\App\ProgramFiles\DupInOut.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DupInOut\DupInOut.exe_Url_xqxizentoy2l5jvp4cit5xxnyy4lxxth\1.1.3.5\nnwzmhmm.newcfg

Filesize
165KB

MD5
2fda0a5311a9f3632dfacc5d0990aa2c

SHA1
e247da7967ec52e4cb0a53d98dc38844f9bc2126

SHA256
6fa3abe85a6d743edd4b68dd5052bb3d8a48e2995212c5f31337d73666066cc0

SHA512
de00182ff15da98e54cfb823e551a65ab36a9228e564431187fc95ea987f21feb5da4d0af40704a9c6ed7c3d717aa3b62423b1ce32fe649e4170ae6ac482b892

Download Submit
C:\Users\Admin\AppData\Local\DupInOut\DupInOut.exe_Url_xqxizentoy2l5jvp4cit5xxnyy4lxxth\1.1.3.5\user.config

Filesize
125KB

MD5
fb6439e7a0d27564b2a2d3cf73225991

SHA1
99ded4b82b1bd1fe6df3e0e723e4226c27d3c2ab

SHA256
3668cd4c478eb3c889a383c66733ad900c03ab3385e66a851975971f914dfb41

SHA512
0d10d13e76a587287d6eb67895adfc0b8189632cbfde8ffb8bd2c05861876ca1722e4954ffd0f6791e4cbed87f0a05bb3fea45062aa3190654a9d07e0deeb313

Download Submit
C:\Users\Admin\AppData\Local\DupInOut\DupInOut.exe_Url_xqxizentoy2l5jvp4cit5xxnyy4lxxth\1.1.3.5\user.config

Filesize
163KB

MD5
43b1e9d1aa66b9408ed7f2bc5851fb19

SHA1
e9d3eee45abd2098653a38902c1dcdfa72bd7b5c

SHA256
b69ac60f1bd7146f84f7dae73340ada3f4fbb3c5221f4040b394a3187e5cc191

SHA512
9167dbb1b3fd8f57e4b9a68ce12e7ae90ffe27f7f09ef06960b6df8104ccfa0df94a7680543fd8c7d6f87dee69fe7b96ca50d0d422eca05b686a7df1a1849e48

Download Submit
C:\Users\Admin\AppData\Local\DupInOut\DupInOut.exe_Url_xqxizentoy2l5jvp4cit5xxnyy4lxxth\1.1.3.5\user.config

Filesize
166KB

MD5
7f57581bf1acb1bf7527fddb3c18f1ee

SHA1
25a25aee9891c5d06628b19bcd1391c2814909f3

SHA256
2eb8c7cdd5fe41c0b22d2a3591ef62a9cb53df657f24ca5c0e8272623f6775cb

SHA512
b0fdb6d34092faed5ed8842ddc151fdcc725ccc5524a7018611f31bb5407cc4b8bd643891a9f0bb26d48d7006a9b8eb73825a410d5e721211297b2c11d645dd8

Download Submit
memory/2216-4-0x00000000048A0000-0x00000000048E4000-memory.dmp

Filesize
272KB

Download
memory/2216-6-0x0000000000470000-0x000000000047A000-memory.dmp

Filesize
40KB

Download
memory/2216-5-0x0000000000470000-0x000000000047A000-memory.dmp

Filesize
40KB

Download
memory/2216-3-0x0000000004800000-0x0000000004874000-memory.dmp

Filesize
464KB

Download
memory/2216-2-0x0000000074210000-0x00000000748FE000-memory.dmp

Filesize
6.9MB

Download
memory/2216-22-0x0000000074210000-0x00000000748FE000-memory.dmp

Filesize
6.9MB

Download
memory/2216-1-0x0000000000FF0000-0x000000000112A000-memory.dmp

Filesize
1.2MB

Download
memory/2216-36-0x0000000074210000-0x00000000748FE000-memory.dmp

Filesize
6.9MB

Download
memory/2216-0-0x000000007421E000-0x000000007421F000-memory.dmp

Filesize
4KB

Download
memory/2216-49-0x000000007421E000-0x000000007421F000-memory.dmp

Filesize
4KB

Download
memory/2216-50-0x0000000074210000-0x00000000748FE000-memory.dmp

Filesize
6.9MB

Download
memory/2216-51-0x0000000000470000-0x000000000047A000-memory.dmp

Filesize
40KB

Download