742c1febeb55eb98b4deb688bcd8601ccdd0634650fe388c29cd7c4bf7d5742d

Analysis

max time kernel
105s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2024, 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DupInOutDuplicateFinderPortable/App/ProgramFiles/DupInOut.exe
Size

1.2MB
MD5

adf4ee26aa02f6e13b96e0e63bab6c76
SHA1

40bc393a1cc8a2a4aad8d4923218374a09eade54
SHA256

79ceafcd892910b8bedb9176e511ddfdeef5fd35383eb3a305795a82f75a846a
SHA512

6ee054170ce71bb411ed65d9520ea71bf7162aa0ded965d8add393ab0d49aeec8b3aa3ca97093277bca9c4d34b65f51a567b62f9db61a0a65c0a62bac7371bf6
SSDEEP

24576:267YNVenV3DUHmXF+Z3iSj3zHV/huMXLPLF7CAvMLn7VFMzFvuicg+fdYkPtEth:F7/3D3V+Z3iSj3zHV/huMXLPLF7CAvMQ

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DupInOut.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	DupInOut.exe
File opened (read-only)	\??\K:	DupInOut.exe
File opened (read-only)	\??\N:	DupInOut.exe
File opened (read-only)	\??\Q:	DupInOut.exe
File opened (read-only)	\??\A:	DupInOut.exe
File opened (read-only)	\??\B:	DupInOut.exe
File opened (read-only)	\??\R:	DupInOut.exe
File opened (read-only)	\??\T:	DupInOut.exe
File opened (read-only)	\??\U:	DupInOut.exe
File opened (read-only)	\??\X:	DupInOut.exe
File opened (read-only)	\??\Y:	DupInOut.exe
File opened (read-only)	\??\Z:	DupInOut.exe
File opened (read-only)	\??\H:	DupInOut.exe
File opened (read-only)	\??\M:	DupInOut.exe
File opened (read-only)	\??\O:	DupInOut.exe
File opened (read-only)	\??\W:	DupInOut.exe
File opened (read-only)	\??\E:	DupInOut.exe
File opened (read-only)	\??\I:	DupInOut.exe
File opened (read-only)	\??\P:	DupInOut.exe
File opened (read-only)	\??\S:	DupInOut.exe
File opened (read-only)	\??\V:	DupInOut.exe
File opened (read-only)	\??\G:	DupInOut.exe
File opened (read-only)	\??\L:	DupInOut.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DupInOut.exe

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Directory\shell\Find duplicates using DupInOut\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\DupInOutDuplicateFinderPortable\\App\\ProgramFiles\\DupInOut.exe\" \"%L\""	DupInOut.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\directory\shell\Find duplicates using DupInOut	DupInOut.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\directory	DupInOut.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Directory\shell	DupInOut.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Directory\shell\Find duplicates using DupInOut	DupInOut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Directory\shell\Find duplicates using DupInOut\Icon = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\DupInOutDuplicateFinderPortable\\App\\ProgramFiles\\DupInOut.exe\""	DupInOut.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\directory\shell\Find duplicates using DupInOut\command	DupInOut.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3660	DupInOut.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3660	DupInOut.exe
Token: SeShutdownPrivilege	3660	DupInOut.exe
Token: SeCreatePagefilePrivilege	3660	DupInOut.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3660	DupInOut.exe

C:\Users\Admin\AppData\Local\Temp\DupInOutDuplicateFinderPortable\App\ProgramFiles\DupInOut.exe
"C:\Users\Admin\AppData\Local\Temp\DupInOutDuplicateFinderPortable\App\ProgramFiles\DupInOut.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DupInOut\DupInOut.exe_Url_xqxizentoy2l5jvp4cit5xxnyy4lxxth\1.1.3.5\0j10oytz.newcfg

Filesize
166KB

MD5
3482e49f5dbc707d63fa83aa46928ef5

SHA1
4afbdafcd6ba05b25f2a9377a9b5be6c86a5d082

SHA256
6f10c7aa5f9b212d41bff5ee0e8fae878e10440b34f684f43dc050a437feda8a

SHA512
894d7942db11910c582c811086a40c95bf48babac23f495ddb1e08ba8ab4f7015b401c7616c4bab10c746fc086144000d533339cc68d919834beb151204415d9

Download Submit
C:\Users\Admin\AppData\Local\DupInOut\DupInOut.exe_Url_xqxizentoy2l5jvp4cit5xxnyy4lxxth\1.1.3.5\user.config

Filesize
125KB

MD5
fb6439e7a0d27564b2a2d3cf73225991

SHA1
99ded4b82b1bd1fe6df3e0e723e4226c27d3c2ab

SHA256
3668cd4c478eb3c889a383c66733ad900c03ab3385e66a851975971f914dfb41

SHA512
0d10d13e76a587287d6eb67895adfc0b8189632cbfde8ffb8bd2c05861876ca1722e4954ffd0f6791e4cbed87f0a05bb3fea45062aa3190654a9d07e0deeb313

Download Submit
C:\Users\Admin\AppData\Local\DupInOut\DupInOut.exe_Url_xqxizentoy2l5jvp4cit5xxnyy4lxxth\1.1.3.5\user.config

Filesize
163KB

MD5
43b1e9d1aa66b9408ed7f2bc5851fb19

SHA1
e9d3eee45abd2098653a38902c1dcdfa72bd7b5c

SHA256
b69ac60f1bd7146f84f7dae73340ada3f4fbb3c5221f4040b394a3187e5cc191

SHA512
9167dbb1b3fd8f57e4b9a68ce12e7ae90ffe27f7f09ef06960b6df8104ccfa0df94a7680543fd8c7d6f87dee69fe7b96ca50d0d422eca05b686a7df1a1849e48

Download Submit
C:\Users\Admin\AppData\Local\DupInOut\DupInOut.exe_Url_xqxizentoy2l5jvp4cit5xxnyy4lxxth\1.1.3.5\user.config

Filesize
165KB

MD5
86d865c3a11a76bd34d83d33ea47f30d

SHA1
d80fc1d2c2fda9570f12c0385656cd9ad904dc66

SHA256
4a1beeb38372a104dcd11ac3768be05de4720e5dbd868e037c68b469b6b9bb30

SHA512
15bf11c4564b038b5c6f8f471153757e25fa9d6b9e36ecc11879ba02a164cbed1aaafdb1ef9c11e922052ce559e50d113c0689c1068e243d4702593d730f778f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
memory/3660-4-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/3660-3-0x0000000004F70000-0x0000000004FE4000-memory.dmp

Filesize
464KB

Download
memory/3660-7-0x00000000058B0000-0x00000000058E8000-memory.dmp

Filesize
224KB

Download
memory/3660-8-0x0000000005870000-0x000000000587E000-memory.dmp

Filesize
56KB

Download
memory/3660-9-0x0000000005890000-0x0000000005898000-memory.dmp

Filesize
32KB

Download
memory/3660-0-0x00000000752AE000-0x00000000752AF000-memory.dmp

Filesize
4KB

Download
memory/3660-5-0x00000000055D0000-0x0000000005614000-memory.dmp

Filesize
272KB

Download
memory/3660-6-0x0000000005750000-0x0000000005758000-memory.dmp

Filesize
32KB

Download
memory/3660-35-0x000000000D1C0000-0x000000000D226000-memory.dmp

Filesize
408KB

Download
memory/3660-36-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/3660-38-0x00000000081C0000-0x00000000081E2000-memory.dmp

Filesize
136KB

Download
memory/3660-2-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/3660-1-0x00000000002D0000-0x000000000040A000-memory.dmp

Filesize
1.2MB

Download
memory/3660-63-0x00000000752AE000-0x00000000752AF000-memory.dmp

Filesize
4KB

Download
memory/3660-64-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download