3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2024, 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe
Size

2.4MB
MD5

0ecdd86710ca82bc0c8007884a9c7281
SHA1

00c6b7ff5fcaf83ae28473e2ea5defc91ae1822c
SHA256

3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4
SHA512

bb6337d9da0f72fff758ca587434d7bfa8e1472a196d7681b26a68188a50a37d8fe38a6a4e0cf261c2fe2c67d20a2651be1610fb3ddd3769895dd90656f949a4
SSDEEP

49152:wvca+D+IB1yiQLSvuhGkgFjQeC6qpoPJDZ39U/FpgvBXvI:wvdJIGSGskUGXIZsp

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 9 IoCs

pid	Process
2908	Èí¼þ¸üÐÂ.exe
4548	Èí¼þ¸üÐÂ.exe
3988	empty.exe
1788	empty.exe
2980	Èí¼þ¸üÐÂ.exe
3100	empty.exe
4716	Èí¼þ¸üÐÂ.exe
452	empty.exe
1848	Èí¼þ¸üÐÂ.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2964-0-0x0000000000400000-0x00000000008E4000-memory.dmp	upx
behavioral2/memory/2964-1-0x0000000002810000-0x0000000002834000-memory.dmp	upx
behavioral2/memory/2964-4-0x0000000002810000-0x0000000002834000-memory.dmp	upx
behavioral2/memory/2964-2-0x0000000010000000-0x0000000010018000-memory.dmp	upx
behavioral2/memory/2964-6-0x0000000000400000-0x00000000008E4000-memory.dmp	upx
behavioral2/memory/2964-8-0x0000000000400000-0x00000000008E4000-memory.dmp	upx
behavioral2/memory/2964-12-0x0000000000400000-0x00000000008E4000-memory.dmp	upx
behavioral2/memory/2964-41-0x0000000000400000-0x00000000008E4000-memory.dmp	upx
behavioral2/memory/2964-50-0x0000000000400000-0x00000000008E4000-memory.dmp	upx
behavioral2/memory/2964-51-0x0000000000400000-0x00000000008E4000-memory.dmp	upx
behavioral2/memory/2964-56-0x0000000000400000-0x00000000008E4000-memory.dmp	upx
behavioral2/memory/2964-62-0x0000000000400000-0x00000000008E4000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Èí¼þ¸üÐÂ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	empty.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Èí¼þ¸üÐÂ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	empty.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Èí¼þ¸üÐÂ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Èí¼þ¸üÐÂ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	empty.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	empty.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Èí¼þ¸üÐÂ.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2964	3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe
2964	3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe
2908	Èí¼þ¸üÐÂ.exe
2908	Èí¼þ¸üÐÂ.exe
4548	Èí¼þ¸üÐÂ.exe
4548	Èí¼þ¸üÐÂ.exe
2980	Èí¼þ¸üÐÂ.exe
2980	Èí¼þ¸üÐÂ.exe
4716	Èí¼þ¸üÐÂ.exe
4716	Èí¼þ¸üÐÂ.exe
1848	Èí¼þ¸üÐÂ.exe
1848	Èí¼þ¸üÐÂ.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3988	empty.exe
Token: SeDebugPrivilege	1788	empty.exe
Token: SeDebugPrivilege	3100	empty.exe
Token: SeDebugPrivilege	452	empty.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2964	3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2964	3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2964	3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe
2964	3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe
2908	Èí¼þ¸üÐÂ.exe
2908	Èí¼þ¸üÐÂ.exe
4548	Èí¼þ¸üÐÂ.exe
4548	Èí¼þ¸üÐÂ.exe
2980	Èí¼þ¸üÐÂ.exe
2980	Èí¼þ¸üÐÂ.exe
4716	Èí¼þ¸üÐÂ.exe
4716	Èí¼þ¸üÐÂ.exe
1848	Èí¼þ¸üÐÂ.exe
1848	Èí¼þ¸üÐÂ.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2908	2964	3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe	84
PID 2964 wrote to memory of 2908	2964	3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe	84
PID 2964 wrote to memory of 2908	2964	3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe	84
PID 2964 wrote to memory of 4548	2964	3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe	100
PID 2964 wrote to memory of 4548	2964	3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe	100
PID 2964 wrote to memory of 4548	2964	3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe	100
PID 2964 wrote to memory of 3988	2964	3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe	99
PID 2964 wrote to memory of 3988	2964	3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe	99
PID 2964 wrote to memory of 3988	2964	3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe	99
PID 2964 wrote to memory of 2980	2964	3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe	104
PID 2964 wrote to memory of 1788	2964	3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe	103
PID 2964 wrote to memory of 2980	2964	3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe	104
PID 2964 wrote to memory of 2980	2964	3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe	104
PID 2964 wrote to memory of 1788	2964	3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe	103
PID 2964 wrote to memory of 1788	2964	3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe	103
PID 2964 wrote to memory of 3100	2964	3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe	110
PID 2964 wrote to memory of 3100	2964	3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe	110
PID 2964 wrote to memory of 3100	2964	3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe	110
PID 2964 wrote to memory of 4716	2964	3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe	109
PID 2964 wrote to memory of 4716	2964	3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe	109
PID 2964 wrote to memory of 4716	2964	3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe	109
PID 2964 wrote to memory of 452	2964	3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe	119
PID 2964 wrote to memory of 452	2964	3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe	119
PID 2964 wrote to memory of 452	2964	3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe	119
PID 2964 wrote to memory of 1848	2964	3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe	118
PID 2964 wrote to memory of 1848	2964	3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe	118
PID 2964 wrote to memory of 1848	2964	3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe	118

C:\Users\Admin\AppData\Local\Temp\3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe
"C:\Users\Admin\AppData\Local\Temp\3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Local\Temp\Èí¼þ¸üÐÂ.exe
  Èí¼þ¸üÐÂ.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2908
- C:\Users\Admin\AppData\Local\Temp\empty.exe
  empty 3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3988
- C:\Users\Admin\AppData\Local\Temp\Èí¼þ¸üÐÂ.exe
  Èí¼þ¸üÐÂ.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4548
- C:\Users\Admin\AppData\Local\Temp\empty.exe
  empty 3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1788
- C:\Users\Admin\AppData\Local\Temp\Èí¼þ¸üÐÂ.exe
  Èí¼þ¸üÐÂ.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2980
- C:\Users\Admin\AppData\Local\Temp\Èí¼þ¸üÐÂ.exe
  Èí¼þ¸üÐÂ.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4716
- C:\Users\Admin\AppData\Local\Temp\empty.exe
  empty 3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3100
- C:\Users\Admin\AppData\Local\Temp\Èí¼þ¸üÐÂ.exe
  Èí¼þ¸üÐÂ.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1848
- C:\Users\Admin\AppData\Local\Temp\empty.exe
  empty 3137a555f94c59109b6b80da1bd85c5c0695d9699add33bf893cafaf5224baa4.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\config.ini

Filesize
61B

MD5
a8b2a2d569c6e311465c3d1562023146

SHA1
ba3b852064b50aeec8037e645067db03f011dd0d

SHA256
96f0fa8617d14504b463d1d6e2996cd32b881a5c74b3dbcfde0b537fa9ef08ee

SHA512
8c9a02c81f305b18400b0cf00b871404422a00dda6496da1a3cbccaadf2cda95000ea1ca8d6ac8ca117ff9f5f7e5a2bac0f28c605ba97ea3dc9a9c6807fcee8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\empty.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Èí¼þ¸üÐÂ.exe

Filesize
840KB

MD5
a30f9aae86e8b10a852c062b73876f97

SHA1
35c9e085e97de87656c8e43c43023b03b06de8b4

SHA256
aad3973d83acf3c37e6121c81007848f429a6b94cd3cd8e0ae916825150007db

SHA512
25a4f5de7b2e77c0fc5dc0f765b3199cedc52a1006e8d7d5c15232878cc878907f26ff68931944fd66a7b5b1bb4b1bb809f0e86c09f5611dbc489203039ceb1c

Download Submit
memory/2908-13-0x0000000000400000-0x000000000050F000-memory.dmp

Filesize
1.1MB

Download
memory/2908-16-0x0000000000400000-0x000000000050F000-memory.dmp

Filesize
1.1MB

Download
memory/2964-3-0x0000000036600000-0x0000000036610000-memory.dmp

Filesize
64KB

Download
memory/2964-1-0x0000000002810000-0x0000000002834000-memory.dmp

Filesize
144KB

Download
memory/2964-8-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/2964-5-0x000000000040F000-0x0000000000410000-memory.dmp

Filesize
4KB

Download
memory/2964-12-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/2964-0-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/2964-2-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/2964-4-0x0000000002810000-0x0000000002834000-memory.dmp

Filesize
144KB

Download
memory/2964-6-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/2964-41-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/2964-62-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/2964-50-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/2964-51-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/2964-56-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/2980-58-0x0000000000400000-0x000000000050F000-memory.dmp

Filesize
1.1MB

Download
memory/4548-52-0x0000000000400000-0x000000000050F000-memory.dmp

Filesize
1.1MB

Download
memory/4548-47-0x0000000000400000-0x000000000050F000-memory.dmp

Filesize
1.1MB

Download
memory/4716-64-0x0000000000400000-0x000000000050F000-memory.dmp

Filesize
1.1MB

Download