Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-11-2024 14:56

General

  • Target

    a1cafe0d39cc17c0e36db2afdb4f640e3e81da7b2302c01e03c96348723ffdc9.exe

  • Size

    1.0MB

  • MD5

    7d8165e194302250d880425b1608e307

  • SHA1

    2688c9a6a3946fd7d93fd861c5f94c0dd67ae593

  • SHA256

    a1cafe0d39cc17c0e36db2afdb4f640e3e81da7b2302c01e03c96348723ffdc9

  • SHA512

    eb1c4dd9095dcd6a82616f7d4260e45ee686e4c80c0f046639fdae08fd5c70ead604be0d4cce09d01466b239726c93ec4de579222eb755c6cdf641fd902c415f

  • SSDEEP

    24576:hN/BUBb+tYjBFHNhM6FI9Dh7S95UqJXRX1zJ54D+q0lPBzkFd:jpUlRhPMn2owXRX1zJ5w+JPBAd

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a1cafe0d39cc17c0e36db2afdb4f640e3e81da7b2302c01e03c96348723ffdc9.exe
    "C:\Users\Admin\AppData\Local\Temp\a1cafe0d39cc17c0e36db2afdb4f640e3e81da7b2302c01e03c96348723ffdc9.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\wnrs.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1276
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ipconfig /release
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4232
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /release
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers network information
          PID:3544
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c oxhvi.msc bvqmcwxut.docx
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1908
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\oxhvi.msc
          oxhvi.msc bvqmcwxut.docx
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2184
          • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
            "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
            5⤵
            • Executes dropped EXE
            PID:552
          • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
            "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
            5⤵
            • Executes dropped EXE
            PID:2280
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 184
              6⤵
              • Program crash
              PID:3428
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ipconfig /renew
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4532
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /renew
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers network information
          PID:3092
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2280 -ip 2280
    1⤵
    PID:2856

Network

MITRE ATT&CK Enterprise v15


Downloads

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ahpskwthu.docx

      Filesize

      526B

      MD5

      56ae97a5897d70a0c7fade5f29767a43

      SHA1

      e6ed9186ab3b3211092508f8e4fbe46e058839f7

      SHA256

      96f922028e5673af15f9af520ba2f01496fefb7d6017b82b29946d2e09351704

      SHA512

      7cffa2028fdf0cb5f659c644f666a426aded46d06020faf6da8cf768f80960b6db02cdfa958ee6f746466f426d7420520980e34f33a0cfa07950edc1735016a8

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\aiccixqlw.exe

      Filesize

      578B

      MD5

      68925419289f46d376b8d0de41a64c99

      SHA1

      9c876267e22acb8881c7fcfc9006d97813822c95

      SHA256

      1449b0aefab21761cd54949134b02ffb7042ed3fb91e36032991922199722ec7

      SHA512

      e6e5a5498ada1e845ad2907fe040ed69cdac03f43702f21c8e11a666cbb4d9845ad8d6e7cfc078d2fc54b0190d261b90a580338279c94cc9b79da4751727edf2

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\amfmrpfqdh.msc

      Filesize

      34KB

      MD5

      c6d01ccb8a3f8c8a09db6445df46228c

      SHA1

      09163a20fe6c09e510a68087f5d3038458629226

      SHA256

      5c38856418567a83a31d0eeee38087be1047a7a98e79b02cba43907a1f0aee27

      SHA512

      602f96394261b554d5988815dd8e75e6040808c6d0acd1e0c66cd6b6756fa208bc1272a0834cdb4ad49816858b03e11a6923afd45f14aa173f84898706c6aff7

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\amfmrpfqdh.msc

      Filesize

      34KB

      MD5

      f8ec3a47a92f1c45b9f6582f7cf621c1

      SHA1

      452fb70c325ba60247ecf3eb7c05c188e576cc60

      SHA256

      771db32e8bdd02be6ac90f3d0902d08163c3f49cbf21f46b069bd8da32ed0c74

      SHA512

      dba6d256838dcd1a30e68c35bbc5e11b51b6aa05bfecc437ef70b67b8b89a05b9865f92c90aebc51f76832f8137ef28c4a11bdaa112519bd0419d18699937764

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\bhbdl.dll

      Filesize

      579B

      MD5

      f3372b55e755a70e9d39941a8af77bd7

      SHA1

      164a9d56bde91bf883f9a97d4203689c4ec13d5e

      SHA256

      fbfd9cd1320c29a7ad37207a415d1503f686185f901299ea0870420b8a4a66ae

      SHA512

      7cb1031aede051eb28be6e72bad4c66a5caea5c089bb73c2d2268f9d3db8b1412c15383e8a68760f1afe276b0b0a0901a4ed07a1da1c0a04943ca5dcd7de3ca6

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\btieiqt.wxc

      Filesize

      351KB

      MD5

      fae6ee35c0f5ac2dc4885c0de8e88032

      SHA1

      587bf6f4105d4420762c463ba33e9e3ba677e85f

      SHA256

      4db090b6f1cd2501c929b31c2e29d4d0a4ddf1e81be6800e763d8c45bea8744d

      SHA512

      1ce62d900017dd4545023acc3ca32daee7eb454a6144c99958d57e88838402013854f410b8be1fb5d607819c48ba72fefecc11d2c78a81408855bf3899e04b38

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\bwscnblc.msc

      Filesize

      598B

      MD5

      42872a8299c923636de82f9b8c4a9fd5

      SHA1

      34e35498029d6939bf99f3e67357fd8428383fb7

      SHA256

      cb7308beda6f9ff1679bf8adb0b0ab44dc160d20fabdd51a4ea47c1f3fefe17c

      SHA512

      8bd61efd02df1f69be68a7497f590d90b08f611d9b1503ec66a2f40c31258d0b1fc2cdf10df53a83f1cf6557f6866e9240b28382acd16f092082a51aa84e69a8

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\cahoackms.mp3

      Filesize

      603B

      MD5

      f9ebc2eb91660ba2f590171be17de8d7

      SHA1

      4c8184f056fafc7399dd772a8ff4098bc4d35145

      SHA256

      8e98a40279558b8377345897621d7e715614f02359fcf38c498643b103bdcc08

      SHA512

      cfb031109d1b759aba4fbf08497b5c9c2c2771dbaf1d11fa6dce839a84b867605cd6d17d207833172d7432b6e67ede6c77cfdab5af3bf729cf6dbee3004f66c3

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ceacdbp.pdf

      Filesize

      536B

      MD5

      46dcd7f3dc237b4507eb4899c1591cb3

      SHA1

      522503e702f8d76e31b2b24af1ffb1c39b28170b

      SHA256

      12cac5f80badc0292c5ded44cf86d69f016ff8a26702c48162dd8fd3fcf30189

      SHA512

      f9967b456c70e0fcd1405a544dc79de7aed339ddfa055fb774510dbf2bf09d0023e8e9a957b3ecc85762236dd16e751516d406a877c2ce59187d68dce7ef6e08

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\cmjr.msc

      Filesize

      591B

      MD5

      bcf3c4465032f6ee4c69baa6d9bd9290

      SHA1

      826e59fb2f690d3f30c915ddf4b14dfd9c68fe55

      SHA256

      41bdb0fab57c8147ad9f09c4f0d898b6dd43ef1cabb26f9122552b6e948500e5

      SHA512

      35fac351abcb29c2174d025a61804fed71ac9dca43130a6156736ab47280b729df0e2bc1b5f4d1d7272d49738b70b2012faddd6d76d86b1242b7f70b0050649c

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\coeheprrr.xl

      Filesize

      504B

      MD5

      97a1ae97f1350d07cadf8e0a010b216a

      SHA1

      3b5555139b866aecef0a2565ab47d7e555f7b097

      SHA256

      951dbcbeb27d6d73d66e6ec4ba14538a7c37c5b439cb02c114e891a9db9a34fc

      SHA512

      b4cf9489aa0a8c1e98c0ec326ccf75d7944e982eb46bb049da5034e1751261c987530a41485c593fe4acea7abe402a3f26d1a9db8af89347a59ca243eddc75be

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\cuumqdvjk.exe

      Filesize

      602B

      MD5

      382fb868bf2c280f0a67b8055efb9928

      SHA1

      c740ceb7a49fb1f77ec225529df364dd133d3675

      SHA256

      97f52eadd90e55427d8350f2e5585d9c15b8e00ba82cea1fd09ff95445d957d7

      SHA512

      1bb8bb9379e8ecfd3f7d90e2aa910825b91f6e29f9cc0d6aff3266d351acd3060497d2f8b59b4a285bb015cb893feb4920e79ef23f7e7139011c4dce4bc06805

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhnmu.das

      Filesize

      509B

      MD5

      c4b81747b551cf4fccc5c0e552252649

      SHA1

      8c6c293777a93b8752450437cba667b05c9e23f6

      SHA256

      b4b21fba0d3dba4ae00c9eb45e2e193e273547fa86b1e4c77c47a58dc80231ba

      SHA512

      49e5dc0e9a2dfc7f729a1f8f757fa7ecdc7bbce3c20b17dcffc45f04a14943da30758f55b43bd5a1270e07a8ccd848044834d05c89e65f2487117b8c810f6937

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\fljca.xl

      Filesize

      648B

      MD5

      fb7bc1e54a3a13c46abefb4b5894eafb

      SHA1

      6e1eb3df791408db1cd6428582f5f057c755b3e8

      SHA256

      1f5b7c71ad67bdfb5598d77f70cb9a7cafc02ab47af0140722da2a75f21de972

      SHA512

      9657589c71af1ca199e45a5b1f3a8bf225a12288d642ba476ae022c3d69cef30d29d8c797bba4f8fef0effa8262723e289417de394cb90c21c79231410c9acaf

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\jnfubqkpck.das

      Filesize

      686B

      MD5

      ad648c8818a74800cea50ca6d7afb649

      SHA1

      f146194d6b62fd61bb37b2a9a7df64f5bd6d7bb0

      SHA256

      c32b59e53fe7283d8fd4bbb2ba8fb9b68d27683fc4f773b7025aebd4e71e654b

      SHA512

      9885e22ff1b1666916bbdda72b8f40d8ed8cc7015ce6529ce552102f0c379d8352cb7f65176b9a55ad1d857fa50211b220cbbd2c81730e9297c8e03597ed083b

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\jrnfvrdb.pdf

      Filesize

      534B

      MD5

      44bccc48aea68f6c7601b4c28e13dffe

      SHA1

      2f6de537dfc7be56a1dde34817428effc89d09ad

      SHA256

      12df5c527a4fa33c11945127cae2b627fc904f903b3d5e1fa790fa5e93526dcf

      SHA512

      b36429d395d36654781659b544adfe26c99dfe0fbb579c24c6907287b7807bdb25967e06908779ee6f6ff324c863faf7a6c9162040c1d4cccc6649a7ecb5ad38

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\luscgxin.3gp

      Filesize

      508B

      MD5

      95ed1612d4995a1339883f3c2da20bed

      SHA1

      bba7feabf0182aaf1bf2b48314be515c9326a686

      SHA256

      b2ffd14ee25ffeace578f6fd512fc49005aff59fd057607d0fa2c600dafed696

      SHA512

      3b3ea03399c734a2c927ef41ffd971306504f672e4b5fa8ab7897cd54c5986ff2ec0bab0825860746ad262d8f89d59d0797ee5b13628e40b45f83f8256c4a266

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\mjupm.docx

      Filesize

      572B

      MD5

      fc495c99e26c918cccafe8a212355ee9

      SHA1

      15a87b4265da49fb5d9edade69111d49ba55b8da

      SHA256

      010e35603796229a5eea475725e2f191dfefcb0ae06306e8502045a84fca335f

      SHA512

      80ab91ee659bfc895f8aae514d63da5dd8f3f53cb2c16b91a24f0cbfd83d604026c18c5ff0237e8e8754242a96c74655cab215548fdea894eb56cb7c0fc8922b

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\mummtms.icm

      Filesize

      616B

      MD5

      95e90d53b6dd6501967d8e2d9bf0ef8b

      SHA1

      eb28d3148c97be0f2650972f6772e8ce84d86d51

      SHA256

      846e94f46d1201e4afdf32f0374c90ad4d1e23e89b5000c96ea124c80c8524da

      SHA512

      b2ea6242f7f2754f4d3d9b478ee97713d8f635393c681164a07ac5c475b623495f9ae0bc243964a591cfe540fddd4cd195323bb918a63e761ac23e0c4aded046

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\nfwlowj.mp3

      Filesize

      564B

      MD5

      bc4084b5a1c6b6d70d37a0d4d657fb84

      SHA1

      3011bc2e36349df995cc0440b9579829e4628402

      SHA256

      1581f7fd0889c340453e9a34846a61b899671fc59e8b2e67c98f628c290968a2

      SHA512

      004e366ac7b64d083e329d9ef91c0ebecd9e966f52d93b94c2293ef30cdfa793a6d18e73074fd3148fedd2fd4ef7e382046050503f1fee83e20856b9b8da64d4

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ojaqhh.exe

      Filesize

      569B

      MD5

      7399ad2ed1976a8af8fd293039757336

      SHA1

      1b60bb127972d76f4243310b05849c2937e4be76

      SHA256

      06e60d78dd1402360ed52dd46a1f09787b52cbc4cef80676f5600ca49ccbbb23

      SHA512

      446fa89e11d2d3ee7ece303273c573d37ae6a7d490f70101b8a174ae6f3fae859f51f0fc8d52588b6c6c00fe98c2943556fc8ba9a33d8324cbaa2f649371449b

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\oxhvi.msc

      Filesize

      925KB

      MD5

      0adb9b817f1df7807576c2d7068dd931

      SHA1

      4a1b94a9a5113106f40cd8ea724703734d15f118

      SHA256

      98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

      SHA512

      883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ukphwj.xl

      Filesize

      504B

      MD5

      35470d47483607bf2de0fdc542efd0a6

      SHA1

      c2085cf4a1a687201dcb2af61d7f2bb28473f664

      SHA256

      e72bf5652c4e6e6fccb590bfcb2e6081c4c6f540d61abde5ff168ba641d34c6f

      SHA512

      d95ffcc8458d3db253388cffc61db76331008aa0d9223e91b8acb2e1c60ad0c19501720fc67f5207b82b191ecfd8bc75e479c3f37ffba83493cac61b11680a36

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\wihpoq.mp2

      Filesize

      533B

      MD5

      18b3ca792233b183954d86380d53baf2

      SHA1

      fe7d78e2ef67b2b37bf608b7d8d2d9820a483322

      SHA256

      4e8d26fbd55bda61f1cbda0326439663f32b735d8b70b52d531150aacbe236c8

      SHA512

      6ce4a5adbb3f9c48c5b35a03188dd0ea9218d2d4a0e79ad19ddfc77ff882a5b39bc57e62c8ec7a4f289e8127e5520e9ff1465fc0502057d43eb61f100522e562

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\wlsraclfv.mp3

      Filesize

      578B

      MD5

      4c33ac9510e5f22aea359252392e7dc6

      SHA1

      d8f0d8c95a43043f68c1794ff7cef803ccdcb969

      SHA256

      5603cb963f200915eb60aceb7837edb35cb1be8ccff16fba9dd1eaf26272de06

      SHA512

      96610ac9ceb1040cf1f063d701148848289ed51e7a1a6c235dd684b4a75073fb7ba092686edd97afdeeaef8df390be88220633215c42325bffb141c03d0a98bf

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\wnrs.vbe

      Filesize

      73KB

      MD5

      e35fff73aee2e4616a02721a2bb87382

      SHA1

      493fb9ee1be78ee56afdaaa41b0c96470a20f491

      SHA256

      27bbc7baed22b649f4f9e5c8f07b46de15d18ab0d98ea38ff8b28d9690bf553c

      SHA512

      76a901a66e701c7c937aabef2d5b4f8e488e25d89c683da61e28b6419aaa75c322a9e5f66c9951388f876e89b485bcbc0ab2108f6fb58882205503e3fb08f4be

    • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

      Filesize

      44KB

      MD5

      9d352bc46709f0cb5ec974633a0c3c94

      SHA1

      1969771b2f022f9a86d77ac4d4d239becdf08d07

      SHA256

      2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

      SHA512

      13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b