e573cdaa955a901ba822e21c65603a7cf17de7ce25a92840a92e2e84b1bfd858

Resubmissions

09-11-2024 10:24

241109-mfcc2svraj 8

09-11-2024 10:22

241109-mek9kasfpc 7

Analysis

max time kernel
1191s
max time network
1148s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
09-11-2024 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ERROR 422 Remastered/ERROR422.exe
Size

10.4MB
MD5

c15722d1f29b28fefac3a34c1d1a296a
SHA1

cf775816f832f08a024de89c96eb9311ef2a66c5
SHA256

c1d06468a2f089b4f6efbd51f4a140be40283e2efc76d25712e63471bca9f235
SHA512

11618e411a8c55eb0a6f7cea0a0c0a70c5df521652cadc09339d43dffcdb7da15155adb8d42bf8a214f542382f01c29086fb14258ea5eab91bb2335474a070ad
SSDEEP

196608:SoCIRHixqAPLu63SXYGXZJR3RSivHiW2VIfjZOlQoke6LOZBoA/wZaKWX:SnAiqAjyTl3jvCPmj8eokeQ4/EabX

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x001900000002ab79-80.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
448	ERR0R422.exe

Loads dropped DLL 1 IoCs

pid	Process
3136	java.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001000000002ab72-30.dat	upx
behavioral1/memory/448-58-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/files/0x001900000002ab79-80.dat	upx
behavioral1/memory/448-115-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ERROR422.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ERR0R422.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ERROR422.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3136	java.exe
3136	java.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 448	780	ERROR422.exe	79
PID 780 wrote to memory of 448	780	ERROR422.exe	79
PID 780 wrote to memory of 448	780	ERROR422.exe	79
PID 448 wrote to memory of 1372	448	ERR0R422.exe	80
PID 448 wrote to memory of 1372	448	ERR0R422.exe	80
PID 1372 wrote to memory of 3136	1372	cmd.exe	85
PID 1372 wrote to memory of 3136	1372	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\ERROR 422 Remastered\ERROR422.exe
"C:\Users\Admin\AppData\Local\Temp\ERROR 422 Remastered\ERROR422.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:780
- C:\Users\Admin\AppData\Local\Microsoft\Windows\54455354\ERR0R422.exe
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\54455354\ERR0R422.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BAC4.tmp\BAC5.tmp\BAC6.bat C:\Users\Admin\AppData\Local\Microsoft\Windows\54455354\ERR0R422.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
      java -Xmx1024M -Xms1024M -cp ERROR422.jar "-Dorg.lwjgl.librarypath=C:\Users\Admin\AppData\Local\Microsoft\Windows\54455354/natives" "-Dnet.java.games.input.librarypath=C:\Users\Admin\AppData\Local\Microsoft\Windows\54455354/natives" Start
      4⤵
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:3136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\54455354\ERR0R422.exe

Filesize
44KB

MD5
51ec46a22f2f8bea7c396f8f5fa4dca3

SHA1
cc260eade22bc79b82f04cc2fb70f1a529a537e0

SHA256
7a083b17aa3ddd054d5221bda285d75ed4a060fb3933f8461e178ccc647da7b5

SHA512
69907e7074c8a4bdf1b657a9daad3378ea8df1a92d4b8f5f1ed8a4b3a87b8f0351298d973c7b1827f7d2b04fb67ce672d065bfdf9c8feee65f520a27989513ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\54455354\ERROR422.jar

Filesize
10.0MB

MD5
8dc2b240b963e3fece100bd6b767033b

SHA1
a55caa359cb65ed9f0d8b186e2183266ff95afb6

SHA256
338d6fe860e9074fecdb7fd7370139aa4acabdd019a99d22cdeabee3bca808aa

SHA512
60f531315df75109def781a9fdd2e29e08b0b62d62410f6dd03243026a07627014f738ca644134b64613447639f67dd902376796fd35c4514f46a2b8d1157b07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\54455354\natives\lwjgl.dll

Filesize
188KB

MD5
517d0f050ebbf8a7d2c6a4def78218dd

SHA1
dbce970a2d4cf6485519ef1b730bd3246fa390d9

SHA256
a81e22e91c831bf3d60569b6a1d9b0e9bab283e20be819da8117dcbb731e07a2

SHA512
fc0bcb4cad490cf16239aaa381ba65817682bef36418347630df4d2df39c95b0280ecc2346baa561c5c4dcf6a952b315767276efc9c2969b6ea4e47ed0be945f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\54455354\natives\lwjgl64.dll

Filesize
267KB

MD5
10fe2f603bf0fc79da41711d28d71a3a

SHA1
ba7833cdbd9a942fc4213226d1a31158b70a6d77

SHA256
f81fafba810b85f697191e1d7eaf515498f5c5919db065418ef490f25bfdbea1

SHA512
9648b1309db35e0c90e8d0566198bd732ee4b26d0a1c9258e1eeca16fc70e8c32b4cdcda4a9788f75f390d22e11b130e30ca8914750797cf42351ee45badb322

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAC4.tmp\BAC5.tmp\BAC6.bat

Filesize
147B

MD5
c18d654820bb66f2a1c8d14177590758

SHA1
6d5d5b551f1d530e5538e534709605bb5f7a7ceb

SHA256
0a3bcb6f9e67056e8a69553c85a37eda4b27007c07b74891aa6de647ea4e8754

SHA512
2c172bbebac2c3bdafa81c440a0a4d66fad64a96acbc9084a7a977abb8d69c779206ff46cedea2f36686f43e5d168aca39a1bf6630b926337d05d8d4d5b1666a

Download Submit
memory/448-58-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/448-115-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/780-113-0x0000000000400000-0x0000000000E29000-memory.dmp

Filesize
10.2MB

Download
memory/3136-96-0x0000024E92F20000-0x0000024E92F21000-memory.dmp

Filesize
4KB

Download
memory/3136-107-0x0000024E92F20000-0x0000024E92F21000-memory.dmp

Filesize
4KB

Download
memory/3136-83-0x0000024E92F20000-0x0000024E92F21000-memory.dmp

Filesize
4KB

Download
memory/3136-73-0x0000024E92F20000-0x0000024E92F21000-memory.dmp

Filesize
4KB

Download
memory/3136-120-0x0000024E92F20000-0x0000024E92F21000-memory.dmp

Filesize
4KB

Download
memory/3136-121-0x0000024E92F20000-0x0000024E92F21000-memory.dmp

Filesize
4KB

Download
memory/3136-123-0x0000024E92F20000-0x0000024E92F21000-memory.dmp

Filesize
4KB

Download
memory/3136-122-0x0000024E92F20000-0x0000024E92F21000-memory.dmp

Filesize
4KB

Download