Analysis

  • max time kernel
    120s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/11/2024, 12:47

General

  • Target

    3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe

  • Size

    313KB

  • MD5

    bd372e095c037675ea4171add0520462

  • SHA1

    697a203cb99b4242d067d78860fac36d73644892

  • SHA256

    3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b

  • SHA512

    b2111d5ae527ae91a62aea3f307ed94a81b8af09dacfed1bdb1386b65ab459b8642fb3b93560bd54f87b99a9339c3904c1985368418a14615a40978e54ca5a4a

  • SSDEEP

    6144:ueHwXUU5EYCTvaBjDjWrLJKuKnGML5NjcxV:uyMUusvalag5NjaV

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables use of System Restore points 1 TTPs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 3 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 42 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 5 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
    "C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1472
    • C:\Windows\FLR1S4G\service.exe
      "C:\Windows\FLR1S4G\service.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2056
    • C:\Windows\FLR1S4G\smss.exe
      "C:\Windows\FLR1S4G\smss.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:988
    • C:\Windows\FLR1S4G\system.exe
      "C:\Windows\FLR1S4G\system.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3512
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 1168
        3⤵
        • Program crash
        PID:832
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 1376
        3⤵
        • Program crash
        PID:5108
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 1404
        3⤵
        • Program crash
        PID:2924
    • C:\Windows\FLR1S4G\winlogon.exe
      "C:\Windows\FLR1S4G\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3436
    • C:\Windows\lsass.exe
      "C:\Windows\lsass.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4668
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3512 -ip 3512
    1⤵
    PID:4660
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3512 -ip 3512
    1⤵
    PID:452
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3512 -ip 3512
    1⤵
    PID:4804

        Network

              MITRE ATT&CK Enterprise v15

              Downloads

              • C:\Windows\FLR1S4G\OGN3W1G.exe

                Filesize

                313KB

                MD5

                bd372e095c037675ea4171add0520462

                SHA1

                697a203cb99b4242d067d78860fac36d73644892

                SHA256

                3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b

                SHA512

                b2111d5ae527ae91a62aea3f307ed94a81b8af09dacfed1bdb1386b65ab459b8642fb3b93560bd54f87b99a9339c3904c1985368418a14615a40978e54ca5a4a

              • C:\Windows\FLR1S4G\OGN3W1G.exe

                Filesize

                313KB

                MD5

                199c63ea5c0db458d15522c47a5f629f

                SHA1

                17a8610280618ec3710d76ca67f2bec4602616c5

                SHA256

                389cb54684a1682a9f46b8bc538df4ce31a33de8f2314364735b9a70450f94d5

                SHA512

                29d2b92435d6d47661e895ef2d140a81d9038512d8d939fcf92f47090480edc4cd267f4b09e111f239203050861ab74f0eb0367028c056e6f3b4a3ab7142055b

              • C:\Windows\FLR1S4G\OGN3W1G.exe

                Filesize

                313KB

                MD5

                57e1f3ae7b7f2c75090a030c18218040

                SHA1

                99e899f66ba91819b89fb7cf72298ae957fae5a1

                SHA256

                52d891a83ca71ea90f590922af372b9e9790b940efd73fb20e2af55672a341a1

                SHA512

                9214fef6efbd66e9feec6117357d677a01829d9e10afc25d1dfbceca7751140428c51298a200c3ceda5bbb21a042ad08b807ec8279ed4b40e3d94d288a0f960b

              • C:\Windows\FLR1S4G\UXT1X8R.com

                Filesize

                313KB

                MD5

                06b5ea9ddc5503d52137fb909cc0210f

                SHA1

                d8bf80712eff604ab2843b9627c5f2e5cdae38d3

                SHA256

                c0166599756f9d522f65183cf57b98aa999633641b361bf7938b7bb609283c9d

                SHA512

                2b2956b890b0d87ee7aeffbc85eb8077c893763c29ea78a0db3bb76f3025b4013986b70a4e6e0030771b4823032a01a11f3da5bbc0fd72daffb4bb91fd78ab50

              • C:\Windows\FLR1S4G\regedit.cmd

                Filesize

                313KB

                MD5

                368235db7f39ee8a096397c1bbdc51ac

                SHA1

                2349aaf298e40c9bcee59accd7049e6a05e57d1f

                SHA256

                16ba71a8dc7ae99aac9a4c8a0c0bec44ce306dd035f61f2e0f438a6cd1339c0a

                SHA512

                a9c91269e70612997d4ac0113e056386d94eb9466fdcc7d335f50ac9795997d3ce33a499ed0f1968f12bb75371ba3a6028b615c5c74809cd6f28d44e0277cc8d

              • C:\Windows\FLR1S4G\regedit.cmd

                Filesize

                313KB

                MD5

                0102f0f1e9677f4b385178e20b84ef50

                SHA1

                98dcfe2b9eb3de89411603a22c4608b4b2281cbc

                SHA256

                5ca35fffc029e5af81cb09c3b8c9dc371583682b000f7b7c9f061b72df53b1ac

                SHA512

                680484a66648f8117a76b7ba356d2ac17fdad6fed2350fd9eef34496ffc7d37e4938cc96275e550fb1b0447eddc18b9f6b473411070704f54b327db69577eb0f

              • C:\Windows\FLR1S4G\regedit.cmd

                Filesize

                313KB

                MD5

                4487d18c55215cb3283c1e7a42922553

                SHA1

                c0751e09a543d04380a20968a67b1aae1d719395

                SHA256

                4de8c23e832a45f00a5f09599346bd9d55b2c783ee7d4bceb1c38bf008113862

                SHA512

                c4fc8fdbfb3f6d54accec62d5e6563b3494dd18e81c55177617824fba4437fd93af92cf42e0764a58ae5e1609de6ad910531f6c4a50d5a9bd73dadeba6e865f7

              • C:\Windows\FLR1S4G\regedit.cmd

                Filesize

                313KB

                MD5

                1edb736c351db3b75a27c5f83ef780b8

                SHA1

                fa8f6029460143d56855fbd66eab9fbeeaf9cbff

                SHA256

                c936ae12e9ef151c7fbe57be25184fccc92bcc6ccbd75eab67f2c1d2fee5164a

                SHA512

                1b29b1e90c261be0e1c8b30df9d5f7afe24a455a2cd64f03ed2bbca915dec4b6b3b3358e2bce6ade6c589684d60633635a2b7dec98d517df7b81209bbcf83f76

              • C:\Windows\FLR1S4G\service.exe

                Filesize

                313KB

                MD5

                1cc826448cf9163cd41c64ccde4e2cb3

                SHA1

                d26e4f9405d704064288f01feda21053804518b4

                SHA256

                49739dc6c520093b8ccf34cb06b8987354e36e0a7e8ba5dba1bb6c55fd1a1aa8

                SHA512

                a20e0e47375cd22fcfb3595a25cd95340cdc81c1f37c8589438041af8dbe707d6e659be7626e589c145b7e140421d946b1ad7b5aed97bc32cf7842c283bf3ed3

              • C:\Windows\FLR1S4G\smss.exe

                Filesize

                313KB

                MD5

                5fb78dc1b8ca953c092ec59cbc0c09c6

                SHA1

                52705bb92ebe0353a42b457c05c0d42fc3f46001

                SHA256

                d90b3f155cd47648083d2d2897ad3f1ac9debc5969628cdfcaf8def1a7cde3cc

                SHA512

                a32a3164d330284b9b12f21336fd4e1d2fb34354de54e2abea98d75b77455ba2a6a0fa3968daae8fd05e76d5b0eb4462675aced7f45f9bd3940885cb42c5ecc6

              • C:\Windows\FLR1S4G\system.exe

                Filesize

                313KB

                MD5

                d5566830fe21bc739effa10b9ffcfd77

                SHA1

                2ca8ec08fc5172ba6749d6cadeb97635d6a2f728

                SHA256

                890fb28d507ed1ec7323c2494712f84e45b7ff756b4e673da87652b33fb2f622

                SHA512

                ebac071a458049f6b3d36dc4599afc2e027b782d0d4dcaa43f979cfc74c4b12834992096d73d7f9279d4519b86029ade367be3a86a10c8bd36ecfd558034b45c

              • C:\Windows\FLR1S4G\winlogon.exe

                Filesize

                313KB

                MD5

                f0db78a6b00f01f9f89cc55302e772a0

                SHA1

                031a0bdec48375c324829c9d6a8132be5c36b3ce

                SHA256

                43f8142434e77cd84043829e4c05c4ddda5930f202396d3115008fdd770c57c3

                SHA512

                2ae3389cfb52c8d87459393340c0dcd07b423d7166b69ee954c26a5c5806522d051be66f5c1129b2397611f66fa6631d389f96c924b4a36c752b492cc796db8d

              • C:\Windows\SysWOW64\JDC6J2EFKT5O5N.exe

                Filesize

                313KB

                MD5

                ae5dedb6b5e3daac9a39d19e2812eb1b

                SHA1

                ae1e253523a0f293e5b739aab90ada57abe3eb30

                SHA256

                04cfcf8e451a9b0231c5063ca8507e4bed6489f0fb01367bea2cd3619caf4fd6

                SHA512

                1ff9ba9b7d8eda5425d8d3b21a0164e9afed2e839f6b36856c1dcb5b9225cfe100c0db0e0c64ec272bc2f866450a07fa58ef05e441fdaf705155c72565364666

              • C:\Windows\SysWOW64\systear.dll

                Filesize

                127B

                MD5

                f422e9aae4dd373496be5cb6250ea17f

                SHA1

                442a3b537eeaffb2cd1f6e518d263985993c0469

                SHA256

                94e2cbeaa7bd94a07bc1553ce9b364d52de24657471318b7834722bfef55027c

                SHA512

                34e5b383164cc2c8a06b45b8c0777b6d16ab11c4cf47a8792d009118072fa61b69079b1c1ea20a969c03c9143702b51e0f91454673fd82b7bae35e858bd733b0

              • C:\Windows\SysWOW64\systear.dll

                Filesize

                141B

                MD5

                5fc322327c1f94e05986422ea77f5400

                SHA1

                9d1475e52e0c0a4fb5f760424d2511b5e0abdf13

                SHA256

                474552b7055bc73b4b1d0e0eff23b5cfbb559d016942980d68cb89b3518f156a

                SHA512

                305bf6a35b2e4eeafc26f6aa54c53b774f1cc0fdb9c47fce1ac77ec854cfc63221b5c5285b59d0828a3df3e22c03aa886f2256f2f9cd48b69842cb6a49a76c35

              • C:\Windows\XCM1U3C.exe

                Filesize

                313KB

                MD5

                90072ec618888584c5c87a7054da3992

                SHA1

                0dbeaf7f24915b82e0f30457773c6983c6e09ed7

                SHA256

                a1c8067ed74231868846f0c1640c79050fb10453ba32b24f78d886e310e1a608

                SHA512

                64f319154be1dab81418749ff47573b666b34ea038e4042b60b20ed9ae2440f30c6adce1ec987f6039d9ae4d7b23eca90d2ae3cdf7135824dbdb1917eab4a278

              • C:\Windows\XCM1U3C.exe

                Filesize

                313KB

                MD5

                bdf2927626b061514e4c696eaf8fde74

                SHA1

                cc61eab7bac0807a3f40e6d730056397e0fbe9bd

                SHA256

                1cb4026142be72f6437039a5185ef2809495da404272a785f1a91034b0af8188

                SHA512

                868d2af3b2f1f1feaea26b82ec2640394d074725faf932ab71ae77a67138aa9d1ec29c1a5a33aafdd7643ae2ecaf93ab71a2dff8e90f29d030a394fbc1c70c53

              • C:\Windows\cypreg.dll

                Filesize

                361KB

                MD5

                45c87e723ef890963a244048007fafab

                SHA1

                724b8494460f10a8be3773aca69a904b1f9f6054

                SHA256

                1112c19bd06e331ad2a4ce38c0742528f9b92b6f1c7a757d38f32a83e26cf58e

                SHA512

                2fc969800f75b0ccd27a2c7817423ed81bd56e5eff03329ee485a5ca413c8d934614c32cf9b67b2b6d1e6312f0ae2030577987b7112945c7194efa3969376727

              • C:\Windows\cypreg.dll

                Filesize

                361KB

                MD5

                7d48fdf0c4cc365871c367d00f323b2f

                SHA1

                51ec4a45bf0e2a140d001126cae872ae24dce7fa

                SHA256

                8a4872dbf252c53d5eef62feaa616e9933f357b5dde182680baf182c424c4a19

                SHA512

                296dcf36cf5cc9fa9080737b80a5cc9c7340f2ffce64041cd484ee3a86468e05e51af39a981b57e8f81251e599ae6e3fee0c6b040e42add6d7dbcba00e39ec9a

              • C:\Windows\cypreg.dll

                Filesize

                361KB

                MD5

                a6679ff6d0b14ec2b1ef181feb1d9fef

                SHA1

                c5459a8aa055e4cbb9518d1ef5d411d48ef8de8f

                SHA256

                5f93083e889ae9ca1f498cdebe90ddef52315edf22fc201fe7d9eba4e1e2e9b9

                SHA512

                322229369f1b73c5c1be2bd54d574c84519625559ee4d7f355786f51c82f8b0d5101571807af54c755f6e3e8bceeda33a8e06490b2a805cd19d91e9e5b7d7563

              • C:\Windows\lsass.exe

                Filesize

                313KB

                MD5

                894883be9122eefe8e34dd77a1ae6976

                SHA1

                9b5708f4cdf49fe23b2d909bd91eea970969251e

                SHA256

                5d4539f31e7d1972bfc10d96d208460954558c87db37c0e4a15e580e16d8b0cf

                SHA512

                044bf18113a3107bb2fa1de92788499e2c7124237011ea8c015a479ca9961558fa4dc22cd30ee50160b13f76ccaf22c3b1e68735cdc3325fb54cbbed4e39621f

              • C:\Windows\lsass.exe

                Filesize

                313KB

                MD5

                026e7c3c870358292e69bc9b0e142e24

                SHA1

                37d07eb7653ed24af7b52fe7a837f67511da7da5

                SHA256

                c653690639b032162e7c4d402dc257147899ab1b1b805b2e2dd8e6f1d250e416

                SHA512

                cefe102a699adf553add26ac5a0c6e3602f9c59ec1f0b486a32103ad5c6a578caa966719c539228e663df56eebc375a49999e64e4822bb416ec3646ed785141e

              • C:\Windows\moonlight.dll

                Filesize

                65KB

                MD5

                8e6e31f8df128a746ff9a3a38f8f78c0

                SHA1

                e4da9aa336eb7e254592e585b29d8b4e23f3e4bd

                SHA256

                dc33796b634ea14ed80a492257f698d103a57e1a041ccab92945efa8201a65f7

                SHA512

                eddacadcb86d8ead42185af5ce779f35dcbf262b2e12dc1cb816c3c5e35563201a839b861eb4a2cda472a5a27b2dfb76a0310d6eb94b49e9d5b58af869ef22c6

              • C:\Windows\onceinabluemoon.mid

                Filesize

                8KB

                MD5

                0e528d000aad58b255c1cf8fd0bb1089

                SHA1

                2445d2cc0921aea9ae53b8920d048d6537940ec6

                SHA256

                c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae

                SHA512

                89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

              • C:\Windows\system\msvbvm60.dll

                Filesize

                1.4MB

                MD5

                c14d86b2aa572ba9973828133ffd9d83

                SHA1

                db863f0efc33b72522b228f25835826fad532d32

                SHA256

                86a9eb67eca6d722a633e967a25866b874560ba49a49d024e9584f3db5a1a14e

                SHA512

                9c0d57b0a6be0d6c4f81268f75f4032cf81e6287a781fdc7b0050d1ed31c1456d6650186b0e3bf1204d47c92b358b59707f260e7042837c78a8777692fd67d34

              • C:\Windows\system\msvbvm60.dll

                Filesize

                1.4MB

                MD5

                f2c0b2e1251d0bbced555c5d292c6e7a

                SHA1

                f660aab70472c3e480e27699d0d33b0a2d5520c9

                SHA256

                2f1075a0715c4f5c954c12ac69b396a32312c5bae8266291c50b0c7b69b7dcea

                SHA512

                c4ce8f3badef64a0280baed8eaf71dd3bab2b03d0933e7191c33d70476c32471e94e33875a72b266af4105973342903fcdc8af7f55a020b07d78e1b774b7daf9

              • C:\Windows\system\msvbvm60.dll

                Filesize

                1.4MB

                MD5

                d93921be0a8cc54b2914d59edda504ff

                SHA1

                61699b7bf5b7b3903ed8a99623367054f57a934a

                SHA256

                2160e45f6bb10d3e3a8765ffc01b42dd6a68159abf14c1a8dea2602365bb002d

                SHA512

                6dc0088e685920d63b7898a413d1351b37c5c431d02ffd04c3db42527ec09178641a94abefdaa2dd2a70792240d1caf25f943fe04ca4eb9556a52f9ed17e4a36

              • C:\Windows\system\msvbvm60.dll

                Filesize

                1.4MB

                MD5

                c6e72c1e418663017ccfea1bedf7eee7

                SHA1

                797a84957ebd22647d8e7ac62a81061496ea2ef2

                SHA256

                d6f15036a1fd7489d7c2a04dcb2be2f44dd9a0e752e5206698f7b462970f2e9a

                SHA512

                3f693de5fa31421e9a5c4ecf9182ac654a388a4934bc58b9e5e509419ea0e371d458ed8fe838f742003b3a250347e92ef9c23eac32f2cdca46fe494ff771191c

              • memory/988-310-0x0000000000400000-0x000000000045D000-memory.dmp

                Filesize

                372KB

              • memory/988-73-0x0000000000400000-0x000000000045D000-memory.dmp

                Filesize

                372KB

              • memory/1472-289-0x0000000000400000-0x000000000045D000-memory.dmp

                Filesize

                372KB

              • memory/1472-0-0x0000000000400000-0x000000000045D000-memory.dmp

                Filesize

                372KB

              • memory/2056-57-0x0000000000400000-0x000000000045D000-memory.dmp

                Filesize

                372KB

              • memory/2056-309-0x0000000000400000-0x000000000045D000-memory.dmp

                Filesize

                372KB

              • memory/3436-123-0x0000000000400000-0x000000000045D000-memory.dmp

                Filesize

                372KB

              • memory/3436-312-0x0000000000400000-0x000000000045D000-memory.dmp

                Filesize

                372KB

              • memory/3512-87-0x0000000000400000-0x000000000045D000-memory.dmp

                Filesize

                372KB

              • memory/3512-311-0x0000000000400000-0x000000000045D000-memory.dmp

                Filesize

                372KB

              • memory/3512-315-0x0000000010000000-0x0000000010075000-memory.dmp

                Filesize

                468KB

              • memory/4668-288-0x0000000000400000-0x000000000045D000-memory.dmp

                Filesize

                372KB

              • memory/4668-313-0x0000000000400000-0x000000000045D000-memory.dmp

                Filesize

                372KB