2e402d9779e3b3399479a69016a0912d2b5f705f33c2aa98dd2c819ac0829e28

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-11-2024 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17-10-2024 #20/app stroe.exe
Size

752KB
MD5

50b1390fe325207d2a96fc991b065030
SHA1

ee5f6c76400f1eafec18a674774e31faad150009
SHA256

eb2714d855c5896df7f2bb2c09e1db57c38e7e154c07cb96c5c9e4ec7f9422f2
SHA512

c77b1ceb70553f8250ec09e89a76c9e89c4df6bad444887559adda45effbdb6d80bf1de000d7468f2bdfd16f3015e84cfbd3070d359ed444284ca0e3d369660a
SSDEEP

12288:zhDMjlZ8RZ7QwkMSiakDdUlftrIzoJ3fVR1hj8bgn8mYvTbV9rwvjlDtghOcv:5PRZAiakEfdSQhCgn85vTJ9iwOcv

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	app stroe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	~DFA277.tmp

Executes dropped EXE 3 IoCs

pid	Process
1756	quxevyk.exe
2092	~DFA277.tmp
1636	yzymdak.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	app stroe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	quxevyk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~DFA277.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yzymdak.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe
1636	yzymdak.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2092	~DFA277.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 1756	2132	app stroe.exe	85
PID 2132 wrote to memory of 1756	2132	app stroe.exe	85
PID 2132 wrote to memory of 1756	2132	app stroe.exe	85
PID 1756 wrote to memory of 2092	1756	quxevyk.exe	87
PID 1756 wrote to memory of 2092	1756	quxevyk.exe	87
PID 1756 wrote to memory of 2092	1756	quxevyk.exe	87
PID 2132 wrote to memory of 1860	2132	app stroe.exe	88
PID 2132 wrote to memory of 1860	2132	app stroe.exe	88
PID 2132 wrote to memory of 1860	2132	app stroe.exe	88
PID 2092 wrote to memory of 1636	2092	~DFA277.tmp	106
PID 2092 wrote to memory of 1636	2092	~DFA277.tmp	106
PID 2092 wrote to memory of 1636	2092	~DFA277.tmp	106

C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\app stroe.exe
"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\app stroe.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\quxevyk.exe
  C:\Users\Admin\AppData\Local\Temp\quxevyk.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Users\Admin\AppData\Local\Temp\~DFA277.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA277.tmp OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Users\Admin\AppData\Local\Temp\yzymdak.exe
      "C:\Users\Admin\AppData\Local\Temp\yzymdak.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
276B

MD5
fa241bb53d778e95e5d451463e580d58

SHA1
9f6a150272a3d231fd8f22befca20ce8ce285075

SHA256
1970ccc2659cbe5a7b9b3693ae82b69ead9014a14bfe9c566c09bda1ddb053f7

SHA512
c21b676da6372a06d30bb821dec597bc323edcc580ca6c34d1ca982d2b4a067a606301226a5bf7274267f49657084168a75b167502bb76e44206147bdf3adb95

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
d68790deef9c319c28ab55f382d0f58a

SHA1
2eae1310049b800ef7122b972c70fc15bcff6753

SHA256
d1ff4ceae2ae163622fb73a2e73335983acc4552bc8ba9f6555d08411df0cacf

SHA512
4a0efb23467bc643b6a8452dd4e3aba32f6e2f438315288379df61b4283cf207dd35996c794ebc24e10711cb0f71fda2e272ff9ca7a0d2db24c71ae054abcca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\quxevyk.exe

Filesize
753KB

MD5
cb399a631f49e6deaf5c823969bbde6c

SHA1
a6c84328f7ba2f9f67cc8aa267a1dbd5ef29287a

SHA256
61796bfb0195fcec587e823538afec4e9a91ef1d4f6e75d357b315ae8584319c

SHA512
5e9099907c55b09d2be8cc014d41ecda4fd6206478f5f0271e6cd50ca746219b8646b0a759d5c7c7aed05034ce76b0fde1cbdb63ac3cf5c68477caac713935f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yzymdak.exe

Filesize
404KB

MD5
25a878f3522cf3819bfe4c0561fce967

SHA1
a0e29f02406f9bca6aaf3faf37698d1e310675b8

SHA256
0ad6a9b72cbd668dbdf08dcbb7d7c94faa34177fdf6141b079f12c5038f5230f

SHA512
c79620b1696a052ad2b0900c81c4abebd3363ae0509dfd7f041e6aba1ecc9775d4515fdd3dfa2cfbabb714d1d48a7a199a25e4b4679c7c5ca41eff903be39f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA277.tmp

Filesize
754KB

MD5
f37a871176367bebaf2b096546a7041c

SHA1
641a6b7e5b54f3e60fe29b396257f842b1bab337

SHA256
ee7eca8422de3efade075befb9b5c5522bade8d2a849a70725030225cd53640f

SHA512
6cb5a347479c5632eb351eac34670c38422672ab39d96b44bb9b001db3f984fd451fc2984f5a68bd5799da70280f0141ea41da5f5f5381c0db694fa663cd8bd1

Download Submit
memory/1636-36-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1636-38-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/1636-42-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/1636-41-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1756-19-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2092-21-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2092-40-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2132-0-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2132-16-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download