4cd2770019a6b3805f634040b15036302e59f8ab2002998c0a77515986d895a7

Resubmissions

21-11-2024 10:49

241121-mwpcjssblr 7

21-11-2024 10:37

241121-mnt8tswkbk 7

Analysis

max time kernel
606s
max time network
1635s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PYXXW.exe
Size

2.2MB
MD5

0c31c740de5447523acc97e4e5154169
SHA1

4e43466e669b8666ab87fc7e4ac2cc28512d8068
SHA256

4cd2770019a6b3805f634040b15036302e59f8ab2002998c0a77515986d895a7
SHA512

39616f98b1b1e1f24180fc0bfef247c249c51c6e823be1a9ce6f59e55e2997e850db192f3befb774421a530131e2b9436859372eca382e0dc7529a4fbeea1a6b
SSDEEP

24576:nawwKusHwEwSDMnWWTeXrzZw/BSCpC8Uy/BHNs6rkHOQQ8e4Vl03RMDF9E5WwYEI:3wREDDMtWw/Ex6sPO6V6GF9wYERyH

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	PYXXW.tmp

Executes dropped EXE 3 IoCs

pid	Process
3536	PYXXW.tmp
1596	AutoClicker.exe
1868	AutoClicker.exe

Drops file in Program Files directory 53 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\AutoClicker\Microsoft.Bcl.AsyncInterfaces.dll	PYXXW.tmp
File opened for modification	C:\Program Files\AutoClicker\Microsoft.Practices.Prism.dll	PYXXW.tmp
File opened for modification	C:\Program Files\AutoClicker\System.Numerics.Vectors.dll	PYXXW.tmp
File created	C:\Program Files\AutoClicker\is-MK4T3.tmp	PYXXW.tmp
File created	C:\Program Files\AutoClicker\is-0NC71.tmp	PYXXW.tmp
File created	C:\Program Files\AutoClicker\is-UF0A1.tmp	PYXXW.tmp
File opened for modification	C:\Program Files\AutoClicker\System.Windows.Interactivity.dll	PYXXW.tmp
File created	C:\Program Files\AutoClicker\is-JOLT5.tmp	PYXXW.tmp
File opened for modification	C:\Program Files\AutoClicker\System.Runtime.CompilerServices.Unsafe.dll	PYXXW.tmp
File created	C:\Program Files\AutoClicker\is-NDRJC.tmp	PYXXW.tmp
File opened for modification	C:\Program Files\AutoClicker\System.Text.Json.dll	PYXXW.tmp
File created	C:\Program Files\AutoClicker\is-ABQNG.tmp	PYXXW.tmp
File created	C:\Program Files\AutoClicker\Resources\Icons\is-NH2UT.tmp	PYXXW.tmp
File created	C:\Program Files\AutoClicker\Resources\Icons\is-UDOLD.tmp	PYXXW.tmp
File created	C:\Program Files\AutoClicker\is-C0BJO.tmp	PYXXW.tmp
File opened for modification	C:\Program Files\AutoClicker\System.ValueTuple.dll	PYXXW.tmp
File created	C:\Program Files\AutoClicker\is-G9S5D.tmp	PYXXW.tmp
File created	C:\Program Files\AutoClicker\is-VSV2A.tmp	PYXXW.tmp
File created	C:\Program Files\AutoClicker\is-RIFG5.tmp	PYXXW.tmp
File created	C:\Program Files\AutoClicker\is-PBIM1.tmp	PYXXW.tmp
File opened for modification	C:\Program Files\AutoClicker\System.Memory.dll	PYXXW.tmp
File created	C:\Program Files\AutoClicker\is-17M0K.tmp	PYXXW.tmp
File created	C:\Program Files\AutoClicker\is-08E6R.tmp	PYXXW.tmp
File created	C:\Program Files\AutoClicker\AutoClickerUpdate.bat	PYXXW.tmp
File opened for modification	C:\Program Files\AutoClicker\AutoClicker.exe	PYXXW.tmp
File opened for modification	C:\Program Files\AutoClicker\System.Text.Encodings.Web.dll	PYXXW.tmp
File created	C:\Program Files\AutoClicker\is-3R0HN.tmp	PYXXW.tmp
File created	C:\Program Files\AutoClicker\is-LDK8R.tmp	PYXXW.tmp
File created	C:\Program Files\AutoClicker\is-4JRUT.tmp	PYXXW.tmp
File created	C:\Program Files\AutoClicker\is-Q4S7T.tmp	PYXXW.tmp
File created	C:\Program Files\AutoClicker\is-M5MVL.tmp	PYXXW.tmp
File opened for modification	C:\Program Files\AutoClicker\System.Threading.Tasks.Extensions.dll	PYXXW.tmp
File created	C:\Program Files\AutoClicker\Resources\Icons\is-30V1P.tmp	PYXXW.tmp
File created	C:\Program Files\AutoClicker\is-PNTSN.tmp	PYXXW.tmp
File opened for modification	C:\Program Files\AutoClicker\System.Buffers.dll	PYXXW.tmp
File opened for modification	C:\Program Files\AutoClicker\Serilog.Sinks.Console.dll	PYXXW.tmp
File created	C:\Program Files\AutoClicker\is-4S2HI.tmp	PYXXW.tmp
File created	C:\Program Files\AutoClicker\is-QEFT2.tmp	PYXXW.tmp
File created	C:\Program Files\AutoClicker\is-TQ55E.tmp	PYXXW.tmp
File created	C:\Program Files\AutoClicker\Resources\is-BJ2LJ.tmp	PYXXW.tmp
File created	C:\Program Files\AutoClicker\is-4OOR9.tmp	PYXXW.tmp
File opened for modification	C:\Program Files\AutoClicker\CommonServiceLocator.dll	PYXXW.tmp
File opened for modification	C:\Program Files\AutoClicker\Serilog.Sinks.File.dll	PYXXW.tmp
File created	C:\Program Files\AutoClicker\is-OCDNG.tmp	PYXXW.tmp
File created	C:\Program Files\AutoClicker\is-LMTD7.tmp	PYXXW.tmp
File created	C:\Program Files\AutoClicker\is-SBBVC.tmp	PYXXW.tmp
File created	C:\Program Files\AutoClicker\is-I0N47.tmp	PYXXW.tmp
File created	C:\Program Files\AutoClicker\is-RTEO3.tmp	PYXXW.tmp
File created	C:\Program Files\AutoClicker\is-P7ESG.tmp	PYXXW.tmp
File opened for modification	C:\Program Files\AutoClicker\Serilog.dll	PYXXW.tmp
File created	C:\Program Files\AutoClicker\is-N4KED.tmp	PYXXW.tmp
File created	C:\Program Files\AutoClicker\is-9F0G8.tmp	PYXXW.tmp
File created	C:\Program Files\AutoClicker\is-TN3BJ.tmp	PYXXW.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PYXXW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PYXXW.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3536	PYXXW.tmp
3536	PYXXW.tmp
1868	AutoClicker.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1868	AutoClicker.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3536	PYXXW.tmp
1596	AutoClicker.exe
1596	AutoClicker.exe
1596	AutoClicker.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1596	AutoClicker.exe
1596	AutoClicker.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 3536	4456	PYXXW.exe	81
PID 4456 wrote to memory of 3536	4456	PYXXW.exe	81
PID 4456 wrote to memory of 3536	4456	PYXXW.exe	81
PID 3536 wrote to memory of 1596	3536	PYXXW.tmp	82
PID 3536 wrote to memory of 1596	3536	PYXXW.tmp	82
PID 3536 wrote to memory of 4952	3536	PYXXW.tmp	85
PID 3536 wrote to memory of 4952	3536	PYXXW.tmp	85
PID 3536 wrote to memory of 4952	3536	PYXXW.tmp	85
PID 4952 wrote to memory of 1868	4952	cmd.exe	87
PID 4952 wrote to memory of 1868	4952	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\PYXXW.exe
"C:\Users\Admin\AppData\Local\Temp\PYXXW.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Users\Admin\AppData\Local\Temp\is-9L72U.tmp\PYXXW.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9L72U.tmp\PYXXW.tmp" /SL5="$70166,1362357,857600,C:\Users\Admin\AppData\Local\Temp\PYXXW.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3536
- - C:\Program Files\AutoClicker\AutoClicker.exe
    "C:\Program Files\AutoClicker\AutoClicker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files\AutoClicker\AutoClickerUpdate.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4952
  - - C:\Program Files\AutoClicker\AutoClicker.exe
      AutoClicker.exe /update
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\AutoClicker\AutoClicker.exe

Filesize
217KB

MD5
1fc1854f81e865ebd44de80a721101cd

SHA1
465777fecb869232fc0892cfcfff50a2028b0acd

SHA256
b7277c0a2760d30b1fe464de44fbe0dcf162f1e5d25595588a583a7577ade250

SHA512
72ac55477eca1118a3d00c0de23b842408bd3c1da1d6a4ab4ab717f364c0a2b18e40b896731cc72d9825c8cb59dc2795acaaab33b46bc8400282595995760a8d

Download Submit
C:\Program Files\AutoClicker\AutoClicker.exe.config

Filesize
565B

MD5
ccf2419187b9583166f17a82971d6ec5

SHA1
3bebb957e0544d7e745823cb4d2b3b9fffad8440

SHA256
a52a88fea8cbfc4465bfa4d520879c29c5f2366502db608f490b42a45658ee52

SHA512
843ef6024919683fbc71bdfc6910863eeb0d4fc0afe2c103a7f525e60ef2c7503b096074ff3ea4e0e32ad44def3d438e129f4958bb1ed147c759cd12a1ace1eb

Download Submit
C:\Program Files\AutoClicker\AutoClickerUpdate.bat

Filesize
89B

MD5
86125fafcf3a7c569c9629e77d4f1caa

SHA1
6aa1981e114f00d13d2109ecd45145de65dd895e

SHA256
c559fd909c052bb65c009129ca29ae6cc2023f8446e59ed4bea92e2a35865446

SHA512
26d64b9602038495aaee61c22bd81ca1d3bdc1f23a38d6c50ea42018ef3decadfccfb0b882931fa0658a7feb5137cdf4cd6bd62cab19a525e2389753aaceeae6

Download Submit
C:\Program Files\AutoClicker\Resources\Icons\location-crosshairs-solid.ico

Filesize
4KB

MD5
5363e77e69e003bcd8cde06f34c3c884

SHA1
8b364c849a4ea39d402f5b3bcded0166f6b275eb

SHA256
2d221f00ad119037fa63cd4e347c6cb9a2d48dc99614677e926cc4b5a1fc6c95

SHA512
66be91c3afac037571c7b3a02dbe1d6b29280f45967b10581846750fdc13245bbb08b281014701107bc9e2e0171c855fa21b74379f8e4ff12b7d66cca77a0230

Download Submit
C:\Program Files\AutoClicker\Resources\keyMappings.json

Filesize
13KB

MD5
9086691d3237737d380505930380e319

SHA1
705d51d6a5059b42fa859ca996db63f5205a403b

SHA256
0d3e3c266198d8f68460ec522d2d3915f487afde3dbbf72a052157b2e13374da

SHA512
4ea13554cbb0813df7c398bad1f1a3a8c31dc57cb9ec801ffa386775f1158acd1f62b03721f03e98bee7f5ea5e36a7808db678181abdfb8be83ed4f125fa355c

Download Submit
C:\Program Files\AutoClicker\Serilog.Sinks.Console.dll

Filesize
35KB

MD5
f526bdf426addec5f78065eb870d9058

SHA1
71062e45cc998965e3d0a5b34661e44f30f96938

SHA256
c5be08ce2fb67a7937669cb878134b2832c725ef8f07de7577c150efaad5d1a2

SHA512
e00ab343ccb7e5d7d2cf6228c028e89d956b2ee4c3b230d2846a9e73e3b9ca57085bb11746e7ffab50f99a19207e3dfdb96915eca67c1d3585d338724f7988a4

Download Submit
C:\Program Files\AutoClicker\Serilog.Sinks.File.dll

Filesize
32KB

MD5
c25357a7950dcfc7f85ee9d593cb1a24

SHA1
6a533712852465ab3c11b5c76004312d6482f07f

SHA256
5b70dc2eeceb1963f9c3690c1cc8ffa793b280e903fa9a31780e6a7bb0bdfcf9

SHA512
30ca628b17b2a51bd9974fe1380caf728e7826c2bb552e4bc5ac15be8f819e908fc1744932db23734fec64e0f2c758372d8c49d019407efdfb076133c6df70c6

Download Submit
C:\Program Files\AutoClicker\Serilog.dll

Filesize
123KB

MD5
0aa45a8a1cd24cd2b589e4aad925f35d

SHA1
0dc29954c4c2ffea4c33af0e56ce84158849b81e

SHA256
7a26a473af5eb7a00196e275c86d773f36e1d4caef566f97f1df7e07e20b1670

SHA512
7a865b16633c09bdecda34fdf15c62db4f04f2fb8db0abf57563aea51de67daf9eca0c08f053f551937a0c3c7987a53de2454ecb13139a193291633df7262981

Download Submit
C:\Program Files\AutoClicker\System.Buffers.dll

Filesize
20KB

MD5
ecdfe8ede869d2ccc6bf99981ea96400

SHA1
2f410a0396bc148ed533ad49b6415fb58dd4d641

SHA256
accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb

SHA512
5fc7fee5c25cb2eee19737068968e00a00961c257271b420f594e5a0da0559502d04ee6ba2d8d2aad77f3769622f6743a5ee8dae23f8f993f33fb09ed8db2741

Download Submit
C:\Program Files\AutoClicker\System.Memory.dll

Filesize
137KB

MD5
6fb95a357a3f7e88ade5c1629e2801f8

SHA1
19bf79600b716523b5317b9a7b68760ae5d55741

SHA256
8e76318e8b06692abf7dab1169d27d15557f7f0a34d36af6463eff0fe21213c7

SHA512
293d8c709bc68d2c980a0df423741ce06d05ff757077e63986d34cb6459f9623a024d12ef35a280f50d3d516d98abe193213b9ca71bfde2a9fe8753b1a6de2f0

Download Submit
C:\Program Files\AutoClicker\System.Numerics.Vectors.dll

Filesize
113KB

MD5
aaa2cbf14e06e9d3586d8a4ed455db33

SHA1
3d216458740ad5cb05bc5f7c3491cde44a1e5df0

SHA256
1d3ef8698281e7cf7371d1554afef5872b39f96c26da772210a33da041ba1183

SHA512
0b14a039ca67982794a2bb69974ef04a7fbee3686d7364f8f4db70ea6259d29640cbb83d5b544d92fa1d3676c7619cd580ff45671a2bb4753ed8b383597c6da8

Download Submit
C:\Program Files\AutoClicker\System.Runtime.CompilerServices.Unsafe.dll

Filesize
16KB

MD5
9a341540899dcc5630886f2d921be78f

SHA1
bab44612721c3dc91ac3d9dfca7c961a3a511508

SHA256
3cadcb6b8a7335141c7c357a1d77af1ff49b59b872df494f5025580191d1c0d5

SHA512
066984c83de975df03eee1c2b5150c6b9b2e852d9caf90cfd956e9f0f7bd5a956b96ea961b26f7cd14c089bc8a27f868b225167020c5eb6318f66e58113efa37

Download Submit
C:\Program Files\AutoClicker\System.Text.Encodings.Web.dll

Filesize
66KB

MD5
e8cdacfd2ef2f4b3d1a8e6d59b6e3027

SHA1
9a85d938d8430a73255a65ea002a7709c81a4cf3

SHA256
edf13ebf2d45152e26a16b947cd953aeb7a42602fa48e53fd7673934e5acea30

SHA512
ee1005270305b614236d68e427263b4b4528ad3842057670fad061867286815577ec7d3ed8176e6683d723f9f592abcbf28d24935ce8a34571ab7f1720e2ffc5

Download Submit
C:\Program Files\AutoClicker\System.Text.Json.dll

Filesize
347KB

MD5
38470ca21414a8827c24d8fe0438e84b

SHA1
1c394a150c5693c69f85403f201caa501594b7ab

SHA256
2c7435257690ac95dc03b45a236005124097f08519adf3134b1d1ece4190e64c

SHA512
079f7320cc2f3b97a5733725d3b13dff17b595465159daabca5a166d39777100e5a2d9af2a75989dfabdb2f29eac0710e16c3bb2660621344b7a63c5dbb87ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9L72U.tmp\PYXXW.tmp

Filesize
3.2MB

MD5
bcf1478e2217221b21eec151c1799dc0

SHA1
d4e92222158d356a59741c14f0d245f98e5b64de

SHA256
acd8804789b64e208243881da188f779d90b93675c46917bc51fb2f8cdad725b

SHA512
e06ccb12bb8711be990162e57ffba0c42fe7fb30e9478d672e1d4a717de201fd30777ebfc2802425f5390e8dc5036af69f6ab2fc9012184bebd5d47250451380

Download Submit
memory/1596-101-0x00000249FD3D0000-0x00000249FD3DE000-memory.dmp

Filesize
56KB

Download
memory/1596-93-0x00000249FB610000-0x00000249FB648000-memory.dmp

Filesize
224KB

Download
memory/1596-111-0x00000249FF220000-0x00000249FF228000-memory.dmp

Filesize
32KB

Download
memory/1596-113-0x00000249FF540000-0x00000249FF554000-memory.dmp

Filesize
80KB

Download
memory/1596-118-0x00000249FF5C0000-0x00000249FF5F8000-memory.dmp

Filesize
224KB

Download
memory/1596-119-0x00000249FF200000-0x00000249FF20E000-memory.dmp

Filesize
56KB

Download
memory/1596-117-0x00000249FBA80000-0x00000249FBA88000-memory.dmp

Filesize
32KB

Download
memory/1596-108-0x00000249FF210000-0x00000249FF21A000-memory.dmp

Filesize
40KB

Download
memory/1596-131-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp

Filesize
10.8MB

Download
memory/1596-109-0x00000249FF260000-0x00000249FF268000-memory.dmp

Filesize
32KB

Download
memory/1596-95-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp

Filesize
10.8MB

Download
memory/1596-106-0x00000249FF480000-0x00000249FF4A6000-memory.dmp

Filesize
152KB

Download
memory/1596-94-0x00000249FF650000-0x00000249FF812000-memory.dmp

Filesize
1.8MB

Download
memory/1596-115-0x00000249FF560000-0x00000249FF57E000-memory.dmp

Filesize
120KB

Download
memory/1596-103-0x00000249FF4E0000-0x00000249FF53A000-memory.dmp

Filesize
360KB

Download
memory/1596-92-0x00007FFE4CDD3000-0x00007FFE4CDD5000-memory.dmp

Filesize
8KB

Download
memory/1596-99-0x00000249FBA90000-0x00000249FBAA0000-memory.dmp

Filesize
64KB

Download
memory/1596-130-0x00007FFE4CDD3000-0x00007FFE4CDD5000-memory.dmp

Filesize
8KB

Download
memory/1596-97-0x00000249FF230000-0x00000249FF256000-memory.dmp

Filesize
152KB

Download
memory/1868-124-0x000002079BFD0000-0x000002079C4F8000-memory.dmp

Filesize
5.2MB

Download
memory/3536-127-0x00000000006C0000-0x00000000009FF000-memory.dmp

Filesize
3.2MB

Download
memory/3536-6-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/4456-0-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4456-129-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4456-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download