9ffbdb410011e5def7b3d99c93b053472d16cbb4870bf181bc615a88a69647af

Analysis

max time kernel
104s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Oct 2024 SOA.exe
Size

756KB
MD5

043857927ef282a798f2d188c3279aec
SHA1

2680a6c5db29e0cf2e9f2d3998160037b9cb9da7
SHA256

358900830079215ebfdef56206a4b554e0687c4e81361ebd71ee292d86965343
SHA512

75542276629c59e4329b7aab3baa09d40596468e257c6e7ec304418dc83094a70b8bf3e1953d446eca79f2e89136cefaa8dbf4ff4f963ab80944b4ee1621ee81
SSDEEP

12288:rOv5jKhsfoPA+yeVKUCUxP4C902bdRtJJPiSOgEAmDhyl/qw8VNnWLu2Cm20XJfP:rq5TfcdHj4fmbRiyIw8NWDn20Z75h0w

Score

5^/10

discovery upx

Malware Config

Signatures

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1696-12-0x0000000000DB0000-0x0000000000F5B000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1696 set thread context of 2320	1696	Oct 2024 SOA.exe	83

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1696-0-0x0000000000DB0000-0x0000000000F5B000-memory.dmp	upx
behavioral2/memory/1696-12-0x0000000000DB0000-0x0000000000F5B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oct 2024 SOA.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2320	svchost.exe
2320	svchost.exe
2320	svchost.exe
2320	svchost.exe
2320	svchost.exe
2320	svchost.exe
2320	svchost.exe
2320	svchost.exe
2320	svchost.exe
2320	svchost.exe
2320	svchost.exe
2320	svchost.exe
2320	svchost.exe
2320	svchost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1696	Oct 2024 SOA.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1696	Oct 2024 SOA.exe
1696	Oct 2024 SOA.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1696	Oct 2024 SOA.exe
1696	Oct 2024 SOA.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 2320	1696	Oct 2024 SOA.exe	83
PID 1696 wrote to memory of 2320	1696	Oct 2024 SOA.exe	83
PID 1696 wrote to memory of 2320	1696	Oct 2024 SOA.exe	83
PID 1696 wrote to memory of 2320	1696	Oct 2024 SOA.exe	83

C:\Users\Admin\AppData\Local\Temp\Oct 2024 SOA.exe
"C:\Users\Admin\AppData\Local\Temp\Oct 2024 SOA.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\SysWOW64\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\Oct 2024 SOA.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut8174.tmp

Filesize
281KB

MD5
0afff40b84214c22d435797a0d35074e

SHA1
834dd19bf3b9b3ff5c3e5986fa072aa4332a4e8d

SHA256
60dbcdbdf6242b9a87e041affba728311c4d25ffaaeb67b08b18e7906fb1226c

SHA512
99ebbc84ac09bd8ad3f4482c0cd7bf56bfd05a792c9ff85ae1c3227d859d68e3eef65a19107a39d8e396a9641fcab301cf1ef12f222543ea4588f7bea6e179de

Download Submit
memory/1696-0-0x0000000000DB0000-0x0000000000F5B000-memory.dmp

Filesize
1.7MB

Download
memory/1696-9-0x0000000001100000-0x0000000001500000-memory.dmp

Filesize
4.0MB

Download
memory/1696-12-0x0000000000DB0000-0x0000000000F5B000-memory.dmp

Filesize
1.7MB

Download
memory/2320-10-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2320-13-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2320-14-0x0000000001200000-0x000000000154A000-memory.dmp

Filesize
3.3MB

Download
memory/2320-15-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download