31dbe3dcf4a804dac4ac7ff7a2191676dbfbb8ec6abee1c110120056a0f32b83

Analysis

max time kernel
18s
max time network
17s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
21-11-2024 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loaderunpac3.exe
Size

1.1MB
MD5

6901d467b6b8b2635f3841e98e4b613c
SHA1

b2f6c479a159c8103c57c0d0f179b6f0102bd969
SHA256

31dbe3dcf4a804dac4ac7ff7a2191676dbfbb8ec6abee1c110120056a0f32b83
SHA512

6108e5a0d3df6b792121a3c0a44cb1a7fed2163aa7816220c07d7d1b06240fd6bab1e63a2f3ed19fb9e3bacc05786e01b9bcc2ed7e346fae61a2f8b9a2f122cf
SSDEEP

24576:Vu9MQzEf7H539Fc7eApy0Qu0Xiok9VQSnJULVqtI/ob:/QwzB9FRX0919zNtI

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loaderunpac3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3368	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Loaderunpac3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Loaderunpac3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Loaderunpac3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1428	Loaderunpac3.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 1156	1428	Loaderunpac3.exe	89
PID 1428 wrote to memory of 1156	1428	Loaderunpac3.exe	89
PID 1428 wrote to memory of 1156	1428	Loaderunpac3.exe	89
PID 1156 wrote to memory of 1700	1156	cmd.exe	91
PID 1156 wrote to memory of 1700	1156	cmd.exe	91
PID 1156 wrote to memory of 1700	1156	cmd.exe	91
PID 1700 wrote to memory of 3368	1700	cmd.exe	93
PID 1700 wrote to memory of 3368	1700	cmd.exe	93
PID 1700 wrote to memory of 3368	1700	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\Loaderunpac3.exe
"C:\Users\Admin\AppData\Local\Temp\Loaderunpac3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c start cmd /C "color b && title Error && echo You must run the function KeyAuthApp.init(); first && timeout /t 5"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C "color b && title Error && echo You must run the function KeyAuthApp.init(); first && timeout /t 5"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:3368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1428-0-0x000000007441E000-0x000000007441F000-memory.dmp

Filesize
4KB

Download
memory/1428-1-0x00000000003F0000-0x000000000050C000-memory.dmp

Filesize
1.1MB

Download
memory/1428-2-0x0000000005090000-0x0000000005162000-memory.dmp

Filesize
840KB

Download
memory/1428-3-0x0000000074410000-0x0000000074BC1000-memory.dmp

Filesize
7.7MB

Download
memory/1428-4-0x0000000005840000-0x0000000005DE6000-memory.dmp

Filesize
5.6MB

Download
memory/1428-5-0x0000000005330000-0x00000000053C2000-memory.dmp

Filesize
584KB

Download
memory/1428-6-0x00000000052D0000-0x00000000052DA000-memory.dmp

Filesize
40KB

Download
memory/1428-7-0x0000000005520000-0x0000000005716000-memory.dmp

Filesize
2.0MB

Download
memory/1428-8-0x0000000008CA0000-0x0000000008CB2000-memory.dmp

Filesize
72KB

Download
memory/1428-9-0x0000000074410000-0x0000000074BC1000-memory.dmp

Filesize
7.7MB

Download
memory/1428-10-0x000000007441E000-0x000000007441F000-memory.dmp

Filesize
4KB

Download
memory/1428-11-0x0000000074410000-0x0000000074BC1000-memory.dmp

Filesize
7.7MB

Download
memory/1428-12-0x0000000074410000-0x0000000074BC1000-memory.dmp

Filesize
7.7MB

Download
memory/1428-14-0x0000000074410000-0x0000000074BC1000-memory.dmp

Filesize
7.7MB

Download