38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

08-02-2025 06:10

250208-gw53ea1mhp 10

01-02-2025 10:25

250201-mf4saszmgl 10

01-02-2025 10:23

250201-metkyaxqdt 10

Analysis

max time kernel
147s
max time network
131s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-01-2025 13:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Size

669KB
MD5

ead18f3a909685922d7213714ea9a183
SHA1

1270bd7fd62acc00447b30f066bb23f4745869bf
SHA256

5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18
SHA512

6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91
SSDEEP

6144:bLUHLyHlwFjxDi2nEZkQ4NXxp0XMgkBWPqdN/jGdfYY7SRA7j4YlvfYAAjJ:4uFi02nEZh4jp0XLuxGdgTm73vL

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2768	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0d3cca6f-a1f3-4344-85b0-01839c7a1aac\\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe\" --AutoStart"	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	api.2ip.ua
26	api.2ip.ua
29	api.2ip.ua
31	api.2ip.ua
4	api.2ip.ua
5	api.2ip.ua

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral15/memory/2696-0-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral15/files/0x000600000001a4e0-18.dat	upx
behavioral15/memory/2744-24-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral15/memory/2744-26-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral15/memory/352-43-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral15/memory/748-69-0x0000000000400000-0x00000000004A9000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2696	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
2696	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
2744	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
2744	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
352	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
352	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1772	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1772	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
748	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
748	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2768	2696	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	31
PID 2696 wrote to memory of 2768	2696	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	31
PID 2696 wrote to memory of 2768	2696	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	31
PID 2696 wrote to memory of 2768	2696	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	31
PID 2696 wrote to memory of 2744	2696	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	32
PID 2696 wrote to memory of 2744	2696	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	32
PID 2696 wrote to memory of 2744	2696	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	32
PID 2696 wrote to memory of 2744	2696	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	32
PID 2744 wrote to memory of 352	2744	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	37
PID 2744 wrote to memory of 352	2744	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	37
PID 2744 wrote to memory of 352	2744	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	37
PID 2744 wrote to memory of 352	2744	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	37
PID 2744 wrote to memory of 1772	2744	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	38
PID 2744 wrote to memory of 1772	2744	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	38
PID 2744 wrote to memory of 1772	2744	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	38
PID 2744 wrote to memory of 1772	2744	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	38
PID 352 wrote to memory of 748	352	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	39
PID 352 wrote to memory of 748	352	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	39
PID 352 wrote to memory of 748	352	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	39
PID 352 wrote to memory of 748	352	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	39

C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\Users\Admin\AppData\Local\0d3cca6f-a1f3-4344-85b0-01839c7a1aac" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:2768
- C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
  "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Admin IsNotAutoStart IsNotTask
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsNotTask
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:352
  - - C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 352 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:748
- - C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 2744 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
c9be626e9715952e9b70f92f912b9787

SHA1
aa2e946d9ad9027172d0d321917942b7562d6abe

SHA256
c13e8d22800c200915f87f71c31185053e4e60ca25de2e41e160e09cd2d815d4

SHA512
7581b7c593785380e9db3ae760af85c1a889f607a3cd2aa5a2695a0e5a0fe8ee751578e88f7d8c997faeda804e2fc2655d859bee2832eace526ed4379edaa3f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
aa967cb5ed3f560c5c2970ceccd89e3c

SHA1
9d6fa26b269a628f46b126fa69fe43fc183ca94e

SHA256
cf1ba6a74fd69fc02e1c443391679e84ba4e4f96c96190cb5932ae1a0aeb7dfa

SHA512
22296cf812dbc9da8b128823de9628a92fd6d09d61dbeef72aacc48ac941877748eed55a5fd0ca52800f3f32fef7af163f59af9c511b8f857deb98eb8582c60d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
16f5eadd1a4b00e17a9261ef10afc520

SHA1
b8bde58663a74c05255f339f4c7da3c50a37b3f2

SHA256
83a9579d827b31fcb3e3021a407baf587ba277d850ec19e9772368f6079f30d3

SHA512
436cd41abf324cdb5a1acfcc464528b48b19f37e57afb03b4ac00bccc2924165b566afba2c254d40178ba83dd8b5a3035c5baac13f18708ffceecc13ffde6aa6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
2355bc5de55347afe6590e08fff1342a

SHA1
b8ccb8a3c089aa831e11ecf04c3cf6d4b7e021ed

SHA256
ce565c21b6e9c4d6177a86dfc87b503de53cefe0bc04b53847343f6b55c225dc

SHA512
c10b67a26ae49a6497071a784917e54617775843776b1a7a1c70c973d5b9ea59d1a61d2b1732674b868d1273a382d89f5d8af7f6af859f0d34e2a253679d0875

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
7e297a7ade0ceecda2e043a186abc329

SHA1
32d6a4a9a730c97cb6a5bd0432e8d3a6cd4b88f3

SHA256
215f69c32f1ad64ce13dfb683dada89449bcee6398d991cd54f9823e2c2fa329

SHA512
9082bd19eb5f1d6a49fef5f14dd484805076dcc0b3799b028327078ab23cc3df0c4bf83eac022519284772ca53c10cf20bcd9bf23af43f21a08aa78e9d3242b8

Download Submit
C:\Users\Admin\AppData\Local\0d3cca6f-a1f3-4344-85b0-01839c7a1aac\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Filesize
669KB

MD5
ead18f3a909685922d7213714ea9a183

SHA1
1270bd7fd62acc00447b30f066bb23f4745869bf

SHA256
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

SHA512
6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAC17.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2A7B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/352-68-0x00000000038D0000-0x0000000003979000-memory.dmp

Filesize
676KB

Download
memory/352-43-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/352-79-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/748-69-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/748-78-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1772-82-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2696-21-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2696-22-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/2696-2-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/2696-3-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2696-19-0x0000000003A90000-0x0000000003B39000-memory.dmp

Filesize
676KB

Download
memory/2696-23-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2696-0-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2744-26-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2744-27-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2744-24-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2744-41-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2744-39-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2744-44-0x0000000002910000-0x00000000029B9000-memory.dmp

Filesize
676KB

Download
memory/2744-80-0x0000000002910000-0x00000000029B9000-memory.dmp

Filesize
676KB

Download
memory/2744-81-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2744-42-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download