72a4f802a0818076f00fdf7ca1710fad0f35244e472a74845f9cf6c2644cc528

Resubmissions

11/03/2025, 16:25

250311-txd2jayygs 10

11/03/2025, 16:25

250311-tw2ffaxqz6 10

11/03/2025, 01:47

250311-b7vsxswzdv 10

09/03/2025, 02:19

250309-cr474awzex 10

Analysis

max time kernel
52s
max time network
47s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2025, 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72a4f802a0818076f00fdf7ca1710fad0f35244e472a74845f9cf6c2644cc528.exe
Size

42.2MB
MD5

357b5f06e0a084f8c37e6a38afa29c76
SHA1

e7de8b81872b571e9e0fe6dcc48c94dfe8d50318
SHA256

72a4f802a0818076f00fdf7ca1710fad0f35244e472a74845f9cf6c2644cc528
SHA512

ab539349cb46cdf4c2ce48569a123abc9634adebe68e0ccd19c89f008692651deb727892c1476796d0229965ed25d96b73735ce9ab86fad2bf67abd65ae9cd36
SSDEEP

786432:M129ofpkXbsydPnpeWjrqBqe4k51vJ8EhsI14StdNoIvTe3HzuREJgIkH5:Y29AwsydPnpXqBq4pmEhh4Sj9Te3TGEk

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	divx.tmp

Executes dropped EXE 2 IoCs

pid	Process
4996	divx.exe
4028	divx.tmp

Loads dropped DLL 2 IoCs

pid	Process
4028	divx.tmp
4028	divx.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	72a4f802a0818076f00fdf7ca1710fad0f35244e472a74845f9cf6c2644cc528.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	divx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	divx.tmp

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	divx.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	divx.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 4996	744	72a4f802a0818076f00fdf7ca1710fad0f35244e472a74845f9cf6c2644cc528.exe	86
PID 744 wrote to memory of 4996	744	72a4f802a0818076f00fdf7ca1710fad0f35244e472a74845f9cf6c2644cc528.exe	86
PID 744 wrote to memory of 4996	744	72a4f802a0818076f00fdf7ca1710fad0f35244e472a74845f9cf6c2644cc528.exe	86
PID 4996 wrote to memory of 4028	4996	divx.exe	90
PID 4996 wrote to memory of 4028	4996	divx.exe	90
PID 4996 wrote to memory of 4028	4996	divx.exe	90

C:\Users\Admin\AppData\Local\Temp\72a4f802a0818076f00fdf7ca1710fad0f35244e472a74845f9cf6c2644cc528.exe
"C:\Users\Admin\AppData\Local\Temp\72a4f802a0818076f00fdf7ca1710fad0f35244e472a74845f9cf6c2644cc528.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:744
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\divx.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\divx.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Users\Admin\AppData\Local\Temp\is-GD665.tmp\divx.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-GD665.tmp\divx.tmp" /SL5="$601D0,40413792,257024,C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\divx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\divx.exe

Filesize
39.1MB

MD5
83638209152822d2c9fe80cc7c634651

SHA1
c77ff7890d935d19fe2c4d3d0ad933247e383e32

SHA256
777159af2544a2bd9d7bff6c6c120981325c580939d276235904c8be1bc6922c

SHA512
34dd370511691037507eb395ba18bc5c65ff7527ec6681f1e05930a96ea583064788c1e9a380b9210971b817c9e92381019e76ba846d064dd3a2d210e937e959

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GD665.tmp\divx.tmp

Filesize
1.3MB

MD5
77d3db03dfcb155bfdc21eea46158565

SHA1
7ef9f5a1ed81052c8a7a53c6bfbdcad46817f971

SHA256
58e366192e500acd1c9e8bcad208ec4b36e19072ca03a1f8d9da99e4002c6d45

SHA512
546b71cb5244e9813501e425437b0abd5041be313a1bb12e2976a471c6fe83ac083849d72686ad7401289cf164eef176d830e81acb90a6e7ff8823f1bbc316a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MVSUC.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MVSUC.tmp\klcp_detect.dll

Filesize
55KB

MD5
5b4eaa57dce5f61687513fdec129282e

SHA1
66f2bd1b49c3bdba54923e93cfcf3548748b99c7

SHA256
7be1d61459c0ce007aa12d0fe0d747775897827f0da6c90c3a189f02b878beb8

SHA512
9e62764e241aaec8b773699097465f21a7abba0e1bdf00af1fa1d4e6418475199e9acf2e568a819f875ca8227ee23dc203a45c923fa83c4185a2375a96518b00

Download Submit
memory/4028-13-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/4028-28-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/4028-30-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/4028-32-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/4028-34-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/4996-9-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/4996-6-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4996-27-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads