Analysis
max time kernel: 126s
max time network: 110s
platform: windows10_x64
resource: win10v20210410
submitted: 16-04-2021 11:11

Static task: static1
Behavioral task: behavioral1
  Sample: 43f99c7803096733f587609de930cc8f7f7efa089df450adca6d07d9e4d7eaf5.bin.exe
  Resource: win7v20210408
  Platform: windows7_x64
  0 signatures, 0 seconds
General
Target: 43f99c7803096733f587609de930cc8f7f7efa089df450adca6d07d9e4d7eaf5.bin.exe
Size: 11.2MB
MD5: 885048c2a7156ec45ad6ea9cb3e31fba
SHA1: e9c35853bed083c1b16c9004bb0120b57ab3e425
SHA256: 43f99c7803096733f587609de930cc8f7f7efa089df450adca6d07d9e4d7eaf5
SHA512: de1c4f1c70253d3123e5d6b458846610457f994ecc8e63ab26b5e65b28d509d9b76065640e30705629e8db606532a15f24eed738b77d8734559fd78c4fe18507
Malware Config
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes:
  description | pid | process | target process
  PID 2692 created 2204 | 2692 | svchost.exe | 43f99c7803096733f587609de930cc8f7f7efa089df450adca6d07d9e4d7eaf5.bin.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | 43f99c7803096733f587609de930cc8f7f7efa089df450adca6d07d9e4d7eaf5.bin.exe
Modifies data under HKEY_USERS (2 IoCs)
Processes:
  description | ioc | process
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | 43f99c7803096733f587609de930cc8f7f7efa089df450adca6d07d9e4d7eaf5.bin.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall" | 43f99c7803096733f587609de930cc8f7f7efa089df450adca6d07d9e4d7eaf5.bin.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes:
  pid | process
  2204 | 43f99c7803096733f587609de930cc8f7f7efa089df450adca6d07d9e4d7eaf5.bin.exe (6 occurrences)
  4032 | 43f99c7803096733f587609de930cc8f7f7efa089df450adca6d07d9e4d7eaf5.bin.exe (4 occurrences)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2204 | 43f99c7803096733f587609de930cc8f7f7efa089df450adca6d07d9e4d7eaf5.bin.exe
  Token: SeTcbPrivilege | 2692 | svchost.exe
  Token: SeTcbPrivilege | 2692 | svchost.exe
  Token: SeTakeOwnershipPrivilege | 4032 | 43f99c7803096733f587609de930cc8f7f7efa089df450adca6d07d9e4d7eaf5.bin.exe
  Token: SeTcbPrivilege | 4032 | 43f99c7803096733f587609de930cc8f7f7efa089df450adca6d07d9e4d7eaf5.bin.exe
Suspicious use of SetWindowsHookEx (8 IoCs)
Processes:
  pid | process
  2204 | 43f99c7803096733f587609de930cc8f7f7efa089df450adca6d07d9e4d7eaf5.bin.exe (4 occurrences)
  4032 | 43f99c7803096733f587609de930cc8f7f7efa089df450adca6d07d9e4d7eaf5.bin.exe (4 occurrences)
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description | pid | process | target process
  PID 2692 wrote to memory of 4032 | 2692 | svchost.exe | 43f99c7803096733f587609de930cc8f7f7efa089df450adca6d07d9e4d7eaf5.bin.exe
  PID 2692 wrote to memory of 4032 | 2692 | svchost.exe | 43f99c7803096733f587609de930cc8f7f7efa089df450adca6d07d9e4d7eaf5.bin.exe
  PID 2692 wrote to memory of 4032 | 2692 | svchost.exe | 43f99c7803096733f587609de930cc8f7f7efa089df450adca6d07d9e4d7eaf5.bin.exe
Processes
C:\Users\Admin\AppData\Local\Temp\43f99c7803096733f587609de930cc8f7f7efa089df450adca6d07d9e4d7eaf5.bin.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\43f99c7803096733f587609de930cc8f7f7efa089df450adca6d07d9e4d7eaf5.bin.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\43f99c7803096733f587609de930cc8f7f7efa089df450adca6d07d9e4d7eaf5.bin.exe (level 2, child of the process above)
    Command line: C:\Users\Admin\AppData\Local\Temp\43f99c7803096733f587609de930cc8f7f7efa089df450adca6d07d9e4d7eaf5.bin.exe -second
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

\??\c:\windows\system32\svchost.exe (level 1)
  Command line: c:\windows\system32\svchost.exe -k netsvcs -s seclogon
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory