Analysis

Max time kernel:   138s
Max time network:  157s
Platform:          windows10-2004_x64
Resource:          win10v2004-20220414-en
Submitted:         19/04/2022, 04:12

Tasks
Static task:       static1
Behavioral task:   behavioral1
  Sample:          asdf.exe
  Resource:        win7-20220414-en
  Signatures:      0
  Runtime:         0 seconds
General

Target:  asdf.exe
Size:    100KB
MD5:     c7a310982da68b10360854f9cd78e718
SHA1:    60140c28e0b7db797a771c2dee081fa3812246db
SHA256:  df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731
SHA512:  6747fa3f7637922eeaa0feeb25d430dc6ab66fd9f3d22e7e5fd16bad9b75528a8174c34a8baf681950b64e8cdaa6a14e37633592e843c363e75468622ebd2ec3
Malware Config

Extracted
Family:  arkei
Botnet:  Default
Signatures

Checks computer location settings  (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check (the sample decides whether to run based on the victim's configured country).
  Description:   Key value queried
  IoC:           \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
  Process:       asdf.exe

Suspicious use of SetThreadContext  (1 IoC)
  Description:   PID 1676 set thread context of 416
  PID:           1676
  Process:       asdf.exe
  procid_target: 82

Suspicious behavior: EnumeratesProcesses  (2 IoCs)
  PID     Process
  1676    asdf.exe
  1676    asdf.exe

Suspicious use of AdjustPrivilegeToken  (1 IoC)
  Description:   Token: SeDebugPrivilege
  PID:           1676
  Process:       asdf.exe

Suspicious use of WriteProcessMemory  (10 IoCs)
  Description:   PID 1676 wrote to memory of 416
  PID:           1676
  Process:       asdf.exe
  procid_target: 82
  (the same row is recorded 10 times, i.e. ten separate writes into PID 416)

Taken together, these entries are consistent with process hollowing: asdf.exe spawns the signed, legitimate MSBuild.exe as a child (PID 416), writes into its memory repeatedly, and then calls SetThreadContext on it so the host's thread is redirected into the written payload. The SeDebugPrivilege adjustment and process enumeration are the usual preparation for that. Detection should key on the combination (WriteProcessMemory plus SetThreadContext from a user-writable path into a .NET framework binary), not on any one call, since each is also used by debuggers and installers.
Processes

1. C:\Users\Admin\AppData\Local\Temp\asdf.exe  (PID 1676)
   Command line: "C:\Users\Admin\AppData\Local\Temp\asdf.exe"
   - Checks computer location settings
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  (PID 416, child of PID 1676)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
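As an added example (not part of this sandbox report or the sandbox's own tooling), the following Python correlates a stream of sandbox-style behavioral events into two higher-level findings: the Geo\Nation registry lookup, and the WriteProcessMemory-plus-SetThreadContext pattern from a temp-directory executable into a .NET framework host. The event schema, the HOLLOWING_HOSTS list and the user-writable-path heuristic are assumptions of the example; the sample events are constructed to mirror the PIDs, paths and registry key reported above, plus a constructed control case with a memory write but no context change.

```python
"""Correlate sandbox-style behavioral events into higher-level findings.

Added example, not code from the sandbox report. The event schema, the
HOLLOWING_HOSTS list and the user-writable-path heuristic are assumptions;
the sample events are constructed to mirror the report above.
"""
import ntpath
from collections import defaultdict

# Assumption: signed .NET framework binaries that loaders commonly start
# suspended and overwrite with their payload. Extend for your environment.
HOLLOWING_HOSTS = {
    "msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
    "aspnet_compiler.exe", "applaunch.exe",
}

# Registry value a geofenced sample reads to learn the configured country.
GEO_KEY_SUFFIX = r"\control panel\international\geo\nation"

# Constructed events mirroring the report: PID 1676 (asdf.exe) queries the
# geo key, enables SeDebugPrivilege, spawns MSBuild.exe as PID 416, writes to
# it ten times, then sets its thread context.
SID = "S-1-5-21-2632097139-1792035885-811742494-1000"
EVENTS = [
    {"op": "process_start", "pid": 1676, "ppid": 4242,
     "image": r"C:\Users\Admin\AppData\Local\Temp\asdf.exe"},
    {"op": "reg_query", "pid": 1676,
     "key": "\\REGISTRY\\USER\\" + SID
            + "\\Control Panel\\International\\Geo\\Nation"},
    {"op": "adjust_privilege", "pid": 1676, "privilege": "SeDebugPrivilege"},
    {"op": "process_start", "pid": 416, "ppid": 1676,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
    *[{"op": "write_process_memory", "pid": 1676, "target_pid": 416}
      for _ in range(10)],
    {"op": "set_thread_context", "pid": 1676, "target_pid": 416},
]

# Constructed control case: a memory write with no thread-context change
# must not be reported as hollowing.
BENIGN_EVENTS = [
    {"op": "process_start", "pid": 900, "ppid": 1,
     "image": r"C:\Program Files\Tool\tool.exe"},
    {"op": "process_start", "pid": 901, "ppid": 900,
     "image": r"C:\Program Files\Tool\helper.exe"},
    {"op": "write_process_memory", "pid": 900, "target_pid": 901},
]


def is_user_writable_path(image: str) -> bool:
    """Heuristic: does the image live where an unprivileged user can write?"""
    p = image.lower()
    return any(m in p for m in
               ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\"))


def analyze(events):
    """Walk the event stream once and return a list of finding dicts."""
    images = {}                  # pid -> image path
    writes = defaultdict(int)    # (src_pid, dst_pid) -> WriteProcessMemory count
    contexts = set()             # (src_pid, dst_pid) pairs with SetThreadContext
    debug_priv = set()           # pids that enabled SeDebugPrivilege
    findings = []

    for ev in events:
        op = ev["op"]
        if op == "process_start":
            images[ev["pid"]] = ev["image"]
        elif op == "reg_query" and ev["key"].lower().endswith(GEO_KEY_SUFFIX):
            findings.append({"finding": "geofence_check", "pid": ev["pid"],
                             "key": ev["key"]})
        elif op == "adjust_privilege" and ev["privilege"] == "SeDebugPrivilege":
            debug_priv.add(ev["pid"])
        elif op == "write_process_memory":
            writes[(ev["pid"], ev["target_pid"])] += 1
        elif op == "set_thread_context":
            contexts.add((ev["pid"], ev["target_pid"]))

    # Hollowing needs both halves: the payload is written into the target and
    # the target's thread is then redirected into it. A write alone is not enough.
    for src, dst in sorted(contexts):
        if writes.get((src, dst), 0) == 0:
            continue
        src_img, dst_img = images.get(src, ""), images.get(dst, "")
        host = ntpath.basename(dst_img)
        score = 1
        score += host.lower() in HOLLOWING_HOSTS     # signed LOLBin as host
        score += is_user_writable_path(src_img)      # loader dropped in temp
        score += src in debug_priv                   # SeDebugPrivilege enabled
        findings.append({
            "finding": "process_hollowing",
            "source_pid": src, "source_image": src_img,
            "target_pid": dst, "host": host,
            "write_count": writes[(src, dst)],
            "severity": "high" if score >= 3 else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

The scoring deliberately requires the SetThreadContext half before anything is reported, then raises severity for the corroborating signals seen in this report (a .NET framework host, a loader in a user-writable path, SeDebugPrivilege); the same structure maps directly onto EDR telemetry fields if the event dictionaries are replaced with real sensor records.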