Analysis
max time kernel
139s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags
arch:x64 arch:x86 image:win10v2004-20230703-en locale:en-us os:windows10-2004-x64 system
submitted
07/07/2023, 12:40
Static task
static1
Behavioral task
behavioral1
Sample
4b88b210f05306exeexeexeex.exe
Resource
win7-20230705-en
Behavioral task
behavioral2
Sample
4b88b210f05306exeexeexeex.exe
Resource
win10v2004-20230703-en
General
Target
4b88b210f05306exeexeexeex.exe
Size
327KB
MD5
4b88b210f053063ea0002ff27777a972
SHA1
dfc65468fe296b7bad474722233fbe1a579dd378
SHA256
603262b52a0605c1e6d1c17c4a978aa0357558ca85b577bc3e95c9697c0db73c
SHA512
027f3173c13a24b5286c4d92a2bf8ba09b627a3bce534beaac99482a36b643ba83bb0d0191f6732d23e8057693e73baa7fbd8c6394908b78dda70778443359e5
SSDEEP
6144:z2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG8KgbPzDh:z2TFafJiHCWBWPMjVWrXK0
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation | 4b88b210f05306exeexeexeex.exe

Executes dropped EXE (2 IoCs)
pid | Process
2664 | winit32.exe
3096 | winit32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (30 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\winit32.exe\" /START \"%1\" %*" | 4b88b210f05306exeexeexeex.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 4b88b210f05306exeexeexeex.exe
Key created | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\ntdriver | 4b88b210f05306exeexeexeex.exe
Key created | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell\open | 4b88b210f05306exeexeexeex.exe
Key created | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell\runas\command | 4b88b210f05306exeexeexeex.exe
Key created | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell\runas | 4b88b210f05306exeexeexeex.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\ntdriver\DefaultIcon\ = "%1" | 4b88b210f05306exeexeexeex.exe
Key created | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\ntdriver\shell\runas | 4b88b210f05306exeexeexeex.exe
Key created | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe | 4b88b210f05306exeexeexeex.exe
Key created | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\DefaultIcon | 4b88b210f05306exeexeexeex.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\ntdriver\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\winit32.exe\" /START \"%1\" %*" | 4b88b210f05306exeexeexeex.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\ntdriver\shell\runas\command\ = "\"%1\" %*" | 4b88b210f05306exeexeexeex.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\ntdriver\shell\runas\command\IsolatedCommand = "\"%1\" %*" | 4b88b210f05306exeexeexeex.exe
Key created | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell\open\command | 4b88b210f05306exeexeexeex.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" | 4b88b210f05306exeexeexeex.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\ntdriver\ = "Application" | 4b88b210f05306exeexeexeex.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\ = "ntdriver" | 4b88b210f05306exeexeexeex.exe
Key created | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings | 4b88b210f05306exeexeexeex.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\ntdriver\Content-Type = "application/x-msdownload" | 4b88b210f05306exeexeexeex.exe
Key created | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\ntdriver\DefaultIcon | 4b88b210f05306exeexeexeex.exe
Key created | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\ntdriver\shell\open | 4b88b210f05306exeexeexeex.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\Content-Type = "application/x-msdownload" | 4b88b210f05306exeexeexeex.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\DefaultIcon\ = "%1" | 4b88b210f05306exeexeexeex.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*" | 4b88b210f05306exeexeexeex.exe
Key created | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\ntdriver\shell\open\command | 4b88b210f05306exeexeexeex.exe
Key created | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\ntdriver\shell | 4b88b210f05306exeexeexeex.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\ntdriver\shell\open\command\IsolatedCommand = "\"%1\" %*" | 4b88b210f05306exeexeexeex.exe
Key created | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\ntdriver\shell\runas\command | 4b88b210f05306exeexeexeex.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" | 4b88b210f05306exeexeexeex.exe
Key created | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell | 4b88b210f05306exeexeexeex.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2664 | winit32.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4604 wrote to memory of 2664 | 4604 | 4b88b210f05306exeexeexeex.exe | 85
PID 4604 wrote to memory of 2664 | 4604 | 4b88b210f05306exeexeexeex.exe | 85
PID 4604 wrote to memory of 2664 | 4604 | 4b88b210f05306exeexeexeex.exe | 85
PID 2664 wrote to memory of 3096 | 2664 | winit32.exe | 86
PID 2664 wrote to memory of 3096 | 2664 | winit32.exe | 86
PID 2664 wrote to memory of 3096 | 2664 | winit32.exe | 86
Processes
1. C:\Users\Admin\AppData\Local\Temp\4b88b210f05306exeexeexeex.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4b88b210f05306exeexeexeex.exe"
   PID: 4604
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\winit32.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\winit32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\winit32.exe"
      PID: 2664
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\winit32.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\winit32.exe"
         PID: 3096
         - Executes dropped EXE
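The registry IoCs above amount to a user-scope hijack of the .exe file association (ATT&CK "Change Default File Association"): \REGISTRY\USER\<SID>_Classes is HKCU\Software\Classes, which the shell merges over HKLM when it resolves HKCR, so no administrative rights were needed, and every executable the user opens from Explorer is handed first to the dropped C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\winit32.exe with the real target as "%1". The process tree above is consistent with that: the dropped file itself is launched as winit32.exe /START "<winit32.exe>". The runas verb was left at the stock "%1" %*, so a "Run as administrator" launch bypasses the hook. The Python below is an added triage example, not part of the sandbox report or of the sample: it parses the report's own "Set value (str)" lines (copied in as constructed input), flags any shell verb command for .exe or the ProgID .exe maps to that differs from Windows' stock "%1" %*, and prints the command line a double-click or a run-as-admin launch would actually produce. The lookup order it uses (ProgID first, then the extension's own shell subkey) is a simplification of the shell's resolution, and the stock-command constant is an assumption about an unmodified Windows install.

```python
"""Triage helper: detect a user-scope .exe association hijack in sandbox registry
IoCs and show what the shell would run afterwards. Added example; the IOC_LINES
are constructed input copied from the report's 'Set value (str)' entries, in the
sandbox's '<op> <key> = "<data>" <process>' rendering (escapes kept as rendered)."""
import re
from dataclasses import dataclass

IOC_LINES = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\ = "ntdriver" 4b88b210f05306exeexeexeex.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\winit32.exe\" /START \"%1\" %*" 4b88b210f05306exeexeexeex.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\ntdriver\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\winit32.exe\" /START \"%1\" %*" 4b88b210f05306exeexeexeex.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\ntdriver\shell\runas\command\ = "\"%1\" %*" 4b88b210f05306exeexeexeex.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\ntdriver\shell\open\command\IsolatedCommand = "\"%1\" %*" 4b88b210f05306exeexeexeex.exe',
    r'Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\ntdriver\shell 4b88b210f05306exeexeexeex.exe',
]

SET_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<key>.+?) = "(?P<data>.*)" (?P<proc>\S+)$')
# \REGISTRY\USER\<SID>_Classes is HKCU\Software\Classes; \REGISTRY\MACHINE\SOFTWARE\Classes is HKLM's.
CLASSES_RE = re.compile(r'^\\REGISTRY\\(?P<hive>USER\\S-[\d-]+_Classes|MACHINE\\SOFTWARE\\Classes)\\(?P<rel>.*)$')
DEFAULT_EXE_COMMAND = '"%1" %*'   # assumed stock exefile\shell\open\command on an unmodified Windows


@dataclass(frozen=True)
class RegSet:
    hive: str      # "HKCU\Software\Classes" or "HKLM\Software\Classes"
    key: str       # subkey relative to the hive, e.g. r".exe\shell\open\command"
    name: str      # value name; "" is the (Default) value
    data: str      # unescaped string data
    process: str   # process that wrote it


@dataclass(frozen=True)
class Hijack:
    hive: str
    key: str
    verb: str      # shell verb: open, runas, ...
    command: str   # full command template as stored
    handler: str   # interposed executable (first token of the command)


def unescape(s: str) -> str:
    # Undo the sandbox's rendering escapes: \" -> "  and  \\ -> \
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_set_value(line: str):
    """Parse one 'Set value (str)' IoC line under a Classes hive into a RegSet; anything else -> None."""
    m = SET_RE.match(line)
    if not m or m.group('type') != 'str':
        return None
    c = CLASSES_RE.match(m.group('key'))
    if not c:
        return None
    hive = 'HKCU\\Software\\Classes' if c.group('hive').startswith('USER') else 'HKLM\\Software\\Classes'
    rel = c.group('rel')
    if rel.endswith('\\'):            # trailing backslash = the key's (Default) value
        key, name = rel[:-1], ''
    else:
        key, _, name = rel.rpartition('\\')
    return RegSet(hive, key, name, unescape(m.group('data')), m.group('proc'))


def classes_view(lines):
    """HKCR-style merged view {(subkey, value name) lowercased: RegSet}; HKCU entries override HKLM ones."""
    sets = [rs for rs in map(parse_set_value, lines) if rs]
    view = {}
    for rs in sorted(sets, key=lambda r: r.hive.startswith('HKCU')):   # HKLM first, HKCU wins
        view[(rs.key.lower(), rs.name.lower())] = rs
    return view


def handler_of(command: str) -> str:
    """First token of a command template, with surrounding quotes removed."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    return (m.group(1) or m.group(2)) if m else ''


def find_hijacks(lines):
    """Every shell verb command for .exe, or for the ProgID .exe maps to, that is not the stock '"%1" %*'."""
    view = classes_view(lines)
    progid = view.get(('.exe', ''))
    roots = {'.exe'} | ({progid.data.lower()} if progid else set())
    verb_re = re.compile(r'(?P<root>[^\\]+)\\shell\\(?P<verb>[^\\]+)\\command')
    hits = []
    for (key, name), rs in sorted(view.items()):
        m = verb_re.fullmatch(key)
        if name or not m or m.group('root') not in roots:
            continue                      # named values (e.g. IsolatedCommand) and unrelated keys
        if rs.data.strip() == DEFAULT_EXE_COMMAND:
            continue                      # untouched verb: here runas, so elevated launches bypass the hook
        hits.append(Hijack(rs.hive, rs.key, m.group('verb'), rs.data, handler_of(rs.data)))
    return hits


def resolve_launch(lines, target: str, verb: str = 'open', args=()) -> str:
    """Command line the shell would run for `verb` on an .exe `target`: ProgID first, then the
    extension's own shell subkey, else the stock handler. %1 is the file, %* the remaining args."""
    view = classes_view(lines)
    progid = view.get(('.exe', ''))
    template = DEFAULT_EXE_COMMAND
    for root in ([progid.data.lower()] if progid else []) + ['.exe']:
        rs = view.get((f'{root}\\shell\\{verb.lower()}\\command', ''))
        if rs:
            template = rs.data
            break
    return template.replace('%1', target).replace('%*', ' '.join(args)).strip()


if __name__ == '__main__':
    for h in find_hijacks(IOC_LINES):
        print(f'[hijack] {h.hive}\\{h.key} (verb {h.verb}) -> {h.handler}')
    victim = r'C:\Users\Admin\Downloads\setup.exe'
    print('double-click runs :', resolve_launch(IOC_LINES, victim))
    print('run-as-admin runs :', resolve_launch(IOC_LINES, victim, verb='runas'))
```

Both the .exe key and the ntdriver ProgID carry the same handler, so removing only one of them leaves the hijack in place; cleanup has to delete (or restore) both HKCU\Software\Classes\.exe and HKCU\Software\Classes\ntdriver, and winit32.exe must be quarantined first, because the interposed handler runs every time any .exe is opened.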
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize
327KB
MD5
8a661a0d72e928b9e0252e91436809f4
SHA1
925fdf550e3b9fc7399da41e1d1f5df7571f992f
SHA256
b3a140893dd2ddea0a2a647f4a480690948c3857d0dd711276c27c48c0266922
SHA512
d4bb5cbdad699fe244f431e996e8ea8f35097f64b0fe8ea859b7825d1ca0500acf41a05e26baf86fb4191f96a42e5f9bd4db1a8c2fbc55a822e6297149dd9e2f