f5e7ec25b1a88f8aa126974cfeb0f202e9b4fc501af19976a7881689b40fa5cf

Analysis

max time kernel
123s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2023, 09:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

67fec5705cd2acexeexeexeex.exe
Size

288KB
MD5

67fec5705cd2ac62c5672aa762970a87
SHA1

fed83862b63d9af3b173d6abdb82ac20d1199d29
SHA256

f5e7ec25b1a88f8aa126974cfeb0f202e9b4fc501af19976a7881689b40fa5cf
SHA512

53bd9c1fee624fe88b8714105bbc4af0f3e615fc8be0b97063bb19826d2595f61eb4f7502daee549e3ea85151b3fb4702d31b1756b68486a828c079c4c1309d7
SSDEEP

6144:fQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:fQMyfmNFHfnWfhLZVHmOog

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation	67fec5705cd2acexeexeexeex.exe

Executes dropped EXE 2 IoCs

pid	Process
3144	dwmsys.exe
3732	dwmsys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\systemui\shell\open\command	67fec5705cd2acexeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\systemui\shell\open\command\IsolatedCommand = "\"%1\" %*"	67fec5705cd2acexeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe	67fec5705cd2acexeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\DefaultIcon	67fec5705cd2acexeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell\open	67fec5705cd2acexeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_amd64\\dwmsys.exe\" /START \"%1\" %*"	67fec5705cd2acexeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\systemui\DefaultIcon	67fec5705cd2acexeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\systemui\Content-Type = "application/x-msdownload"	67fec5705cd2acexeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\systemui\shell	67fec5705cd2acexeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\Content-Type = "application/x-msdownload"	67fec5705cd2acexeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell\open\command	67fec5705cd2acexeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell\runas\command	67fec5705cd2acexeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings	67fec5705cd2acexeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\systemui	67fec5705cd2acexeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\systemui\shell\runas\command\IsolatedCommand = "\"%1\" %*"	67fec5705cd2acexeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	67fec5705cd2acexeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\systemui\shell\open	67fec5705cd2acexeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell	67fec5705cd2acexeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	67fec5705cd2acexeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell\runas	67fec5705cd2acexeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	67fec5705cd2acexeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\systemui\ = "Application"	67fec5705cd2acexeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\DefaultIcon\ = "%1"	67fec5705cd2acexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	67fec5705cd2acexeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\systemui\shell\runas	67fec5705cd2acexeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\systemui\DefaultIcon\ = "%1"	67fec5705cd2acexeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\systemui\shell\runas\command\ = "\"%1\" %*"	67fec5705cd2acexeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\systemui\shell\runas\command	67fec5705cd2acexeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\ = "systemui"	67fec5705cd2acexeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\systemui\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_amd64\\dwmsys.exe\" /START \"%1\" %*"	67fec5705cd2acexeexeexeex.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3144	dwmsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 3144	1904	67fec5705cd2acexeexeexeex.exe	85
PID 1904 wrote to memory of 3144	1904	67fec5705cd2acexeexeexeex.exe	85
PID 1904 wrote to memory of 3144	1904	67fec5705cd2acexeexeexeex.exe	85
PID 3144 wrote to memory of 3732	3144	dwmsys.exe	86
PID 3144 wrote to memory of 3732	3144	dwmsys.exe	86
PID 3144 wrote to memory of 3732	3144	dwmsys.exe	86

C:\Users\Admin\AppData\Local\Temp\67fec5705cd2acexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\67fec5705cd2acexeexeexeex.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3144
- - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe"
    3⤵
    - Executes dropped EXE
    PID:3732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe

Filesize
288KB

MD5
313a8f442e2fb1cb1c6c6a1cc14b988f

SHA1
8c4f4b0ef5fd480fce3268c18ef600c1c00c126f

SHA256
f881bcb59d49cd9b6c896b2086570aac3f8f34fd5e56b70fb3bcdd6c71af1dac

SHA512
5771b8727c7a478637f34d9d90190d37e3ee2ac4f53c05bde7a2550313fb0d04743197d8f744ae080fe68fa856b29268571712e2c10c2ba85d469d3c0244e0a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe

Filesize
288KB

MD5
313a8f442e2fb1cb1c6c6a1cc14b988f

SHA1
8c4f4b0ef5fd480fce3268c18ef600c1c00c126f

SHA256
f881bcb59d49cd9b6c896b2086570aac3f8f34fd5e56b70fb3bcdd6c71af1dac

SHA512
5771b8727c7a478637f34d9d90190d37e3ee2ac4f53c05bde7a2550313fb0d04743197d8f744ae080fe68fa856b29268571712e2c10c2ba85d469d3c0244e0a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe

Filesize
288KB

MD5
313a8f442e2fb1cb1c6c6a1cc14b988f

SHA1
8c4f4b0ef5fd480fce3268c18ef600c1c00c126f

SHA256
f881bcb59d49cd9b6c896b2086570aac3f8f34fd5e56b70fb3bcdd6c71af1dac

SHA512
5771b8727c7a478637f34d9d90190d37e3ee2ac4f53c05bde7a2550313fb0d04743197d8f744ae080fe68fa856b29268571712e2c10c2ba85d469d3c0244e0a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe

Filesize
288KB

MD5
313a8f442e2fb1cb1c6c6a1cc14b988f

SHA1
8c4f4b0ef5fd480fce3268c18ef600c1c00c126f

SHA256
f881bcb59d49cd9b6c896b2086570aac3f8f34fd5e56b70fb3bcdd6c71af1dac

SHA512
5771b8727c7a478637f34d9d90190d37e3ee2ac4f53c05bde7a2550313fb0d04743197d8f744ae080fe68fa856b29268571712e2c10c2ba85d469d3c0244e0a9

Download Submit