8e06b3ea4555f3ebbf34cd4b63a0d66830a4f63c5bcec4009e2bb9a62501145e

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2023, 17:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a8620c75869efexeexeexeex.exe
Size

288KB
MD5

8a8620c75869efc428a0107a3cbf4bb8
SHA1

903f0ededf3ac451e15fbf963d98c6a79dac5955
SHA256

8e06b3ea4555f3ebbf34cd4b63a0d66830a4f63c5bcec4009e2bb9a62501145e
SHA512

eafb21dbb4f9b2c42737b2d58bbe71c943564309c0f7f78e26e92488d854c1f9a487e7aa69821a7095df13d552dd2fd7b41ba2f2f48b8d9fd617cdff465bf014
SSDEEP

6144:5Q+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:5QMyfmNFHfnWfhLZVHmOog

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	8a8620c75869efexeexeexeex.exe

Executes dropped EXE 2 IoCs

pid	Process
4592	winit32.exe
3536	winit32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\ntdriver\DefaultIcon	8a8620c75869efexeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings	8a8620c75869efexeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	8a8620c75869efexeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	8a8620c75869efexeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\ntdriver\shell\open\command\IsolatedCommand = "\"%1\" %*"	8a8620c75869efexeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\winit32.exe\" /START \"%1\" %*"	8a8620c75869efexeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\ntdriver\shell\runas\command\ = "\"%1\" %*"	8a8620c75869efexeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\.exe\shell\open\command	8a8620c75869efexeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\.exe\shell\open	8a8620c75869efexeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\ntdriver\shell\open\command	8a8620c75869efexeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\ntdriver\shell	8a8620c75869efexeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\.exe\DefaultIcon\ = "%1"	8a8620c75869efexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	8a8620c75869efexeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\.exe	8a8620c75869efexeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\ntdriver\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\winit32.exe\" /START \"%1\" %*"	8a8620c75869efexeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\ntdriver\shell\runas\command\IsolatedCommand = "\"%1\" %*"	8a8620c75869efexeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\.exe\Content-Type = "application/x-msdownload"	8a8620c75869efexeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\.exe\shell	8a8620c75869efexeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\ntdriver\shell\open	8a8620c75869efexeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\ntdriver\shell\runas	8a8620c75869efexeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\.exe\ = "ntdriver"	8a8620c75869efexeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\.exe\DefaultIcon	8a8620c75869efexeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\.exe\shell\runas	8a8620c75869efexeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\ntdriver\Content-Type = "application/x-msdownload"	8a8620c75869efexeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\ntdriver\DefaultIcon\ = "%1"	8a8620c75869efexeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\ntdriver\shell\runas\command	8a8620c75869efexeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\.exe\shell\runas\command	8a8620c75869efexeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	8a8620c75869efexeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\ntdriver	8a8620c75869efexeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\ntdriver\ = "Application"	8a8620c75869efexeexeexeex.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4592	winit32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 4592	4364	8a8620c75869efexeexeexeex.exe	86
PID 4364 wrote to memory of 4592	4364	8a8620c75869efexeexeexeex.exe	86
PID 4364 wrote to memory of 4592	4364	8a8620c75869efexeexeexeex.exe	86
PID 4592 wrote to memory of 3536	4592	winit32.exe	87
PID 4592 wrote to memory of 3536	4592	winit32.exe	87
PID 4592 wrote to memory of 3536	4592	winit32.exe	87

C:\Users\Admin\AppData\Local\Temp\8a8620c75869efexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\8a8620c75869efexeexeexeex.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\winit32.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\winit32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\winit32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\winit32.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\winit32.exe"
    3⤵
    - Executes dropped EXE
    PID:3536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\winit32.exe

Filesize
288KB

MD5
bce1cc7de5b66f6e153840f3442e8006

SHA1
95baa3cc694ae2e9939e3c87970e94afdf16cb93

SHA256
885629f9744a3ed09d26ec50db5ac5806cb30055f8f79b42073769aa23c96b35

SHA512
40d30edf6871e8405885d162f08e0df746d756c1e37ed5a327359452080ca93af68ad2112210886b40646674b1487700d3fd24086195d303f8df30b115c4bbdb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\winit32.exe

Filesize
288KB

MD5
bce1cc7de5b66f6e153840f3442e8006

SHA1
95baa3cc694ae2e9939e3c87970e94afdf16cb93

SHA256
885629f9744a3ed09d26ec50db5ac5806cb30055f8f79b42073769aa23c96b35

SHA512
40d30edf6871e8405885d162f08e0df746d756c1e37ed5a327359452080ca93af68ad2112210886b40646674b1487700d3fd24086195d303f8df30b115c4bbdb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\winit32.exe

Filesize
288KB

MD5
bce1cc7de5b66f6e153840f3442e8006

SHA1
95baa3cc694ae2e9939e3c87970e94afdf16cb93

SHA256
885629f9744a3ed09d26ec50db5ac5806cb30055f8f79b42073769aa23c96b35

SHA512
40d30edf6871e8405885d162f08e0df746d756c1e37ed5a327359452080ca93af68ad2112210886b40646674b1487700d3fd24086195d303f8df30b115c4bbdb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\winit32.exe

Filesize
288KB

MD5
bce1cc7de5b66f6e153840f3442e8006

SHA1
95baa3cc694ae2e9939e3c87970e94afdf16cb93

SHA256
885629f9744a3ed09d26ec50db5ac5806cb30055f8f79b42073769aa23c96b35

SHA512
40d30edf6871e8405885d162f08e0df746d756c1e37ed5a327359452080ca93af68ad2112210886b40646674b1487700d3fd24086195d303f8df30b115c4bbdb

Download Submit