0cedd5f9e64e15622c2e237d16de0df469d651583c3476c4eb881a707a5e77f9

Analysis

max time kernel
138s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2023, 06:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e450ee62441e90exeexeexeex.exe
Size

327KB
MD5

e450ee62441e907892f392726da24822
SHA1

924d2915171af5293b2109ebbe1bc99945a20bad
SHA256

0cedd5f9e64e15622c2e237d16de0df469d651583c3476c4eb881a707a5e77f9
SHA512

db4d534707624a4587beaf094482fe843efbd2b3d36618bfd542d9a3a5f84372bed3a251f520db8ecde77568a8cad19199b27dcab4c7e9ffc72c5bd6fce8b8b6
SSDEEP

6144:+2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG8KgbPzDh:+2TFafJiHCWBWPMjVWrXK0

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	e450ee62441e90exeexeexeex.exe

Executes dropped EXE 2 IoCs

pid	Process
4612	SearchIndexerDB.exe
2220	SearchIndexerDB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\cmos	e450ee62441e90exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\.exe	e450ee62441e90exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\.exe\DefaultIcon\ = "%1"	e450ee62441e90exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings	e450ee62441e90exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\.exe\ = "cmos"	e450ee62441e90exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\.exe\shell\open	e450ee62441e90exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_x86_64\\SearchIndexerDB.exe\" /START \"%1\" %*"	e450ee62441e90exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	e450ee62441e90exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\cmos\ = "Application"	e450ee62441e90exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\cmos\Content-Type = "application/x-msdownload"	e450ee62441e90exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\cmos\shell\open\command\IsolatedCommand = "\"%1\" %*"	e450ee62441e90exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\.exe\DefaultIcon	e450ee62441e90exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\.exe\shell\runas\command	e450ee62441e90exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	e450ee62441e90exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\cmos\shell\runas\command\IsolatedCommand = "\"%1\" %*"	e450ee62441e90exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\.exe\shell	e450ee62441e90exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\cmos\DefaultIcon\ = "%1"	e450ee62441e90exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\.exe\shell\open\command	e450ee62441e90exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\.exe\shell\runas	e450ee62441e90exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\cmos\shell	e450ee62441e90exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\cmos\shell\runas\command	e450ee62441e90exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\.exe\Content-Type = "application/x-msdownload"	e450ee62441e90exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\cmos\shell\open\command	e450ee62441e90exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\cmos\shell\open	e450ee62441e90exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\cmos\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_x86_64\\SearchIndexerDB.exe\" /START \"%1\" %*"	e450ee62441e90exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\cmos\shell\runas	e450ee62441e90exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\cmos\shell\runas\command\ = "\"%1\" %*"	e450ee62441e90exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	e450ee62441e90exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\cmos\DefaultIcon	e450ee62441e90exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	e450ee62441e90exeexeexeex.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4612	SearchIndexerDB.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 4612	4412	e450ee62441e90exeexeexeex.exe	88
PID 4412 wrote to memory of 4612	4412	e450ee62441e90exeexeexeex.exe	88
PID 4412 wrote to memory of 4612	4412	e450ee62441e90exeexeexeex.exe	88
PID 4612 wrote to memory of 2220	4612	SearchIndexerDB.exe	89
PID 4612 wrote to memory of 2220	4612	SearchIndexerDB.exe	89
PID 4612 wrote to memory of 2220	4612	SearchIndexerDB.exe	89

C:\Users\Admin\AppData\Local\Temp\e450ee62441e90exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\e450ee62441e90exeexeexeex.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\SearchIndexerDB.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\SearchIndexerDB.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\SearchIndexerDB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4612
- - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\SearchIndexerDB.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\SearchIndexerDB.exe"
    3⤵
    - Executes dropped EXE
    PID:2220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\SearchIndexerDB.exe

Filesize
327KB

MD5
6ece936ce6c5a78b52b0c3899e13bfc9

SHA1
26d97f799931bf0271202bb190d25acf487ea750

SHA256
d65208c3ecedb7b2f1d60597925e5200a2163afb151de3a0a6c90b56ea4e4bfb

SHA512
31e820d87e12ddd658cdc386b23ee4b833255840d5cc5cf2fa14860ca56d972ae50c5276efcbd29b17a56e4f18d1eb4cd074d0b424e2ac53a726a36e65ce6085

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\SearchIndexerDB.exe

Filesize
327KB

MD5
6ece936ce6c5a78b52b0c3899e13bfc9

SHA1
26d97f799931bf0271202bb190d25acf487ea750

SHA256
d65208c3ecedb7b2f1d60597925e5200a2163afb151de3a0a6c90b56ea4e4bfb

SHA512
31e820d87e12ddd658cdc386b23ee4b833255840d5cc5cf2fa14860ca56d972ae50c5276efcbd29b17a56e4f18d1eb4cd074d0b424e2ac53a726a36e65ce6085

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\SearchIndexerDB.exe

Filesize
327KB

MD5
6ece936ce6c5a78b52b0c3899e13bfc9

SHA1
26d97f799931bf0271202bb190d25acf487ea750

SHA256
d65208c3ecedb7b2f1d60597925e5200a2163afb151de3a0a6c90b56ea4e4bfb

SHA512
31e820d87e12ddd658cdc386b23ee4b833255840d5cc5cf2fa14860ca56d972ae50c5276efcbd29b17a56e4f18d1eb4cd074d0b424e2ac53a726a36e65ce6085

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\SearchIndexerDB.exe

Filesize
327KB

MD5
6ece936ce6c5a78b52b0c3899e13bfc9

SHA1
26d97f799931bf0271202bb190d25acf487ea750

SHA256
d65208c3ecedb7b2f1d60597925e5200a2163afb151de3a0a6c90b56ea4e4bfb

SHA512
31e820d87e12ddd658cdc386b23ee4b833255840d5cc5cf2fa14860ca56d972ae50c5276efcbd29b17a56e4f18d1eb4cd074d0b424e2ac53a726a36e65ce6085

Download Submit