Analysis

max time kernel: 143s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20230831-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-09-2023 06:16
Behavioral task behavioral1
  Sample: Stub.exe
  Resource: win7-20230831-en

Behavioral task behavioral2
  Sample: Stub.exe
  Resource: win10v2004-20230831-en
General

Target: Stub.exe
Size: 3.8MB
MD5: 5d422b017137a0060e7de3b1ddff3fbb
SHA1: fbc8138cc80dd477ec6bd45ade7bdd27de251260
SHA256: c733abcd9c2a5c1734242bc3238dd44e9aaf7e2c01878bebe2751c1b99f9a658
SHA512: b5794b69eb87e6e3f0fe19dfe0734a94fb342e27dc3e2936abd052d7cf8f82b672d28a250378b15c3631be6ce60a21643573d372a12917d5cbfa941f17fd4bdc
SSDEEP: 98304:d77Pmq33rE/JDLPWZADUGer7B6iY74M/7mlwXVZ4FB:5+R/eZADUXR
Malware Config

Extracted
Family: bitrat
Version: 1.38
C2: smgqnt3eixxksasu.xyz:1234
communication_password: 30afda4853ef5b1bc36463ba95d84247
tor_process: tor
Signatures

- Downloads MZ/PE file

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation (Stub.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation (wGThotehCeA2xBFO.exe)

- Executes dropped EXE (4 IoCs)
  PID 4476 wGThotehCeA2xBFO.exe
  PID 500 wGThotehCeA2xBFO.exe
  PID 2244 WwesZMdpwMbMzj4X.exe
  PID 4340 WwesZMdpwMbMzj4X.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WwesZMdpwMbMzj4X = "C:\\Users\\Admin\\Documents\\WwesZMdpwMbMzj4X.pif" (reg.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wGThotehCeA2xBFO = "C:\\Users\\Admin\\Documents\\wGThotehCeA2xBFO.pif" (reg.exe)

- Drops file in System32 directory (1 IoC)
  File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{79C12588-3291-4B6A-826D-B01A69ABD775}.catalogItem (svchost.exe)

- Suspicious use of NtSetInformationThreadHideFromDebugger (11 IoCs)
  PID 3904 Stub.exe (5 entries)
  PID 500 wGThotehCeA2xBFO.exe (5 entries)
  PID 4340 WwesZMdpwMbMzj4X.exe (1 entry)

- Suspicious use of SetThreadContext (2 IoCs)
  PID 4476 (wGThotehCeA2xBFO.exe) set thread context of PID 500, procid_target 96
  PID 2244 (WwesZMdpwMbMzj4X.exe) set thread context of PID 4340, procid_target 104

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (svchost.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (svchost.exe)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (svchost.exe)

- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (svchost.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (svchost.exe)

- Suspicious behavior: EnumeratesProcesses (52 IoCs)
  PID 4476 wGThotehCeA2xBFO.exe (26 entries)
  PID 2244 WwesZMdpwMbMzj4X.exe (26 entries)

- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeShutdownPrivilege, PID 3904 Stub.exe
  Token: SeDebugPrivilege, PID 4476 wGThotehCeA2xBFO.exe
  Token: SeShutdownPrivilege, PID 500 wGThotehCeA2xBFO.exe
  Token: SeDebugPrivilege, PID 2244 WwesZMdpwMbMzj4X.exe
  Token: SeShutdownPrivilege, PID 4340 WwesZMdpwMbMzj4X.exe

- Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 3904 Stub.exe (2 entries)
  PID 500 wGThotehCeA2xBFO.exe (2 entries)

- Suspicious use of WriteProcessMemory (46 IoCs)
  PID 3904 (Stub.exe) wrote to memory of PID 4476, procid_target 87 (3 entries)
  PID 4476 (wGThotehCeA2xBFO.exe) wrote to memory of PID 4612, procid_target 91 (3 entries)
  PID 4612 (cmd.exe) wrote to memory of PID 1328, procid_target 93 (3 entries)
  PID 4476 (wGThotehCeA2xBFO.exe) wrote to memory of PID 4560, procid_target 94 (3 entries)
  PID 4476 (wGThotehCeA2xBFO.exe) wrote to memory of PID 500, procid_target 96 (11 entries)
  PID 500 (wGThotehCeA2xBFO.exe) wrote to memory of PID 2244, procid_target 98 (3 entries)
  PID 2244 (WwesZMdpwMbMzj4X.exe) wrote to memory of PID 1584, procid_target 99 (3 entries)
  PID 1584 (cmd.exe) wrote to memory of PID 3104, procid_target 101 (3 entries)
  PID 2244 (WwesZMdpwMbMzj4X.exe) wrote to memory of PID 4004, procid_target 102 (3 entries)
  PID 2244 (WwesZMdpwMbMzj4X.exe) wrote to memory of PID 4340, procid_target 104 (11 entries)

- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\Stub.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Stub.exe"
  PID: 3904
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\wGThotehCeA2xBFO.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\wGThotehCeA2xBFO.exe"
      PID: 4476
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "wGThotehCeA2xBFO" /t REG_SZ /F /D "C:\Users\Admin\Documents\wGThotehCeA2xBFO.pif"
          PID: 4612
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "wGThotehCeA2xBFO" /t REG_SZ /F /D "C:\Users\Admin\Documents\wGThotehCeA2xBFO.pif"
              PID: 1328
              - Adds Run key to start application

        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c Copy "C:\Users\Admin\AppData\Local\Temp\wGThotehCeA2xBFO.exe" "C:\Users\Admin\Documents\wGThotehCeA2xBFO.pif"
          PID: 4560

        C:\Users\Admin\AppData\Local\Temp\wGThotehCeA2xBFO.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\wGThotehCeA2xBFO.exe"
          PID: 500
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\WwesZMdpwMbMzj4X.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\WwesZMdpwMbMzj4X.exe"
              PID: 2244
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\cmd.exe
                  Command line: cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "WwesZMdpwMbMzj4X" /t REG_SZ /F /D "C:\Users\Admin\Documents\WwesZMdpwMbMzj4X.pif"
                  PID: 1584
                  - Suspicious use of WriteProcessMemory

                    C:\Windows\SysWOW64\reg.exe
                      Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "WwesZMdpwMbMzj4X" /t REG_SZ /F /D "C:\Users\Admin\Documents\WwesZMdpwMbMzj4X.pif"
                      PID: 3104
                      - Adds Run key to start application

                C:\Windows\SysWOW64\cmd.exe
                  Command line: cmd /c Copy "C:\Users\Admin\AppData\Local\Temp\WwesZMdpwMbMzj4X.exe" "C:\Users\Admin\Documents\WwesZMdpwMbMzj4X.pif"
                  PID: 4004

                C:\Users\Admin\AppData\Local\Temp\WwesZMdpwMbMzj4X.exe
                  Command line: "C:\Users\Admin\AppData\Local\Temp\WwesZMdpwMbMzj4X.exe"
                  PID: 4340
                  - Executes dropped EXE
                  - Suspicious use of NtSetInformationThreadHideFromDebugger
                  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  PID: 2196
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 112KB (the same file is listed 7 times in the report)
  MD5: a9db678b7bad6d2bae54505759452dd9
  SHA1: b0ab52df85ec1595f0a2d1f4e4d09552ea27505a
  SHA256: 5c362423456076e89659ae8ad2069d05a12ec769d27623fea060c4c7715e27ea
  SHA512: 641c8a32a821b557cb7050d4ccfa1dfd5f02d4e6d5ce88f1ce305e9887d17c40368829c89a8e7f64880acd368288ed55a1b0b363b0b0f8da833eae2bf4cb807a