Analysis
max time kernel: 8s
max time network: 9s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-09-2023 10:18
Static task
static1

Behavioral task
behavioral1
    Sample: Sample_5d283d656ea1e5165f2c7b8c.exe
    Resource: win7-20230831-en

Behavioral task
behavioral2
    Sample: Sample_5d283d656ea1e5165f2c7b8c.exe
    Resource: win10v2004-20230915-en
General
Target: Sample_5d283d656ea1e5165f2c7b8c.exe
Size: 205KB
MD5: 881db1945686533f06f6626da444a7b5
SHA1: 776fff17a531a374d13a9e267db764e3463a4cfc
SHA256: c85fec6ed44bdfd54c5f37190ffad38919640064ce718045e228dca65f74ec7b
SHA512: 639d684ab5a15a23355577d0c0e6cab29fe66596af5c5644a4fb258c3f65324c94f4c5fc4f76c7b7ac2ff0f15ffc69e98c279f59e8897e3db4e3ffaee2e96af6
SSDEEP: 3072:30imLeE+6Kiei4VrJo6lxPJUVjIMaNhUv:LE+6Kt53oExlNh
Malware Config

Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
    description         ioc                                                                                                   Process
    Key value queried   \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation     Sample_5d283d656ea1e5165f2c7b8c.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Runs net.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
    pid     Process
    4764    Sample_5d283d656ea1e5165f2c7b8c.exe
    4764    Sample_5d283d656ea1e5165f2c7b8c.exe
    4764    Sample_5d283d656ea1e5165f2c7b8c.exe
    4764    Sample_5d283d656ea1e5165f2c7b8c.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
    description               pid     Process
    Token: SeDebugPrivilege   4764    Sample_5d283d656ea1e5165f2c7b8c.exe

Suspicious use of WriteProcessMemory (13 IoCs)
    description                         pid     Process                                procid_target
    PID 4764 wrote to memory of 2748    4764    Sample_5d283d656ea1e5165f2c7b8c.exe    12
    PID 4764 wrote to memory of 2348    4764    Sample_5d283d656ea1e5165f2c7b8c.exe    93
    PID 4764 wrote to memory of 2348    4764    Sample_5d283d656ea1e5165f2c7b8c.exe    93
    PID 4764 wrote to memory of 336     4764    Sample_5d283d656ea1e5165f2c7b8c.exe    94
    PID 4764 wrote to memory of 336     4764    Sample_5d283d656ea1e5165f2c7b8c.exe    94
    PID 2348 wrote to memory of 2620    2348    net.exe                                96
    PID 2348 wrote to memory of 2620    2348    net.exe                                96
    PID 336 wrote to memory of 1652     336     net.exe                                97
    PID 336 wrote to memory of 1652     336     net.exe                                97
    PID 4764 wrote to memory of 2812    4764    Sample_5d283d656ea1e5165f2c7b8c.exe    46
    PID 4764 wrote to memory of 2952    4764    Sample_5d283d656ea1e5165f2c7b8c.exe    45
    PID 4764 wrote to memory of 3304    4764    Sample_5d283d656ea1e5165f2c7b8c.exe    41
    PID 4764 wrote to memory of 3484    4764    Sample_5d283d656ea1e5165f2c7b8c.exe    40
Processes (indentation shows parent/child depth)

C:\Windows\system32\sihost.exe
    command line: sihost.exe
    PID: 2748

C:\Windows\system32\DllHost.exe
    command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID: 3484

C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    PID: 3304

C:\Windows\system32\taskhostw.exe
    command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    PID: 2952

C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    PID: 2812

C:\Users\Admin\AppData\Local\Temp\Sample_5d283d656ea1e5165f2c7b8c.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Sample_5d283d656ea1e5165f2c7b8c.exe"
    PID: 4764
    signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    C:\Windows\System32\net.exe
        command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
        PID: 2348
        signatures: Suspicious use of WriteProcessMemory

        C:\Windows\system32\net1.exe
            command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y
            PID: 2620

    C:\Windows\System32\net.exe
        command line: "C:\Windows\System32\net.exe" stop "samss" /y
        PID: 336
        signatures: Suspicious use of WriteProcessMemory

        C:\Windows\system32\net1.exe
            command line: C:\Windows\system32\net1 stop "samss" /y
            PID: 1652