89500d95e289944c5685985075ed0c611d4cd6fdd03f8b35d6eb0f4aefd14465

Analysis

max time kernel
154s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89500d95e289944c5685985075ed0c611d4cd6fdd03f8b35d6eb0f4aefd14465.exe
Size

1.4MB
MD5

8e42f97ee888aeac494f7caabc21ae8e
SHA1

ee3a142528c8e9108982ff28934580d635e7dfff
SHA256

89500d95e289944c5685985075ed0c611d4cd6fdd03f8b35d6eb0f4aefd14465
SHA512

e0d4f7087e8b85871e6cc0dc5a80845881893ba1f0226dd10143c3c938fd422dd61224a2a6646bf2211fafb9d352c7b93dfc1d5683d5c64e6aa26211eccd2cd5
SSDEEP

24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	89500d95e289944c5685985075ed0c611d4cd6fdd03f8b35d6eb0f4aefd14465.exe

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1380	powershell.exe
1380	powershell.exe
4120	powershell.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3668	WMIC.exe
Token: SeSecurityPrivilege	3668	WMIC.exe
Token: SeTakeOwnershipPrivilege	3668	WMIC.exe
Token: SeLoadDriverPrivilege	3668	WMIC.exe
Token: SeSystemProfilePrivilege	3668	WMIC.exe
Token: SeSystemtimePrivilege	3668	WMIC.exe
Token: SeProfSingleProcessPrivilege	3668	WMIC.exe
Token: SeIncBasePriorityPrivilege	3668	WMIC.exe
Token: SeCreatePagefilePrivilege	3668	WMIC.exe
Token: SeBackupPrivilege	3668	WMIC.exe
Token: SeRestorePrivilege	3668	WMIC.exe
Token: SeShutdownPrivilege	3668	WMIC.exe
Token: SeDebugPrivilege	3668	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3668	WMIC.exe
Token: SeRemoteShutdownPrivilege	3668	WMIC.exe
Token: SeUndockPrivilege	3668	WMIC.exe
Token: SeManageVolumePrivilege	3668	WMIC.exe
Token: 33	3668	WMIC.exe
Token: 34	3668	WMIC.exe
Token: 35	3668	WMIC.exe
Token: 36	3668	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3668	WMIC.exe
Token: SeSecurityPrivilege	3668	WMIC.exe
Token: SeTakeOwnershipPrivilege	3668	WMIC.exe
Token: SeLoadDriverPrivilege	3668	WMIC.exe
Token: SeSystemProfilePrivilege	3668	WMIC.exe
Token: SeSystemtimePrivilege	3668	WMIC.exe
Token: SeProfSingleProcessPrivilege	3668	WMIC.exe
Token: SeIncBasePriorityPrivilege	3668	WMIC.exe
Token: SeCreatePagefilePrivilege	3668	WMIC.exe
Token: SeBackupPrivilege	3668	WMIC.exe
Token: SeRestorePrivilege	3668	WMIC.exe
Token: SeShutdownPrivilege	3668	WMIC.exe
Token: SeDebugPrivilege	3668	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3668	WMIC.exe
Token: SeRemoteShutdownPrivilege	3668	WMIC.exe
Token: SeUndockPrivilege	3668	WMIC.exe
Token: SeManageVolumePrivilege	3668	WMIC.exe
Token: 33	3668	WMIC.exe
Token: 34	3668	WMIC.exe
Token: 35	3668	WMIC.exe
Token: 36	3668	WMIC.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	4120	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 2516	4216	89500d95e289944c5685985075ed0c611d4cd6fdd03f8b35d6eb0f4aefd14465.exe	88
PID 4216 wrote to memory of 2516	4216	89500d95e289944c5685985075ed0c611d4cd6fdd03f8b35d6eb0f4aefd14465.exe	88
PID 4216 wrote to memory of 2516	4216	89500d95e289944c5685985075ed0c611d4cd6fdd03f8b35d6eb0f4aefd14465.exe	88
PID 2516 wrote to memory of 4732	2516	cmd.exe	91
PID 2516 wrote to memory of 4732	2516	cmd.exe	91
PID 2516 wrote to memory of 4732	2516	cmd.exe	91
PID 4732 wrote to memory of 1180	4732	cmd.exe	92
PID 4732 wrote to memory of 1180	4732	cmd.exe	92
PID 4732 wrote to memory of 1180	4732	cmd.exe	92
PID 2516 wrote to memory of 1860	2516	cmd.exe	93
PID 2516 wrote to memory of 1860	2516	cmd.exe	93
PID 2516 wrote to memory of 1860	2516	cmd.exe	93
PID 1860 wrote to memory of 3668	1860	cmd.exe	94
PID 1860 wrote to memory of 3668	1860	cmd.exe	94
PID 1860 wrote to memory of 3668	1860	cmd.exe	94
PID 2516 wrote to memory of 1380	2516	cmd.exe	96
PID 2516 wrote to memory of 1380	2516	cmd.exe	96
PID 2516 wrote to memory of 1380	2516	cmd.exe	96
PID 2516 wrote to memory of 4120	2516	cmd.exe	106
PID 2516 wrote to memory of 4120	2516	cmd.exe	106
PID 2516 wrote to memory of 4120	2516	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\89500d95e289944c5685985075ed0c611d4cd6fdd03f8b35d6eb0f4aefd14465.exe
"C:\Users\Admin\AppData\Local\Temp\89500d95e289944c5685985075ed0c611d4cd6fdd03f8b35d6eb0f4aefd14465.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup myip.opendns.com. resolver1.opendns.com
      4⤵
      PID:1180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get Domain
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3668
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1380
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4120
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'
    3⤵
    PID:4388
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'
    3⤵
    PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
1a6d986f55a10d3037e2a8ae67e71cd9

SHA1
88b71a454b4fc10b58d469fe69bd48335d5e4d1b

SHA256
731676a77fdc0e8ad2e1fe4789ec2efa54a09e4b92d004c2b342f0dfed308c95

SHA512
35b860711224371b843fca73f87855e90f21864c978420fc0c0fa94f282374860780235546df23934161e49793dcb5426049e4c4a9c2f94e132e5a7b0f1a447e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
d126569153a88d11769214480a900938

SHA1
0a2963cf6a70962b658cd8cedbdcf39d4412beac

SHA256
ce62aaa80e5bda34ca254d527eb8ce25ad9787d2ca987c63732003c5c9bd33ae

SHA512
141b9a50350c72475edf2ba4c508b091b30b28f1406b4703e741864c3338ea93295ed9552346c218dac440ac5d133f3ed82ef69d7e7463c72f6101e3691058a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
b716252a6c42cbe509f8159129327514

SHA1
d3c6b11b15b4a2d961556ac9cbaedb9290b4e75f

SHA256
f496994e12e043c8c390771b0d6c827a242c896b6ec610c716c2ec95ee9ff04a

SHA512
a7eaed8eaa47e556b8a11795be28a769e9373489ffa9753173e2f30f6f23613c2b65dd02c9b746f790d383a5d9f01cb3c798ce27424ada313655fff55944fa56

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4rfvg1gm.ylx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
memory/1380-36-0x0000000004940000-0x0000000004950000-memory.dmp

Filesize
64KB

Download
memory/1380-35-0x0000000005E70000-0x0000000005EBC000-memory.dmp

Filesize
304KB

Download
memory/1380-20-0x0000000004940000-0x0000000004950000-memory.dmp

Filesize
64KB

Download
memory/1380-21-0x0000000004B80000-0x0000000004BA2000-memory.dmp

Filesize
136KB

Download
memory/1380-22-0x0000000005620000-0x0000000005686000-memory.dmp

Filesize
408KB

Download
memory/1380-23-0x0000000005690000-0x00000000056F6000-memory.dmp

Filesize
408KB

Download
memory/1380-18-0x0000000004F80000-0x00000000055A8000-memory.dmp

Filesize
6.2MB

Download
memory/1380-33-0x0000000005910000-0x0000000005C64000-memory.dmp

Filesize
3.3MB

Download
memory/1380-34-0x0000000005DB0000-0x0000000005DCE000-memory.dmp

Filesize
120KB

Download
memory/1380-14-0x0000000004940000-0x0000000004950000-memory.dmp

Filesize
64KB

Download
memory/1380-17-0x0000000004940000-0x0000000004950000-memory.dmp

Filesize
64KB

Download
memory/1380-39-0x00000000742B0000-0x0000000074A60000-memory.dmp

Filesize
7.7MB

Download
memory/1380-16-0x00000000742B0000-0x0000000074A60000-memory.dmp

Filesize
7.7MB

Download
memory/1380-19-0x0000000004940000-0x0000000004950000-memory.dmp

Filesize
64KB

Download
memory/1380-13-0x00000000742B0000-0x0000000074A60000-memory.dmp

Filesize
7.7MB

Download
memory/1380-15-0x0000000004870000-0x00000000048A6000-memory.dmp

Filesize
216KB

Download
memory/2176-74-0x00000000031A0000-0x00000000031B0000-memory.dmp

Filesize
64KB

Download
memory/2176-73-0x00000000742B0000-0x0000000074A60000-memory.dmp

Filesize
7.7MB

Download
memory/4120-41-0x00000000742B0000-0x0000000074A60000-memory.dmp

Filesize
7.7MB

Download
memory/4120-55-0x00000000742B0000-0x0000000074A60000-memory.dmp

Filesize
7.7MB

Download
memory/4120-43-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/4120-42-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/4388-57-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/4388-67-0x0000000005680000-0x00000000059D4000-memory.dmp

Filesize
3.3MB

Download
memory/4388-56-0x00000000742B0000-0x0000000074A60000-memory.dmp

Filesize
7.7MB

Download
memory/4388-69-0x00000000062D0000-0x000000000631C000-memory.dmp

Filesize
304KB

Download
memory/4388-70-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/4388-72-0x00000000742B0000-0x0000000074A60000-memory.dmp

Filesize
7.7MB

Download