Analysis
max time kernel: 17s
max time network: 29s
platform: windows10-2004_x64
resource: win10v2004-20231020-it
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-it, locale:it-it, os:windows10-2004-x64, system, windows
submitted: 05-11-2023 14:58
Static task: static1
Behavioral task: behavioral1
  Sample: danger.exe
  Resource: win7-20231025-it
Behavioral task: behavioral2
  Sample: danger.exe
  Resource: win10-20231023-it
Behavioral task: behavioral3
  Sample: danger.exe
  Resource: win10v2004-20231020-it
General
Target: danger.exe
Size: 17.3MB
MD5: 7aff5c8e1a98cda8d462565511a5bc2d
SHA1: 4703377360e523fae14e0c09aa1a05af040ccc91
SHA256: a90ca15d3c601ae18f82601cfa311ff92405877087ff5566b365799ba05466eb
SHA512: bbbc8ccbc6a2fcea0949c4a27ac935310c4b6c8175521c4db0753c0e440c8d9eb58c99996f0bb5d42e02bbd4c6b4f21530abe43add04d58e89f35471f1db909f
SSDEEP: 393216:7eYCTfyWo1HwlNwakK/Aze071Sxs9PHPN4s+Fhh1:bCDyWEHs3kv7Iy9Pe/
Malware Config
Signatures
Checks computer location settings (TTPs: 2, IoCs: 1)
Looks up country code configured in the registry, likely geofence.
Processes (danger.exe):
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation | process: danger.exe

Looks up external IP address via web service (IoCs: 1)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow: 25 | ioc: ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger (IoCs: 2)
Processes (danger.exe):
  pid: 4676 | process: danger.exe
  pid: 4676 | process: danger.exe

Enumerates physical storage devices (TTPs: 1)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (IoCs: 1)
Processes (danger.exe):
  description: Token: SeDebugPrivilege | pid: 4676 | process: danger.exe

Suspicious use of WriteProcessMemory (IoCs: 2)
Processes (danger.exe):
  description: PID 4676 wrote to memory of 976 | pid: 4676 | process: danger.exe | target process: powershell.exe
  description: PID 4676 wrote to memory of 976 | pid: 4676 | process: danger.exe | target process: powershell.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\danger.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\danger.exe"
   PID: 4676
   - Checks computer location settings
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 4676)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Packet_Installer.exe'
      PID: 976
Network
MITRE ATT&CK Enterprise v15
Downloads
memory/976-6-0x00007FFB51630000-0x00007FFB520F1000-memory.dmp | Filesize: 10.8MB
memory/976-7-0x000001F95BD10000-0x000001F95BD20000-memory.dmp | Filesize: 64KB
memory/976-8-0x000001F95BD10000-0x000001F95BD20000-memory.dmp | Filesize: 64KB
memory/4676-1-0x00007FFB51630000-0x00007FFB520F1000-memory.dmp | Filesize: 10.8MB
memory/4676-0-0x0000000000370000-0x00000000025B4000-memory.dmp | Filesize: 34.3MB
memory/4676-2-0x0000000004720000-0x0000000004721000-memory.dmp | Filesize: 4KB
memory/4676-3-0x000000001D3A0000-0x000000001D3B0000-memory.dmp | Filesize: 64KB
memory/4676-4-0x00007FFB51630000-0x00007FFB520F1000-memory.dmp | Filesize: 10.8MB
memory/4676-5-0x000000001D3A0000-0x000000001D3B0000-memory.dmp | Filesize: 64KB