Analysis
-
max time kernel
17s -
max time network
29s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-it -
resource tags
-
submitted
05-11-2023 14:58
General
-
Target
danger.exe
-
Size
17.3MB
-
MD5
7aff5c8e1a98cda8d462565511a5bc2d
-
SHA1
4703377360e523fae14e0c09aa1a05af040ccc91
-
SHA256
a90ca15d3c601ae18f82601cfa311ff92405877087ff5566b365799ba05466eb
-
SHA512
bbbc8ccbc6a2fcea0949c4a27ac935310c4b6c8175521c4db0753c0e440c8d9eb58c99996f0bb5d42e02bbd4c6b4f21530abe43add04d58e89f35471f1db909f
-
SSDEEP
393216:7eYCTfyWo1HwlNwakK/Aze071Sxs9PHPN4s+Fhh1:bCDyWEHs3kv7Iy9Pe/
Score
7/10
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\danger.exe"C:\Users\Admin\AppData\Local\Temp\danger.exe"1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Packet_Installer.exe'2⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/976-6-0x00007FFB51630000-0x00007FFB520F1000-memory.dmpFilesize
10.8MB
-
memory/976-7-0x000001F95BD10000-0x000001F95BD20000-memory.dmpFilesize
64KB
-
memory/976-8-0x000001F95BD10000-0x000001F95BD20000-memory.dmpFilesize
64KB
-
memory/4676-1-0x00007FFB51630000-0x00007FFB520F1000-memory.dmpFilesize
10.8MB
-
memory/4676-0-0x0000000000370000-0x00000000025B4000-memory.dmpFilesize
34.3MB
-
memory/4676-2-0x0000000004720000-0x0000000004721000-memory.dmpFilesize
4KB
-
memory/4676-3-0x000000001D3A0000-0x000000001D3B0000-memory.dmpFilesize
64KB
-
memory/4676-4-0x00007FFB51630000-0x00007FFB520F1000-memory.dmpFilesize
10.8MB
-
memory/4676-5-0x000000001D3A0000-0x000000001D3B0000-memory.dmpFilesize
64KB