Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
-
submitted
12-11-2023 08:49
General
-
Target
46975109aa4c05a5301ca4bcd1ae26c743caa723a772863c57bdcf721a100d02.exe
-
Size
2.4MB
-
MD5
e5eef0e0c5daf17bee42a5fbf42c01cd
-
SHA1
0f73635c6075af79214ea8256fecbe46efe567f5
-
SHA256
46975109aa4c05a5301ca4bcd1ae26c743caa723a772863c57bdcf721a100d02
-
SHA512
6b888802e97fa46562d059973415cf33c4404e9415ed7eb4d3140cd73d57b99b0b7b8dc32e3ddb62804852a415b53d5babadd1ced07f94de0826bfb260ac1911
-
SSDEEP
24576:bjSokU1rigjSow13JbKkKF/eMNPj7F5vvFvXn:bjSn6rigjSt59KFeMJF5vvFvXn
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Drops file in System32 directory 11 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies data under HKEY_USERS 17 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 37 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\Inf\FXSCOVER.exe"C:\Windows\Inf\FXSCOVER.exe"2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
-
C:\Windows\Inf\xwizard.exe"C:\Windows\Inf\xwizard.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\46975109aa4c05a5301ca4bcd1ae26c743caa723a772863c57bdcf721a100d02.exe"C:\Users\Admin\AppData\Local\Temp\46975109aa4c05a5301ca4bcd1ae26c743caa723a772863c57bdcf721a100d02.exe"2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\TpmInit.exe"C:\Windows\system32\TpmInit.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\46975109aa4c05a5301ca4bcd1ae26c743caa723a772863c57bdcf721a100d02.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 14⤵
- Delays execution with timeout.exe
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
14.1MB
MD5a7ef23896bd75e4cf69595d10cac31ac
SHA16882cc47f35317decd34213a550473c6aa83a908
SHA2563148f6ce8f8cd6246cb222715925a6a6066d573e92bf5441a8f191884870810c
SHA5121f8efa9855b5f9b768a2cd445986de7f5c4a2adec31afa5b92530651a8f99fcb43f25eaa2469c5ea7c1e7e04b3a5fd41f61bc1b322d9489ad11494ad4164f08c
-
Filesize
242KB
MD55769f78d00f22f76a4193dc720d0b2bd
SHA1d62b6cab057e88737cba43fe9b0c6d11a28b53e8
SHA25640e8e6dabfa1485b11cdccf220eb86eeaa8256e99e344cf2b2098d4cdb788a31
SHA512b4b3448a2635b21690c71254d964832e89bf947f7a0d32e79dcc84730f11d4afb4149a810a768878e52f88fc8baec45f1a2fec8e22c5301e9f39fe4fc6a57e3f
-
Filesize
242KB
MD55769f78d00f22f76a4193dc720d0b2bd
SHA1d62b6cab057e88737cba43fe9b0c6d11a28b53e8
SHA25640e8e6dabfa1485b11cdccf220eb86eeaa8256e99e344cf2b2098d4cdb788a31
SHA512b4b3448a2635b21690c71254d964832e89bf947f7a0d32e79dcc84730f11d4afb4149a810a768878e52f88fc8baec45f1a2fec8e22c5301e9f39fe4fc6a57e3f
-
Filesize
62KB
MD530c784340f42db44a84c7958c240e394
SHA1a9611d90310fe54d0f78e7e067b00c9d53c870c3
SHA2564359c82a6760d717ec367bc80b1a70e149bf7e197ea45c1188a4826570b96c50
SHA512f5f7da6505dfde7060ec0fb186915f4390eb1d0a3048effc65df41b9b6201e501be1ad6cb3db8f626451fd3fdfaf5ef9d615200b7d039f79e93ef74e4a359d8e
-
Filesize
62KB
MD530c784340f42db44a84c7958c240e394
SHA1a9611d90310fe54d0f78e7e067b00c9d53c870c3
SHA2564359c82a6760d717ec367bc80b1a70e149bf7e197ea45c1188a4826570b96c50
SHA512f5f7da6505dfde7060ec0fb186915f4390eb1d0a3048effc65df41b9b6201e501be1ad6cb3db8f626451fd3fdfaf5ef9d615200b7d039f79e93ef74e4a359d8e
-
Filesize
4KB
-
Filesize
12KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
1.8MB
-
Filesize
812KB
-
Filesize
1.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
1.8MB
-
Filesize
64KB
-
Filesize
812KB
-
Filesize
812KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
812KB
-
Filesize
812KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
812KB
-
Filesize
12KB
-
Filesize
996KB
-
Filesize
12KB
-
Filesize
996KB
-
Filesize
4KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
4KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
996KB
-
Filesize
996KB