00b79f0a2bec5dbd14815e7c286de06a5ec394f7713c0cb5318743036d085874

Analysis

max time kernel
145s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
16/11/2023, 22:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

simplewall.exe
Size

780KB
MD5

f3c5d9d3ff26df02a6764e3186a6f2a8
SHA1

72181dff9d45af62dfe2690ca2d6bf93dcc33b28
SHA256

00b79f0a2bec5dbd14815e7c286de06a5ec394f7713c0cb5318743036d085874
SHA512

5937487b0bfe85fe5700a0080f2a6d541e984dfd87ef5ed9c7e326ddeeee5adbfb98bc4f3b60bdd7321f04b95aea63cf5f8d21201a3ab5437edf8893aeb7474f
SSDEEP

24576:wHHyYqInEFB7AGtROg782oChmTZnx80zvsZU81:KSYFcB7AGtROg74ChmTZnx80O

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	simplewall.exe

Executes dropped EXE 1 IoCs

pid	Process
4784	update-simplewall-dsvhwfe.exe

Loads dropped DLL 1 IoCs

pid	Process
4784	update-simplewall-dsvhwfe.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1936	simplewall.exe
Token: SeTakeOwnershipPrivilege	1936	simplewall.exe
Token: SeIncBasePriorityPrivilege	1936	simplewall.exe
Token: SeBackupPrivilege	1936	simplewall.exe
Token: SeRestorePrivilege	1936	simplewall.exe
Token: SeDebugPrivilege	1936	simplewall.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
1936	simplewall.exe
1936	simplewall.exe
1936	simplewall.exe
1936	simplewall.exe
1936	simplewall.exe
1936	simplewall.exe
1936	simplewall.exe
1936	simplewall.exe
1936	simplewall.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
1936	simplewall.exe
1936	simplewall.exe
1936	simplewall.exe
1936	simplewall.exe
1936	simplewall.exe
1936	simplewall.exe
1936	simplewall.exe
1936	simplewall.exe
1936	simplewall.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 4784	1936	simplewall.exe	104
PID 1936 wrote to memory of 4784	1936	simplewall.exe	104
PID 1936 wrote to memory of 4784	1936	simplewall.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\simplewall.exe
"C:\Users\Admin\AppData\Local\Temp\simplewall.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Admin\AppData\Roaming\Henry++\simplewall\cache\update-simplewall-dsvhwfe.exe
  "C:\Users\Admin\AppData\Roaming\Henry++\simplewall\cache\update-simplewall-dsvhwfe.exe" "C:\Users\Admin\AppData\Roaming\Henry++\simplewall\cache\update-simplewall-dsvhwfe.exe" /u /S /D=C:\Users\Admin\AppData\Local\Temp
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsbE017.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
C:\Users\Admin\AppData\Roaming\Henry++\simplewall\cache\update-simplewall-dsvhwfe.exe

Filesize
645KB

MD5
853361e4f4bc777db1bd3a2269185fb3

SHA1
813c1ca948ec0e9282e9a7d4546c8a89109e2773

SHA256
7804edc4a726f39a94cb08197a9cad5818eda2854c9cf64d84aadf58ecf3d4a9

SHA512
123e5c8c5aac54d4c3b110256e9dfe8ef1eaf61c9421f5c97bd1c38a97d18b5c306cead1d721d6fc2330e92830c58631281495e059c50ff8512c0c49d4404d66

Download Submit
C:\Users\Admin\AppData\Roaming\Henry++\simplewall\cache\update-simplewall-dsvhwfe.exe

Filesize
645KB

MD5
853361e4f4bc777db1bd3a2269185fb3

SHA1
813c1ca948ec0e9282e9a7d4546c8a89109e2773

SHA256
7804edc4a726f39a94cb08197a9cad5818eda2854c9cf64d84aadf58ecf3d4a9

SHA512
123e5c8c5aac54d4c3b110256e9dfe8ef1eaf61c9421f5c97bd1c38a97d18b5c306cead1d721d6fc2330e92830c58631281495e059c50ff8512c0c49d4404d66

Download Submit
C:\Users\Admin\AppData\Roaming\Henry++\simplewall\cache\update-simplewall-dsvhwfe.exe

Filesize
645KB

MD5
853361e4f4bc777db1bd3a2269185fb3

SHA1
813c1ca948ec0e9282e9a7d4546c8a89109e2773

SHA256
7804edc4a726f39a94cb08197a9cad5818eda2854c9cf64d84aadf58ecf3d4a9

SHA512
123e5c8c5aac54d4c3b110256e9dfe8ef1eaf61c9421f5c97bd1c38a97d18b5c306cead1d721d6fc2330e92830c58631281495e059c50ff8512c0c49d4404d66

Download Submit