abbbca8ae1d2e74dce6d71dffcaf6242aa1375ad764b7fa9905eab527a87d3cd

General

Target

abbbca8ae1d2e74dce6d71dffcaf6242aa1375ad764b7fa9905eab527a87d3cd.exe
Size

193KB
MD5

c86068c0a98b8af36c5385f540925e75
SHA1

1f896e48105ff8aff703eac447e890f3ea50c2fe
SHA256

abbbca8ae1d2e74dce6d71dffcaf6242aa1375ad764b7fa9905eab527a87d3cd
SHA512

0cce4f67b77ef37ea6b48f352fae3a5f726f25172091cdf28597433039efe6d79d2914bb764b31a16c438603f5b083be4950ad522ced6ce76a7abad165a7fd3b
SSDEEP

6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOV:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXX0

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	abbbca8ae1d2e74dce6d71dffcaf6242aa1375ad764b7fa9905eab527a87d3cd.exe

Executes dropped EXE 1 IoCs

pid	Process
1088	akmhost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Debug\akmhost.exe	abbbca8ae1d2e74dce6d71dffcaf6242aa1375ad764b7fa9905eab527a87d3cd.exe
File opened for modification	C:\Windows\Debug\akmhost.exe	abbbca8ae1d2e74dce6d71dffcaf6242aa1375ad764b7fa9905eab527a87d3cd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	akmhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	akmhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4084	abbbca8ae1d2e74dce6d71dffcaf6242aa1375ad764b7fa9905eab527a87d3cd.exe
Token: SeManageVolumePrivilege	1992	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4084 wrote to memory of 3568	4084	abbbca8ae1d2e74dce6d71dffcaf6242aa1375ad764b7fa9905eab527a87d3cd.exe	90
PID 4084 wrote to memory of 3568	4084	abbbca8ae1d2e74dce6d71dffcaf6242aa1375ad764b7fa9905eab527a87d3cd.exe	90
PID 4084 wrote to memory of 3568	4084	abbbca8ae1d2e74dce6d71dffcaf6242aa1375ad764b7fa9905eab527a87d3cd.exe	90

C:\Users\Admin\AppData\Local\Temp\abbbca8ae1d2e74dce6d71dffcaf6242aa1375ad764b7fa9905eab527a87d3cd.exe
"C:\Users\Admin\AppData\Local\Temp\abbbca8ae1d2e74dce6d71dffcaf6242aa1375ad764b7fa9905eab527a87d3cd.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\ABBBCA~1.EXE > nul
  2⤵
  PID:3568

C:\Windows\Debug\akmhost.exe
C:\Windows\Debug\akmhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1088

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:3404

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Debug\akmhost.exe

Filesize
193KB

MD5
35149be85565e674ac94d8703093394e

SHA1
531eda55ee84132bcf0e8ac4ea7c0d638df05e88

SHA256
649ba6c1bc0c8ffd7f757abd79a3f8f40580884a7bc985fb9cf21ac637af220a

SHA512
d43cff09403653b0fce01fdecdaf4114f1c17ac81481744ce4469ab3c00fb44fd314cbe2468fcbebdf994a4373756ecbf9e14cd22b0150c0e6d8d32a0f98ed41

Download Submit
C:\Windows\debug\akmhost.exe

Filesize
193KB

MD5
35149be85565e674ac94d8703093394e

SHA1
531eda55ee84132bcf0e8ac4ea7c0d638df05e88

SHA256
649ba6c1bc0c8ffd7f757abd79a3f8f40580884a7bc985fb9cf21ac637af220a

SHA512
d43cff09403653b0fce01fdecdaf4114f1c17ac81481744ce4469ab3c00fb44fd314cbe2468fcbebdf994a4373756ecbf9e14cd22b0150c0e6d8d32a0f98ed41

Download Submit
memory/1992-44-0x0000021BBC500000-0x0000021BBC501000-memory.dmp

Filesize
4KB

Download
memory/1992-36-0x0000021BBC4E0000-0x0000021BBC4E1000-memory.dmp

Filesize
4KB

Download
memory/1992-45-0x0000021BBC500000-0x0000021BBC501000-memory.dmp

Filesize
4KB

Download
memory/1992-37-0x0000021BBC500000-0x0000021BBC501000-memory.dmp

Filesize
4KB

Download
memory/1992-38-0x0000021BBC500000-0x0000021BBC501000-memory.dmp

Filesize
4KB

Download
memory/1992-39-0x0000021BBC500000-0x0000021BBC501000-memory.dmp

Filesize
4KB

Download
memory/1992-40-0x0000021BBC500000-0x0000021BBC501000-memory.dmp

Filesize
4KB

Download
memory/1992-41-0x0000021BBC500000-0x0000021BBC501000-memory.dmp

Filesize
4KB

Download
memory/1992-46-0x0000021BBC500000-0x0000021BBC501000-memory.dmp

Filesize
4KB

Download
memory/1992-43-0x0000021BBC500000-0x0000021BBC501000-memory.dmp

Filesize
4KB

Download
memory/1992-72-0x0000021BBC380000-0x0000021BBC381000-memory.dmp

Filesize
4KB

Download
memory/1992-20-0x0000021BB3F40000-0x0000021BB3F50000-memory.dmp

Filesize
64KB

Download
memory/1992-42-0x0000021BBC500000-0x0000021BBC501000-memory.dmp

Filesize
4KB

Download
memory/1992-47-0x0000021BBC130000-0x0000021BBC131000-memory.dmp

Filesize
4KB

Download
memory/1992-48-0x0000021BBC120000-0x0000021BBC121000-memory.dmp

Filesize
4KB

Download
memory/1992-50-0x0000021BBC130000-0x0000021BBC131000-memory.dmp

Filesize
4KB

Download
memory/1992-53-0x0000021BBC120000-0x0000021BBC121000-memory.dmp

Filesize
4KB

Download
memory/1992-56-0x0000021BBC060000-0x0000021BBC061000-memory.dmp

Filesize
4KB

Download
memory/1992-68-0x0000021BBC260000-0x0000021BBC261000-memory.dmp

Filesize
4KB

Download
memory/1992-70-0x0000021BBC270000-0x0000021BBC271000-memory.dmp

Filesize
4KB

Download
memory/1992-71-0x0000021BBC270000-0x0000021BBC271000-memory.dmp

Filesize
4KB

Download
memory/1992-4-0x0000021BB3E40000-0x0000021BB3E50000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads