Analysis
max time kernel: 148s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/12/2023, 10:24

Static task: static1
Behavioral task: behavioral1
  Sample: 608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: 608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe
  Resource: win10v2004-20231127-en

The signatures, process tree and PIDs on this page come from the windows10-2004_x64 run (behavioral2, resource win10v2004-20231127-en); the win7-20231023-en run (behavioral1) is not shown here.
General
Target: 608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe
Size: 2.0MB
MD5: f17d36b7435da33a9a9d550eaef8f549
SHA1: f079337f39395c7e7bcdc3c05f6287751a7d4f73
SHA256: 608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e
SHA512: 515a2c5a0c2211e257cbf6e0e0c49299c610d8c90d400c6c02acb4f4ece2f60b2cb91d311b73d7da8e602fde594fb508538e783631c43bf61a98c60b37c0e6fc
SSDEEP: 49152:XLcMLSbtXIRK57i9j78xUn3BlJfoE1xNAfF1oH3tb2qZH9s:XLckSE67w8yJfoE1xNA7qbZ
Malware Config
Signatures
Drops file in Drivers directory (1 IoC)
  description: File created
  ioc: C:\Windows\system32\drivers\ktkigeGt.sys
  Process: svchost.exe
  Note: the writing process is the 32-bit C:\Windows\SysWOW64\svchost.exe (PID 4936, see Processes). For a 32-bit process, writes under C:\Windows\system32\ are normally redirected by WOW64 to C:\Windows\SysWOW64\ (drivers\etc is exempt, drivers\ itself is not) unless the code disables redirection or uses the Sysnative alias. Confirm where ktkigeGt.sys actually landed before using the full path as an on-disk indicator; the file name alone is a usable IoC either way.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Control Panel\International\Geo\Nation
  Process: 608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe
Loads dropped DLL (1 IoC)
  pid: 4936  Process: svchost.exe

Drops file in System32 directory (1 IoC)
  description: File created
  ioc: C:\Windows\SysWOW64\s4q8.dll
  Process: svchost.exe

Suspicious use of SetThreadContext (1 IoC)
  description: set thread context
  pid: 3492  Process: 608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe
  target PID: 4936  (svchost.exe, procid_target 86)
  Note: combined with the WriteProcessMemory calls from 3492 into 4936 and the fact that 3492 spawned this svchost.exe itself, this is the API sequence of process hollowing (create a child, write a payload into it, redirect its primary thread with SetThreadContext, resume). The report does not show the bytes written or the creation flags, so hollowing is an inference; what the report does establish is that the behaviour later attributed to svchost.exe (driver drop, DLL drop, process enumeration) should be read as the sample's code running inside that process, not as Microsoft's service host.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid: 4936  Process: svchost.exe  (all 12 hits)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege            pid: 3492  Process: 608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe
  Token: SeDebugPrivilege            pid: 4936  Process: svchost.exe
  Token: SeDebugPrivilege            pid: 4936  Process: svchost.exe
  Token: SeIncBasePriorityPrivilege  pid: 3492  Process: 608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe
  Note: SeDebugPrivilege is what a process needs to open handles to processes it does not own. Its presence in both 3492 (which writes into 4936) and 4936 (which enumerates processes) fits those actions.
Suspicious use of WriteProcessMemory (7 IoCs)
  PID 3492 wrote to memory of 4936  x4  (608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe -> svchost.exe, procid_target 86)
  PID 3492 wrote to memory of 4404  x3  (608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe -> cmd.exe, procid_target 91)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe  (PID 3492)
    command line: "C:\Users\Admin\AppData\Local\Temp\608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\svchost.exe  (PID 4936, child of 3492)
        command line: C:\Windows\system32\svchost.exe
        - Drops file in Drivers directory
        - Loads dropped DLL
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\cmd.exe  (PID 4404, child of 3492)
        command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\608C54~1.EXE > nul

Two things in this tree are worth checking wherever similar process telemetry is available:
- svchost.exe is launched by a user-land executable from %TEMP% and with no "-k <servicegroup>" argument. Legitimate service hosts are started by services.exe and normally carry -k. The image also resolved to the SysWOW64 copy although the command line says system32, which is WOW64 redirection: the sample is a 32-bit binary hosting its payload in a 32-bit svchost.exe.
- The cmd.exe child deletes the original dropper, referenced by its 8.3 short name 608C54~1.EXE, with output sent to nul. This is self-deletion of the initial stage: the sample's file is gone from %TEMP% once it has run, so acquisition has to come from the submitted copy or from the memory of svchost.exe.
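The two checks the process tree suggests, svchost.exe started by a non-service parent without -k and cmd.exe deleting its parent's own image by 8.3 short name, as detection logic over process-creation events. This is an added example, not part of the sandbox report or of the sample. The events are constructed Sysmon-style records mirroring the tree; the field names, the explorer.exe parent of PID 3492 and the benign control processes (PIDs 700, 900, 901) are assumptions.

```python
"""Two detections for the process tree in this report (added example, not the
sandbox's own logic). Events are constructed Sysmon-style records; field names,
the explorer.exe parent and the benign controls (700, 900, 901) are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str         # full path of the started process
    cmdline: str
    parent_image: str  # full path of the parent process


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def is_anomalous_svchost(ev: ProcEvent) -> Optional[str]:
    """Reasons why this svchost.exe start does not look like a real service host,
    or None when it looks normal (or is not svchost.exe at all)."""
    if _basename(ev.image) != "svchost.exe":
        return None
    reasons = []
    if _basename(ev.parent_image) != "services.exe":
        reasons.append(f"parent is {ev.parent_image}, not services.exe")
    # services.exe passes -k <servicegroup>; a bare svchost.exe is hand-launched
    if not re.search(r"(?i)\s-k\s+\S+", ev.cmdline):
        reasons.append("no -k <servicegroup> argument")
    # a 32-bit host under SysWOW64 is rare for genuine service hosts on x64 Windows
    if "\\syswow64\\" in ev.image.lower():
        reasons.append("32-bit SysWOW64 image")
    return "; ".join(reasons) if reasons else None


_SHORT_RE = re.compile(r"(?i)([A-Z0-9_$!#&@%^{}'`()-]{1,6})~\d+(\.[A-Z0-9]{1,3})?")


def short_name_matches(name: str, long_name: str) -> bool:
    """Match a file name that may be an 8.3 short name (608C54~1.EXE) against a long
    name. Windows builds the short name from the first six legal characters of the
    base name (spaces and extra dots removed), '~N', and up to three extension
    characters. N depends on the directory contents, so any N is accepted."""
    m = _SHORT_RE.fullmatch(name)
    if not m:
        return name.lower() == long_name.lower()
    prefix, ext = m.group(1), (m.group(2) or ".")[1:]
    base, dot, long_ext = long_name.rpartition(".")
    if not dot:
        base, long_ext = long_name, ""
    base = base.replace(" ", "").replace(".", "")
    return base[:len(prefix)].lower() == prefix.lower() and long_ext[:3].lower() == ext.lower()


_DEL_RE = re.compile(r"(?i)\bdel\s+(?:/\w\s+)*\"?([^\"\s>]+)")


def is_self_delete(ev: ProcEvent, procs: Dict[int, ProcEvent]) -> bool:
    """True when a cmd.exe child runs 'del <path>' and <path> is its parent's own image."""
    if _basename(ev.image) != "cmd.exe":
        return False
    m = _DEL_RE.search(ev.cmdline)
    parent = procs.get(ev.ppid)
    if not m or parent is None:
        return False
    t_dir, _, t_file = m.group(1).rpartition("\\")
    p_dir, _, p_file = parent.image.rpartition("\\")
    return t_dir.lower() == p_dir.lower() and short_name_matches(t_file, p_file)


def scan(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Run both detections over a batch of process-creation events."""
    procs = {e.pid: e for e in events}
    alerts: List[Tuple[int, str]] = []
    for ev in events:
        reason = is_anomalous_svchost(ev)
        if reason:
            alerts.append((ev.pid, "anomalous svchost.exe: " + reason))
        if is_self_delete(ev, procs):
            alerts.append((ev.pid, "cmd.exe deleting its parent's image (self-deletion)"))
    return alerts


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe"

# Constructed events mirroring the report's tree, plus two benign controls (900, 901).
SAMPLE_EVENTS = [
    ProcEvent(3492, 1234, DROPPER, f'"{DROPPER}"', r"C:\Windows\explorer.exe"),
    ProcEvent(4936, 3492, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\system32\svchost.exe", DROPPER),
    ProcEvent(4404, 3492, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\608C54~1.EXE > nul', DROPPER),
    ProcEvent(900, 700, r"C:\Windows\System32\svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs -p",
              r"C:\Windows\System32\services.exe"),
    ProcEvent(901, 3492, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\log.txt', DROPPER),
]

if __name__ == "__main__":
    for pid, msg in scan(SAMPLE_EVENTS):
        print(f"PID {pid}: {msg}")
```

Running it flags PID 4936 (non-services.exe parent, no -k, SysWOW64 image) and PID 4404 (deletion of the parent's image), while the service-launched svchost.exe and the cmd.exe deleting an unrelated file produce nothing. The short-name matcher deliberately accepts any ~N suffix, because the number assigned by Windows depends on what else is in the directory and is not recoverable from the command line alone.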
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.4MB
MD5: b2ee390c0b9947b86ede4deb825710a4
SHA1: 267ca058a46609439560b4742b26e6b4b7d72a6b
SHA256: 64a2135124c4ef3d47efe2ca1936dd9c6a99f5d6fb9aa9365ee26d43a2fd4aa0
SHA512: a81e1813bf0cb5eb3bf2ef32c98304e35d65242dab567c803166d123b6cc34639f598698b198ba85ee55b42c0ab439554340466f69eb5fcfd180bf454c12802b