Analysis

  • max time kernel
    148s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/12/2023, 10:24

General

  • Target

    608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe

  • Size

    2.0MB

  • MD5

    f17d36b7435da33a9a9d550eaef8f549

  • SHA1

    f079337f39395c7e7bcdc3c05f6287751a7d4f73

  • SHA256

    608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e

  • SHA512

    515a2c5a0c2211e257cbf6e0e0c49299c610d8c90d400c6c02acb4f4ece2f60b2cb91d311b73d7da8e602fde594fb508538e783631c43bf61a98c60b37c0e6fc

  • SSDEEP

    49152:XLcMLSbtXIRK57i9j78xUn3BlJfoE1xNAfF1oH3tb2qZH9s:XLckSE67w8yJfoE1xNA7qbZ

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe
    "C:\Users\Admin\AppData\Local\Temp\608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3492
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      2⤵
      • Drops file in Drivers directory
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4936
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\608C54~1.EXE > nul
      2⤵
        PID:4404

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\SysWOW64\s4q8.dll

            Filesize

            3.4MB

            MD5

            b2ee390c0b9947b86ede4deb825710a4

            SHA1

            267ca058a46609439560b4742b26e6b4b7d72a6b

            SHA256

            64a2135124c4ef3d47efe2ca1936dd9c6a99f5d6fb9aa9365ee26d43a2fd4aa0

            SHA512

            a81e1813bf0cb5eb3bf2ef32c98304e35d65242dab567c803166d123b6cc34639f598698b198ba85ee55b42c0ab439554340466f69eb5fcfd180bf454c12802b

          • memory/4936-0-0x0000000000E00000-0x0000000000FF2000-memory.dmp

            Filesize

            1.9MB

          • memory/4936-2-0x00000000018E0000-0x0000000001C6B000-memory.dmp

            Filesize

            3.5MB

          • memory/4936-10-0x00000000018E0000-0x0000000001C6B000-memory.dmp

            Filesize

            3.5MB

          • memory/4936-12-0x00000000018E0000-0x0000000001C6B000-memory.dmp

            Filesize

            3.5MB