Analysis

max time kernel: 133s
max time network: 131s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 20/12/2023, 15:47

Behavioral task behavioral1
  Sample: dd2e2cf10a41a07faa2bfc890a30ef28.exe
  Resource: win7-20231215-en

Behavioral task behavioral2
  Sample: dd2e2cf10a41a07faa2bfc890a30ef28.exe
  Resource: win10v2004-20231215-en
General

Target: dd2e2cf10a41a07faa2bfc890a30ef28.exe
Size: 6.9MB
MD5: dd2e2cf10a41a07faa2bfc890a30ef28
SHA1: fc9e90c465f8457f8e0cff8fdac85b412c09d7e1
SHA256: 57926c629184179f9f15f942b791bd36bfec63e28b87dd7b2f701b878bba7df4
SHA512: ec7da112c4d574bd78aed1648c1586e6eeb851bc7cb9d29969a779cda5eb98ea1709da19dce0ded19192f96c959a7e5af872ad704c16ebb86be759931ca3f53b
SSDEEP: 196608:fOKzCPwaYLFn9WpTIA6qmF5RZLL9wVzSyUCIQ:f3CHMFApcA69Pn9qSy1
Malware Config
Signatures

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
  Description        IoC                                                                                                     Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation  services32.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation  dd2e2cf10a41a07faa2bfc890a30ef28.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation  msconfig.exe

Executes dropped EXE (3 IoCs)
  PID   Process
  1932  msconfig.exe
  1764  services32.exe
  4940  sihost32.exe

  Resource                                                                     YARA rule
  behavioral2/memory/1848-1-0x0000000000400000-0x0000000000AE3000-memory.dmp  vmprotect
  behavioral2/memory/1848-2-0x0000000000400000-0x0000000000AE3000-memory.dmp  vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID   Process
  1848  dd2e2cf10a41a07faa2bfc890a30ef28.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID   Process
  2976  schtasks.exe
  3384  schtasks.exe

Modifies registry class (1 IoC)
  Description  IoC                                                                                                    Process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  dd2e2cf10a41a07faa2bfc890a30ef28.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID   Process
  1848  dd2e2cf10a41a07faa2bfc890a30ef28.exe
  1848  dd2e2cf10a41a07faa2bfc890a30ef28.exe
  1932  msconfig.exe
  1764  services32.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description              PID   Process
  Token: SeDebugPrivilege  1932  msconfig.exe
  Token: SeDebugPrivilege  1764  services32.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  Description                       PID   Process                               procid_target
  PID 1848 wrote to memory of 1932  1848  dd2e2cf10a41a07faa2bfc890a30ef28.exe  91
  PID 1848 wrote to memory of 1932  1848  dd2e2cf10a41a07faa2bfc890a30ef28.exe  91
  PID 1932 wrote to memory of 2008  1932  msconfig.exe                          96
  PID 1932 wrote to memory of 2008  1932  msconfig.exe                          96
  PID 2008 wrote to memory of 2976  2008  cmd.exe                               95
  PID 2008 wrote to memory of 2976  2008  cmd.exe                               95
  PID 1932 wrote to memory of 1764  1932  msconfig.exe                          97
  PID 1932 wrote to memory of 1764  1932  msconfig.exe                          97
  PID 1764 wrote to memory of 1188  1764  services32.exe                        100
  PID 1764 wrote to memory of 1188  1764  services32.exe                        100
  PID 1764 wrote to memory of 4940  1764  services32.exe                        101
  PID 1764 wrote to memory of 4940  1764  services32.exe                        101
  PID 1188 wrote to memory of 3384  1188  cmd.exe                               103
  PID 1188 wrote to memory of 3384  1188  cmd.exe                               103

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\dd2e2cf10a41a07faa2bfc890a30ef28.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dd2e2cf10a41a07faa2bfc890a30ef28.exe"
  PID: 1848
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\msconfig.exe
    Command line: "C:\Users\Admin\AppData\Roaming\msconfig.exe"
    PID: 1932
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"' & exit
      PID: 2008
      - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\services32.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\services32.exe"
      PID: 1764
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"' & exit
        PID: 1188
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\schtasks.exe
          Command line: schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"'
          PID: 3384
          - Creates scheduled task(s)

      C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
        PID: 4940
        - Executes dropped EXE

C:\Windows\system32\schtasks.exe
  Command line: schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"'
  PID: 2976
  - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads