Analysis
max time kernel: 186s
max time network: 195s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-12-2023 16:41
Static task: static1
Behavioral task: behavioral1
  Sample: 064827f373f0bb93f4616642146a91fc.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 064827f373f0bb93f4616642146a91fc.exe
  Resource: win10v2004-20231215-en
General
Target: 064827f373f0bb93f4616642146a91fc.exe
Size: 25KB
MD5: 064827f373f0bb93f4616642146a91fc
SHA1: 99202be7f698c30dbf0c9d4af3efefd7bc0cec4f
SHA256: b81766c2273db2979fc060aa926a13b6b560ad446612088371464a606c80fae4
SHA512: e75cbd54a310e882bed97052046e784b14e161232a368042a0f37df39579725f9497428aad55714aafdb8452a643ac3e2b9ca6c8b0e793e5949ad2c752179bf4
SSDEEP: 768:yaVnrEeAvRH+DHOoVeiInaZxekZ9pjOOdPD9:LRExV9oVKUrntJ
Malware Config
Signatures
Modifies Windows Firewall (1 TTPs, 1 IoCs)
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 064827f373f0bb93f4616642146a91fc.exe, Server.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation | 064827f373f0bb93f4616642146a91fc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation | Server.exe
Drops startup file (2 IoCs)
Processes: svchost.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bdae7bc82fc5afd8ef934e53747b3bda.exe | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bdae7bc82fc5afd8ef934e53747b3bda.exe | svchost.exe
Executes dropped EXE (2 IoCs)
Processes: Server.exe, svchost.exe
pid | process
3780 | Server.exe
4580 | svchost.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bdae7bc82fc5afd8ef934e53747b3bda = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .." | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bdae7bc82fc5afd8ef934e53747b3bda = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .." | svchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (19 IoCs)
Processes: svchost.exe
description | pid | process
Token: SeDebugPrivilege | 4580 | svchost.exe
Token: 33 | 4580 | svchost.exe
Token: SeIncBasePriorityPrivilege | 4580 | svchost.exe
Token: 33 | 4580 | svchost.exe
Token: SeIncBasePriorityPrivilege | 4580 | svchost.exe
Token: 33 | 4580 | svchost.exe
Token: SeIncBasePriorityPrivilege | 4580 | svchost.exe
Token: 33 | 4580 | svchost.exe
Token: SeIncBasePriorityPrivilege | 4580 | svchost.exe
Token: 33 | 4580 | svchost.exe
Token: SeIncBasePriorityPrivilege | 4580 | svchost.exe
Token: 33 | 4580 | svchost.exe
Token: SeIncBasePriorityPrivilege | 4580 | svchost.exe
Token: 33 | 4580 | svchost.exe
Token: SeIncBasePriorityPrivilege | 4580 | svchost.exe
Token: 33 | 4580 | svchost.exe
Token: SeIncBasePriorityPrivilege | 4580 | svchost.exe
Token: 33 | 4580 | svchost.exe
Token: SeIncBasePriorityPrivilege | 4580 | svchost.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 064827f373f0bb93f4616642146a91fc.exe, Server.exe, svchost.exe
description | pid | process | target process
PID 3788 wrote to memory of 3780 | 3788 | 064827f373f0bb93f4616642146a91fc.exe | Server.exe
PID 3788 wrote to memory of 3780 | 3788 | 064827f373f0bb93f4616642146a91fc.exe | Server.exe
PID 3788 wrote to memory of 3780 | 3788 | 064827f373f0bb93f4616642146a91fc.exe | Server.exe
PID 3780 wrote to memory of 4580 | 3780 | Server.exe | svchost.exe
PID 3780 wrote to memory of 4580 | 3780 | Server.exe | svchost.exe
PID 3780 wrote to memory of 4580 | 3780 | Server.exe | svchost.exe
PID 4580 wrote to memory of 2412 | 4580 | svchost.exe | netsh.exe
PID 4580 wrote to memory of 2412 | 4580 | svchost.exe | netsh.exe
PID 4580 wrote to memory of 2412 | 4580 | svchost.exe | netsh.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\064827f373f0bb93f4616642146a91fc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\064827f373f0bb93f4616642146a91fc.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Server.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\svchost.exe
         Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
         - Drops startup file
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
            - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Create or Modify System Process (1)
    Windows Service (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads
C:\Users\Admin\AppData\Local\Temp\Server.exe
  Filesize: 37KB
  MD5: 25e1a437f519c6fae7d58c979850b235
  SHA1: bf7b2905fd7fb26e6670a9d21585344392513e4f
  SHA256: ba98637b354d445da2d87a5b150dadf38fae99e2732268c7b72ff62d563e6bef
  SHA512: ffb9c4d4f48893e971994e80360c96f218c5de8f29edf162239f15dffe642032544e09a5adf89d68ecd81630ce8f0bf253144fcaf14cf0d3fa6274dd85365ed2
memory/3780-15-0x0000000001430000-0x0000000001440000-memory.dmp (Filesize: 64KB)
memory/3780-14-0x00000000748E0000-0x0000000074E91000-memory.dmp (Filesize: 5.7MB)
memory/3780-16-0x00000000748E0000-0x0000000074E91000-memory.dmp (Filesize: 5.7MB)
memory/3780-18-0x00000000748E0000-0x0000000074E91000-memory.dmp (Filesize: 5.7MB)
memory/3780-27-0x00000000748E0000-0x0000000074E91000-memory.dmp (Filesize: 5.7MB)
memory/3788-4-0x0000000001760000-0x0000000001770000-memory.dmp (Filesize: 64KB)
memory/3788-1-0x00007FFAD8130000-0x00007FFAD8BF1000-memory.dmp (Filesize: 10.8MB)
memory/3788-13-0x00007FFAD8130000-0x00007FFAD8BF1000-memory.dmp (Filesize: 10.8MB)
memory/3788-0-0x0000000000E80000-0x0000000000E8C000-memory.dmp (Filesize: 48KB)
memory/4580-28-0x00000000748E0000-0x0000000074E91000-memory.dmp (Filesize: 5.7MB)
memory/4580-29-0x00000000748E0000-0x0000000074E91000-memory.dmp (Filesize: 5.7MB)
memory/4580-31-0x00000000748E0000-0x0000000074E91000-memory.dmp (Filesize: 5.7MB)