Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
24-12-2023 17:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
07958a611f1213120e6189d8134fda7f.exe
Resource
win7-20231215-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
07958a611f1213120e6189d8134fda7f.exe
Resource
win10v2004-20231222-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
07958a611f1213120e6189d8134fda7f.exe
-
Size
91KB
-
MD5
07958a611f1213120e6189d8134fda7f
-
SHA1
a61b883303e41bb3f3c8d5fe1764a154cf73104c
-
SHA256
5aa99858723c705bf93b15a6285a8e7825ff05cc7b212229db2d95db24704c4d
-
SHA512
aa6ee0433c4de15c14f00df36fd32b8b3d09ac21527a5b19be7b6be2bc7f493b79fd7d3d375cca909f529216e5dbe865b0b54eb05b24bdde2b997cbf9b70ec3d
-
SSDEEP
1536:BqQAx0n+jpe1hZqAvGGtCSoe11z3vqM4/VbucdU/mNYjiZcHvIyi68q7+FSlDKGs:u+nd1hZqFMuuit
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" boten.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation 07958a611f1213120e6189d8134fda7f.exe -
Executes dropped EXE 1 IoCs
pid Process 4212 boten.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boten = "C:\\Users\\Admin\\boten.exe" boten.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe 4212 boten.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3076 07958a611f1213120e6189d8134fda7f.exe 4212 boten.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3076 wrote to memory of 4212 3076 07958a611f1213120e6189d8134fda7f.exe 79 PID 3076 wrote to memory of 4212 3076 07958a611f1213120e6189d8134fda7f.exe 79 PID 3076 wrote to memory of 4212 3076 07958a611f1213120e6189d8134fda7f.exe 79 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19 PID 4212 wrote to memory of 3076 4212 boten.exe 19
Processes
-
C:\Users\Admin\AppData\Local\Temp\07958a611f1213120e6189d8134fda7f.exe"C:\Users\Admin\AppData\Local\Temp\07958a611f1213120e6189d8134fda7f.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3076 -
C:\Users\Admin\boten.exe"C:\Users\Admin\boten.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4212
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD581e88945a247f5c82453605d4b345e4a
SHA12d9c8ffddcac93093a9368eaccec38d4943fb3b2
SHA25672e3f82c5038e1465aa510e65e3a045034f59d2c7b2a030845cea8ae49a14736
SHA512d9acaba0fbdd965a9032dbfb26a812f2b244ac75999f5c9da2243d14abd3d77d63a6783d875b9685f3e2ea10bd9c5fda20202cf97badb64bbfed652b142a96b9
-
Filesize
84KB
MD547bd1e6cc8fc0d7d2ca4758ff3db16b2
SHA15c2750b4999684104a78058c3fde1eec2ea53aed
SHA256df4f763bac861b660f035ad3ddf3fa6af54d0e8a2c993c7127fed7c518d85f4a
SHA51211906f7b04287008c1f869482cbb461f9e8231ae787c033d9e73a94cbea1dbb5bda39f12b64913b806e9482ce55a8e4ab2687b290497a3e3b3e5ba70c5b2a8f4
-
Filesize
83KB
MD5f4573137b5518a9fa53c2b74af14a6a6
SHA1178e29dd99c7659713d01c23ded2a3d7683b38ff
SHA25641d8a50ccee54c43f700e9ea68c45ffe0b76897ad320c00fa5a7d0d9251fa4cd
SHA512351175c58ae04b6f03cb4294dad3ad7a2a19c42e3c7bc439244e978ae9189f1ec02f730aae3424581960969574951813b944d6bab7097f978dadb8a49af4f34e