d5685b7576875be2c14879906191e0817ff0fab11b0075d89a92445ad93c1191

Analysis

max time kernel
92s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0874d77f9d19a2668da6e8a4ea44e5b2.exe
Size

203KB
MD5

0874d77f9d19a2668da6e8a4ea44e5b2
SHA1

422955180edf85c8f28ae06fc84a7498613594d0
SHA256

d5685b7576875be2c14879906191e0817ff0fab11b0075d89a92445ad93c1191
SHA512

590566d9466a4580595030a7bb2a16d28a962ed5b6c0ed7082f9308d27efae6fb41697281518b44efd83ab47be7da278f8c7eb3ba037092764730700e12bc5cd
SSDEEP

3072:aVG6UVYxmJhU40XGRkTjuIWnGPDXHV0wcFS+p3z67C3gA2QQCTK8bOfbvp7EH/E7:yh17XtTKGPD10fFx3WbA23CNbOThIcWe

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	tmp1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	tmp2.exe

Executes dropped EXE 4 IoCs

pid	Process
4912	ns545D.tmp
3184	check.exe
3220	tmp1.exe
3176	tmp2.exe

Loads dropped DLL 1 IoCs

pid	Process
5104	0874d77f9d19a2668da6e8a4ea44e5b2.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "kdeun.exe"	tmp1.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kdeun.exe	tmp1.exe
File opened for modification	C:\Windows\SysWOW64\kdeun.exe	tmp1.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3220 set thread context of 4400	3220	tmp1.exe	43

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo	tmp1.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International	tmp1.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo	tmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International	tmp2.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3220	tmp1.exe
3220	tmp1.exe
3220	tmp1.exe
3220	tmp1.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3220	tmp1.exe
Token: SeSecurityPrivilege	3220	tmp1.exe
Token: SeTakeOwnershipPrivilege	3220	tmp1.exe
Token: SeLoadDriverPrivilege	3220	tmp1.exe
Token: SeSystemProfilePrivilege	3220	tmp1.exe
Token: SeSystemtimePrivilege	3220	tmp1.exe
Token: SeProfSingleProcessPrivilege	3220	tmp1.exe
Token: SeIncBasePriorityPrivilege	3220	tmp1.exe
Token: SeCreatePagefilePrivilege	3220	tmp1.exe
Token: SeBackupPrivilege	3220	tmp1.exe
Token: SeRestorePrivilege	3220	tmp1.exe
Token: SeShutdownPrivilege	3220	tmp1.exe
Token: SeDebugPrivilege	3220	tmp1.exe
Token: SeSystemEnvironmentPrivilege	3220	tmp1.exe
Token: SeChangeNotifyPrivilege	3220	tmp1.exe
Token: SeRemoteShutdownPrivilege	3220	tmp1.exe
Token: SeUndockPrivilege	3220	tmp1.exe
Token: SeManageVolumePrivilege	3220	tmp1.exe
Token: SeImpersonatePrivilege	3220	tmp1.exe
Token: SeCreateGlobalPrivilege	3220	tmp1.exe
Token: 33	3220	tmp1.exe
Token: 34	3220	tmp1.exe
Token: 35	3220	tmp1.exe
Token: 36	3220	tmp1.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 4912	5104	0874d77f9d19a2668da6e8a4ea44e5b2.exe	25
PID 5104 wrote to memory of 4912	5104	0874d77f9d19a2668da6e8a4ea44e5b2.exe	25
PID 5104 wrote to memory of 4912	5104	0874d77f9d19a2668da6e8a4ea44e5b2.exe	25
PID 4912 wrote to memory of 3184	4912	ns545D.tmp	20
PID 4912 wrote to memory of 3184	4912	ns545D.tmp	20
PID 4912 wrote to memory of 3184	4912	ns545D.tmp	20
PID 5104 wrote to memory of 3220	5104	0874d77f9d19a2668da6e8a4ea44e5b2.exe	22
PID 5104 wrote to memory of 3220	5104	0874d77f9d19a2668da6e8a4ea44e5b2.exe	22
PID 5104 wrote to memory of 3220	5104	0874d77f9d19a2668da6e8a4ea44e5b2.exe	22
PID 5104 wrote to memory of 3176	5104	0874d77f9d19a2668da6e8a4ea44e5b2.exe	24
PID 5104 wrote to memory of 3176	5104	0874d77f9d19a2668da6e8a4ea44e5b2.exe	24
PID 5104 wrote to memory of 3176	5104	0874d77f9d19a2668da6e8a4ea44e5b2.exe	24
PID 3220 wrote to memory of 2916	3220	tmp1.exe	45
PID 3220 wrote to memory of 2916	3220	tmp1.exe	45
PID 3220 wrote to memory of 4400	3220	tmp1.exe	43
PID 3220 wrote to memory of 4400	3220	tmp1.exe	43

C:\Users\Admin\AppData\Local\Temp\0874d77f9d19a2668da6e8a4ea44e5b2.exe
"C:\Users\Admin\AppData\Local\Temp\0874d77f9d19a2668da6e8a4ea44e5b2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Users\Admin\AppData\Local\Temp\tmp1.exe
  tmp1.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies WinLogon
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3220
- - C:\Windows\bfsvc.exe
    C:\Windows\bfsvc.exe
    3⤵
    PID:4400
- - C:\Windows\bfsvc.exe
    C:\Windows\bfsvc.exe
    3⤵
    PID:2916
- C:\Users\Admin\AppData\Local\Temp\tmp2.exe
  tmp2.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies Control Panel
  PID:3176
- C:\Users\Admin\AppData\Local\Temp\nsa544C.tmp\ns545D.tmp
  "C:\Users\Admin\AppData\Local\Temp\nsa544C.tmp\ns545D.tmp" "C:\Users\Admin\AppData\Local\Temp\check.exe" e -o+ -pdwPud7lfqhm5VGMCkBWYKE5j8mex4 package.tmp
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4912

C:\Users\Admin\AppData\Local\Temp\check.exe
"C:\Users\Admin\AppData\Local\Temp\check.exe" e -o+ -pdwPud7lfqhm5VGMCkBWYKE5j8mex4 package.tmp
1⤵
- Executes dropped EXE
PID:3184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\check.exe

Filesize
32KB

MD5
a1d5aed78906474e80190865e77ed9ae

SHA1
bbd2cddcf95ce14e2feb61c096c48bc4c4fc486d

SHA256
9310fd98f9bc4abf94b68f970c67498cfe887171251cb86927b786416b298a99

SHA512
8f46a087b4170a3afc8cc4d291ad79c04930034973c80de09111bbe774aa009ca3039ad3b5a814b1cdb1bc841f8a4b45b31f7dc0de0e15a1114a48eeb32b9ec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\check.exe

Filesize
25KB

MD5
54fcfb864e389ded4a05f8cb05fa5da0

SHA1
725d22d36e35a72494a35375f62eb3ff43ffc1df

SHA256
882f57faa0cfde10e4f57b11d8ede9bafb60a29472d63ff8e760efbaae848308

SHA512
96c9ee015880b3980d6686a66911015d4ad567ce4d8d01aed28cbd372f26e62909bc63a447949f6db239b48d37dc3465f13ea5be54d60dcf6639b3457cbd3b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa544C.tmp\ns545D.tmp

Filesize
6KB

MD5
412ccf8db992b93ecb598da8c07367be

SHA1
dceb6e337931ed0c4de084d0a52d719a61cd2c73

SHA256
e6c4f87160b647c8a8ddd5d494342692091cec409e664253b95b35c6abe7c5d1

SHA512
3dfb51523c075ac41778d76fd2a8f3a5384923d253fdebebe56a5c018fb23d9eb4057ea1a207731afb38c4803e304655c6b8b37e169957727043d7eb76daa55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa544C.tmp\nsExec.dll

Filesize
6KB

MD5
165d8d1e0c21b60862079368b063b25b

SHA1
a553c91c70eed07cfc27ac0d333dc7ca1e32c2c4

SHA256
db80fa3f48a227e91d16fe81eeae96dc15e8fd29fc4c4f8feb21b00c5dc19534

SHA512
f590932c2e933e029435bb8346239fe01ae54b0a16c9c377f0c779fc5b6f8c64ed285c54be0372bb395fafcedbf40c79735263b5ca1310e7adbf7fbe628cb87b

Download Submit
C:\Users\Admin\AppData\Local\Temp\package.tmp

Filesize
5KB

MD5
807fd05105bf48a697268f41de026ace

SHA1
f8f8f4945f5e4cf6b3d3ace4c92b833c70806322

SHA256
67193de90258777c6e1a723b2970831afeea7b6be1a486aae5e496434ab36509

SHA512
110f4982d97e0cabddca5a47664afc7c9a014f40b76be5510f241730c4df5e888b085a78cae57d46568a4459813a90313e8c812cea93b4af7bc7ef8ef45d0968

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1.exe

Filesize
2KB

MD5
0600c956020c108063aba15cfd798995

SHA1
7876bb7a74fdc1ffdd2ebe5468025ce2adeaa444

SHA256
605a6053e26b96f0b5b774122572f59b1b1a431ac14474cf56c63d2aeecc9400

SHA512
74d7762f8cb219bb0d4daecf455bc5c483cde7e15476e46c57d3976f65bb565ee21a05e46efd9d124329b67987693f6e5ab66753b41ef4a0c01c83b088ed7f30

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1.exe

Filesize
67KB

MD5
c5532bab3e4687201f3d11b84d044d5a

SHA1
23d6974df4ffef3f4df88a4cb8b9ed1c742f2b7e

SHA256
c12fedfb8a1536c6b57f215539875336da158f26f2fa5ba4805e8316840602b3

SHA512
ca8ebbcc0a39f35687c60cb47c72e884d533ed814d7d39025606e13eb5efdc56e36f6478e2e233ec920a94b248e04aa5b3bf817e3f92e6f1e60c5f556de00a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2.exe

Filesize
7KB

MD5
d3b973e304213e298ba7d26e6999c41b

SHA1
7372d3b2aa64fcbdbae28e35d69e89b55a28ab4e

SHA256
4e6d8a4c922e2104e818e4b75f2cf0418af42d332bcae8a7adceccd32cbb18cf

SHA512
405e615f66ff09bb3bfecd1f8aad4247bf23a3fcecb45196b3c5b2e295022b88bbb29dcdfe01b5afa2356a1db8d1ad4a71d84372f68c20363e300d6f28319128

Download Submit
C:\Windows\SysWOW64\kdeun.exe

Filesize
15KB

MD5
ca4234f73735d4283347dd3d01876e8e

SHA1
b32d9a6be571d4985e6cc1c6bb16284b0d639cd2

SHA256
a6b9fc35079fdbb1789b65c67142748fde78f6ea0c8a7e2b86ee928223105cdc

SHA512
a42f4b751f909942829720e4a5f7e7e82ae3376ac5beb43163d586c235a3f3107dd97513b9c748889312f277e0a0fb8ad1cc05704e60f37e986351efd9c69470

Download Submit
memory/3176-31-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3176-49-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3184-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3220-27-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3220-32-0x000000006B800000-0x000000006B8F0000-memory.dmp

Filesize
960KB

Download
memory/3220-48-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download