2159bfb9b83d80708a9b4a81666ff2ac76c82c4d50dc94c02086e9383a8df958

Analysis

max time kernel
193s
max time network
233s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

408355a0a90beebb6637719830b41ee5.exe
Size

186KB
MD5

408355a0a90beebb6637719830b41ee5
SHA1

2d479e6e65c53e5615c8420aee9309c5bea108e0
SHA256

2159bfb9b83d80708a9b4a81666ff2ac76c82c4d50dc94c02086e9383a8df958
SHA512

a18fb0fe9dfb2b4d1435300c5c31fd3a5faa55b0c90e2e84b1e7aaa9fb5680a707e3989279240d3b67d81ebb63a26b3b84f06095989aabe82e9435f6ebea93cd
SSDEEP

3072:7X7DItrfaocyTgfsqQOlJGa/UCAVa7zpBYQar3FT6rPxlivJE1uAKvsNLIkcZCsc:7saocyLCG8AVa7YL1eLxYO1DKUNL6N7g

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	inst.exe

Executes dropped EXE 2 IoCs

pid	Process
316	inst.exe
716	519ccf03-7d58-4734-a488-45e35bc06f2f.exe

Loads dropped DLL 1 IoCs

pid	Process
5048	408355a0a90beebb6637719830b41ee5.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	inst.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	inst.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	inst.exe
File created	C:\Windows\assembly\Desktop.ini	inst.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	inst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	inst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60168000000010000000000000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	inst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 5c000000010000000400000000080000190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b816800000001000000000000007e000000010000000800000000c0032f2df8d6010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8122000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	inst.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	716	519ccf03-7d58-4734-a488-45e35bc06f2f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
716	519ccf03-7d58-4734-a488-45e35bc06f2f.exe
716	519ccf03-7d58-4734-a488-45e35bc06f2f.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 316	5048	408355a0a90beebb6637719830b41ee5.exe	93
PID 5048 wrote to memory of 316	5048	408355a0a90beebb6637719830b41ee5.exe	93
PID 316 wrote to memory of 716	316	inst.exe	95
PID 316 wrote to memory of 716	316	inst.exe	95
PID 316 wrote to memory of 716	316	inst.exe	95

C:\Users\Admin\AppData\Local\Temp\408355a0a90beebb6637719830b41ee5.exe
"C:\Users\Admin\AppData\Local\Temp\408355a0a90beebb6637719830b41ee5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Users\Admin\AppData\Local\Temp\nsgBA54.tmp\inst.exe
  C:\Users\Admin\AppData\Local\Temp\nsgBA54.tmp\inst.exe 519ccf03-7d58-4734-a488-45e35bc06f2f.exe /dT131650040S1541849476 /e8012553 /t1541849476 /u519ccf03-7d58-4734-a488-45e35bc06f2f
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Users\Admin\AppData\Local\Temp\nsgBA54.tmp\519ccf03-7d58-4734-a488-45e35bc06f2f.exe
    "C:\Users\Admin\AppData\Local\Temp\nsgBA54.tmp\519ccf03-7d58-4734-a488-45e35bc06f2f.exe" /dT131650040S1541849476 /e8012553 /t1541849476 /u519ccf03-7d58-4734-a488-45e35bc06f2f
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1F39B5CFACECFDE48DB25BCA2231FAC6_F0E2901B5CB9DFCB03318B8D06C40A30

Filesize
1KB

MD5
541137d165e78d1fce6c1fe04a4b155e

SHA1
7a59a115c7044d016e6112bff114451c07edf305

SHA256
a939c29a18db19346e1422182912fd2bf78a7a26623c894537fe6a0d2994daa2

SHA512
3939fd192c6aa750b6b046fa88cccc284b8a88ebb35a6a20913099de10e1173e309ce678c1c9cc587c27e1f424b9b63cde63cfd697bc95cbaad63b2a6998e545

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EDCF682921FE94F4A02A43CD1A28E6B

Filesize
604B

MD5
a8c8eb8bf71ea727e35148b09b26fec7

SHA1
f4ab4a15766b9d1e7253ecbb20973af8affbdb7c

SHA256
21c9949032173647ca9cd7fd03822577e2eaeefa0954974f9dd8a9d7ed4c0e13

SHA512
dc04414bf8dd78dafef8d5582ced4c8ab9e466354c03ddaa3014c1400934692a4dbabbf6200616e5364b4a69ce4192f283852a126c1e938a1705cd005d0c6d55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1F39B5CFACECFDE48DB25BCA2231FAC6_F0E2901B5CB9DFCB03318B8D06C40A30

Filesize
412B

MD5
f5fc12ed9f4b9fbdc8beef2035763af9

SHA1
fccc983c08e54d09a23824a17d93f7ba0efbe1ad

SHA256
134eb5c292629befc581e5486b2b5e9fda15ce0e745ef9adcd5392184a55e076

SHA512
8f2e37117e3e05b36fb0e751ddf0c35a1fe0c9cd0383890a44ca0c2cf6dba04e30e8e137ad150555d3a7ac9030aa3523cecaceafd40773acccfab95202b83728

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EDCF682921FE94F4A02A43CD1A28E6B

Filesize
188B

MD5
381034e0fed2ecf91ad0ee1c47d81b2a

SHA1
09fe28ae89739a63fc4f50690cd30f5c11553beb

SHA256
ad9767b9f11e1e82728b94925ba8e69f164b816a04606aca1702133020d80327

SHA512
0444940f7edee415df5afc7badf3b4bcbfd325b0bc23ac5cad4fe86f8cd307a7ac3ab23f51da6d27846ba981316ba9943eb4025b961a08d270f30e7f66c76b13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9

Filesize
404B

MD5
d4186f412ddb9c2a7af4a555a28d2fb7

SHA1
9bf6fa00585b5446d69312257c9429a040276920

SHA256
c44c2738e4a11aaf2d9ce36927f07d35bc0fef03a721ca0a2b08efcc88669c9b

SHA512
d34d4e82b20018383f8a020dcb8b6c40a6600b39d83babc7f92a4062dc39bc33a6f7d98beac6f4102f0e5c6a00acc737c11003db5460dec855da17631bd8c2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgBA54.tmp\519ccf03-7d58-4734-a488-45e35bc06f2f.exe

Filesize
161KB

MD5
fea751116d26cdd3b5976bb20e746615

SHA1
cc451d9d4594c76717b69df84b14f4fce512503a

SHA256
ffcda5ceafb9d740ffb811bf221f1780c87a1ce6b1b2a5b4ba96905c1c9a8170

SHA512
9e09872223247f1849c98a1c7649ef68fa4eaac7f0c64484259b28df39ee09a941762c114824fbf09dd2dd3a1b4a569d5b09fd1d01b0f366b1c41a3e485ac081

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgBA54.tmp\inst.exe

Filesize
144KB

MD5
6c13897aac76495646cb21a0f3026459

SHA1
3b852f19dfe1efc220356abce7b99a491cc44e3a

SHA256
174d6c4705673cfbd506f0cb916a766dd4e1a45f3ba1b124d4cda16fcd66582c

SHA512
93ca87000dc1ec560f153da999f7489b3a856ded0653e981667bc5a2af7f4f4a886a3f982c6e2db05351668bf8fc20f80d8a27591e49f4d9bc20a11a260d8051

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgBA54.tmp\nsExec.dll

Filesize
8KB

MD5
249ae678f0dac4c625c6de6aca53823a

SHA1
6ac2b9e90e8445fed4c45c5dbf2d0227cd3b5201

SHA256
7298024a36310b7c4c112be87b61b62a0b1be493e2d5252a19e5e976daf674ce

SHA512
66e4081a40f3191bf28b810cf8411cb3c8c3e3ec5943e18d6672414fb5e7b4364f862cba44c9115c599ac90890ef02a773e254e7c979e930946bc52b0693aad7

Download Submit
memory/316-15-0x00007FFE4F4E0000-0x00007FFE4FE81000-memory.dmp

Filesize
9.6MB

Download
memory/316-34-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/316-11-0x00007FFE4F4E0000-0x00007FFE4FE81000-memory.dmp

Filesize
9.6MB

Download
memory/316-12-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/316-29-0x000000001C5D0000-0x000000001C5F0000-memory.dmp

Filesize
128KB

Download
memory/316-47-0x00007FFE4F4E0000-0x00007FFE4FE81000-memory.dmp

Filesize
9.6MB

Download
memory/716-53-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/716-54-0x0000000000D10000-0x0000000000D20000-memory.dmp

Filesize
64KB

Download
memory/716-52-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/716-61-0x0000000000D10000-0x0000000000D20000-memory.dmp

Filesize
64KB

Download
memory/716-62-0x0000000000D10000-0x0000000000D20000-memory.dmp

Filesize
64KB

Download
memory/716-63-0x0000000000D10000-0x0000000000D20000-memory.dmp

Filesize
64KB

Download
memory/716-64-0x0000000000D10000-0x0000000000D20000-memory.dmp

Filesize
64KB

Download
memory/716-65-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/716-67-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/5048-51-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5048-10-0x000000006E940000-0x000000006E948000-memory.dmp

Filesize
32KB

Download
memory/5048-9-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download