e2fa29c224800b069b2d57d8444515db48a5d2ada0d18e2ecd09d3caaab8532d

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

610KB
MD5

aa4814cd12e5bbcb9d43f053ce284cb5
SHA1

5203f9a885739c4b739ec3b6aa090692c72d8583
SHA256

807d107511365e7da46ae2c010a5413fded7ce2e5c0a647ed64171d004b5f129
SHA512

231989d9718941ca457eaf79ab9f719d293be1fbfc551e15e680d3b6cda7a7b087838472f9b8c5d9a2e3baa116119fe4a0f2fb6d66e696bc511a810399a1d643
SSDEEP

12288:SoFrggvvuzNpiBw2MGmv4zF3Z4mxxF/mJri5BAhCFPTiAAcg91JQ8WNu:/egvvw2M3vkQmXFiu5BeCx4MY

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	1.exe

Executes dropped EXE 2 IoCs

pid	Process
4464	0000.exe
2456	Updates.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\program files\common files\microsoft shared\msinfo\0000.jpg	1.exe
File opened for modification	C:\program files\common files\microsoft shared\msinfo\0000.exe	0000.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Updates.exe	0000.exe
File opened for modification	C:\Windows\Updates.exe	0000.exe
File created	C:\Windows\uninstal.bat	0000.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4464	0000.exe
Token: SeDebugPrivilege	2456	Updates.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2456	Updates.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 4464	2820	1.exe	89
PID 2820 wrote to memory of 4464	2820	1.exe	89
PID 2820 wrote to memory of 4464	2820	1.exe	89
PID 2456 wrote to memory of 4904	2456	Updates.exe	93
PID 2456 wrote to memory of 4904	2456	Updates.exe	93
PID 4464 wrote to memory of 3604	4464	0000.exe	96
PID 4464 wrote to memory of 3604	4464	0000.exe	96
PID 4464 wrote to memory of 3604	4464	0000.exe	96

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2820
- C:\program files\common files\microsoft shared\msinfo\0000.exe
  "C:\program files\common files\microsoft shared\msinfo\0000.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
    3⤵
    PID:3604

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
1⤵
PID:4904

C:\Windows\Updates.exe
C:\Windows\Updates.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\MSInfo\0000.exe

Filesize
283KB

MD5
200a20ea7afbe73f156e680bb1b91148

SHA1
fe1f3f87a186ccdca49ff5350c6bc44eb420725d

SHA256
1b2b8d57725524a07e152c7ae34b4aa6370d9fd97e82db3005940da193df4615

SHA512
f3368fd381e9aac246189adf4c821c3f9a25ea9bc020257e306d16b625e414e6ee16d64906d631507603fe88baa11844e37dc0e37edaa439788be7071d23df72

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\0000.exe

Filesize
256KB

MD5
bfdbe2730174c85efda5fe5f07bea973

SHA1
cd897fc86fe919658659c9c6c4f698fb8530a7ec

SHA256
c40ddccc8dfbd42dbd1476e61cbe62255cea6a42afc1b16e53f6fad35cc7e8e5

SHA512
d6cb3fd20655523a0fe37eec5ca3645707ee332951f030b63d8c642a4329c88fc74428be66f0092f338b44257e395d73de74a4109a892f1ac6ce47cb9e5f1d92

Download Submit
memory/2456-60-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/2456-59-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/2456-58-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2456-53-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/2456-52-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2820-27-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/2820-29-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/2820-12-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/2820-13-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/2820-16-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/2820-15-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/2820-14-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/2820-17-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/2820-19-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/2820-18-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/2820-21-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/2820-20-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/2820-22-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/2820-23-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/2820-24-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/2820-25-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/2820-0-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2820-26-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/2820-28-0x00000000034B0000-0x00000000034B1000-memory.dmp

Filesize
4KB

Download
memory/2820-11-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/2820-30-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/2820-31-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2820-32-0x00000000034A0000-0x00000000034A1000-memory.dmp

Filesize
4KB

Download
memory/2820-33-0x0000000003490000-0x0000000003491000-memory.dmp

Filesize
4KB

Download
memory/2820-34-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/2820-7-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/2820-10-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/2820-42-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2820-1-0x0000000002290000-0x00000000022E4000-memory.dmp

Filesize
336KB

Download
memory/2820-2-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/2820-44-0x0000000002290000-0x00000000022E4000-memory.dmp

Filesize
336KB

Download
memory/2820-3-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/2820-6-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/2820-9-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/2820-8-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/4464-49-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/4464-56-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/4464-46-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/4464-45-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/4464-43-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download