Analysis
max time kernel: 151s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 25/12/2023, 10:08

Static task: static1

Behavioral task: behavioral1
Sample: 1615c973bf40986ed4842489f4c9c3f2.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 1615c973bf40986ed4842489f4c9c3f2.exe
Resource: win10v2004-20231215-en
General
Target: 1615c973bf40986ed4842489f4c9c3f2.exe
Size: 300KB
MD5: 1615c973bf40986ed4842489f4c9c3f2
SHA1: 5b320b57fe4f42c30cc2d00d1b8460371abb0c60
SHA256: 6cd986e4248ff3f184b0c787f6534fb58250ab73f1fd9aa15bae95d626b735a7
SHA512: e8b2ae1f7c44d375c5684a58b705ae990b248fd241b31e6e6705b8078e5e5758878d7ec728bd8ca6a1d2ddb461371bb8e90b6ed0fdaf6fa3f8e18aea3184cfa5
SSDEEP: 6144:ke9aKpFY/kJqeNhi0GTvHMww3y/IAFMsq:f8cEeNIAAFMsq
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 1615c973bf40986ed4842489f4c9c3f2.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | nezih.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation | 1615c973bf40986ed4842489f4c9c3f2.exe
Executes dropped EXE 1 IoCs
pid | Process
3100 | nezih.exe
Adds Run key to start application 2 TTPs 53 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /v" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /A" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /S" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /D" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /N" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /M" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /Z" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /K" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /J" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /E" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /o" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /Q" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /f" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /g" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /j" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /m" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /x" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /h" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /R" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /c" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /z" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /s" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /G" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /e" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /H" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /C" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /b" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /U" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /i" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /q" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /l" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /I" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /V" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /O" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /B" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /u" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /X" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /L" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /T" | 1615c973bf40986ed4842489f4c9c3f2.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /p" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /n" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /k" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /P" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /T" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /w" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /F" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /d" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /a" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /r" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /W" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /t" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /y" | nezih.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nezih = "C:\\Users\\Admin\\nezih.exe /Y" | nezih.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4988 | 1615c973bf40986ed4842489f4c9c3f2.exe
4988 | 1615c973bf40986ed4842489f4c9c3f2.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
3100 | nezih.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
4988 | 1615c973bf40986ed4842489f4c9c3f2.exe
3100 | nezih.exe
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 4988 wrote to memory of 3100 | 4988 | 1615c973bf40986ed4842489f4c9c3f2.exe | 91
PID 4988 wrote to memory of 3100 | 4988 | 1615c973bf40986ed4842489f4c9c3f2.exe | 91
PID 4988 wrote to memory of 3100 | 4988 | 1615c973bf40986ed4842489f4c9c3f2.exe | 91
Processes
1. C:\Users\Admin\AppData\Local\Temp\1615c973bf40986ed4842489f4c9c3f2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1615c973bf40986ed4842489f4c9c3f2.exe"
   PID: 4988
   - Modifies visibility of hidden/system files in Explorer
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\nezih.exe
      Command line: "C:\Users\Admin\nezih.exe"
      PID: 3100
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 253KB
MD5: 6e8b67da35e3d15fa0effd6a3b19d9f2
SHA1: 5fd7818b8710e05afecb79bddc6d7495b0ae898b
SHA256: 7805c29bde6920d1e31efcf189c1f328adb9fc718f5319a1cea85d7acdc61bd6
SHA512: dd1675f1468719cea1983fa45becb8bf8adc4ea5d8f1bb723f8ac057ddf3303700ac85213b8ffc8f3ceeca00a0006da10b561f3588d81230cfa8f537550546d2

File 2
Filesize: 300KB
MD5: c2bd62b7da9c2cd0bc4c3da33fc791ef
SHA1: 650d6150cb18621d6a7d0c2a6cc9a5c19ca59c86
SHA256: 9e138c202dd02b957301b7a438e34bed6795b2eeb0ffec9b55e09b1f67eae58b
SHA512: 4aa148fae3cac6066a613ae59d114ca74ef830a15fcf038c7b8cc9fb71d52ceb59e5a48d085f6fbb009cfbcb321450b41c44db34b66a2320dfaa1f2b6c4f0d59