Analysis
max time kernel: 147s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-12-2023 09:57
Behavioral task: behavioral1
Sample: 159449b2dd57a7b0ed9e455ace3a6ea2.exe
Resource: win7-20231215-en (windows7-x64)
5 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 159449b2dd57a7b0ed9e455ace3a6ea2.exe
Resource: win10v2004-20231215-en (windows10-2004-x64)
5 signatures, 150 seconds
General
Target: 159449b2dd57a7b0ed9e455ace3a6ea2.exe
Size: 9KB
MD5: 159449b2dd57a7b0ed9e455ace3a6ea2
SHA1: 1e1d26eed9aa8735b60549b8825b28509f75b720
SHA256: cffff4b5898e77809e88e1bec10fa158465429807aed743e91a7584fe57eeaef
SHA512: c25910c7cbb14266470238433e160b3696e3c1843daf03e373373c5ac77c3c76eaa64ff606ef5e36e83bc454bd2391f0d0d9ef7882adbfb11a3bdba0bf734969
SSDEEP: 192:RUubub5vj2/hR5QWAIuWbhb9m8ypR2s25Y:Oub8J2/D5Vx1bs8OB25Y
Score: 7/10
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check. The queried path is the native-path form of HKCU\Control Panel\International\Geo\Nation for the logged-on user's SID.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | 159449b2dd57a7b0ed9e455ace3a6ea2.exe
yara_rule matches: upx
Both hits are on the same region of PID 2764's memory (0x3E0000-0x40D000), i.e. the sample's own image matched the rule named upx, which indicates a UPX-packed module.
resource | yara_rule
behavioral2/memory/2764-0-0x00000000003E0000-0x000000000040D000-memory.dmp | upx
behavioral2/memory/2764-1-0x00000000003E0000-0x000000000040D000-memory.dmp | upx
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (1 IoC)
SeIncBasePriorityPrivilege only permits raising process or thread priority, so on its own this is a weak indicator.
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2764 | 159449b2dd57a7b0ed9e455ace3a6ea2.exe
Suspicious use of WriteProcessMemory (3 IoCs)
The target (PID 640) is the cmd.exe child listed under Processes. A parent writing into a child it has just created is normal CreateProcess behaviour (the new process's parameters are written into its address space), so these entries are not by themselves evidence of code injection.
description | pid | Process | procid_target
PID 2764 wrote to memory of 640 | 2764 | 159449b2dd57a7b0ed9e455ace3a6ea2.exe | 92
PID 2764 wrote to memory of 640 | 2764 | 159449b2dd57a7b0ed9e455ace3a6ea2.exe | 92
PID 2764 wrote to memory of 640 | 2764 | 159449b2dd57a7b0ed9e455ace3a6ea2.exe | 92
Processes

C:\Users\Admin\AppData\Local\Temp\159449b2dd57a7b0ed9e455ace3a6ea2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\159449b2dd57a7b0ed9e455ace3a6ea2.exe"
  PID: 2764
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (child of PID 2764)
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\159449~1.EXE > nul
    PID: 640

The child command line requests system32\cmd.exe but the image that runs is SysWOW64\cmd.exe: the sample is a 32-bit process (resource tag arch:x86), so WOW64 file-system redirection applies. 159449~1.EXE is the 8.3 short name of the sample itself, so the child's only job is to delete the dropped binary after it has run.
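The two behaviours that matter for detection in this report are the Geo\Nation registry read (the "Checks computer location settings" signature) and the cmd.exe child that deletes the parent's own image via its 8.3 short name. The following Python is an added example, not code from the sandbox or from the sample, that flags both over constructed event records. The event shapes (Procmon-style registry operations, Sysmon-style process creation), the sample events, the stand-in parent PID 1234 and the simplified 8.3 short-name rule are all assumptions of this example; a real trace format will differ.

```python
"""Triage helpers, added as an example and not part of the sandbox report:
flag the Geo\\Nation registry read (possible geofencing) and a cmd.exe child
that deletes its parent's image.  Event shapes and the sample events below are
constructed for this example; the real sandbox trace format will differ."""
from __future__ import annotations
import re
from dataclasses import dataclass

# The value the sample queried (see "Checks computer location settings").
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
# "cmd.exe /c del [switches] <target> [> nul]": capture the deleted path, quoted or not.
SELF_DELETE_RE = re.compile(
    r'/c\s+del\s+(?:/[a-z]\s+)*"?(?P<target>[^">]+?)"?\s*(?:>\s*nul\b.*)?$', re.IGNORECASE)

@dataclass
class ProcEvent:  # process creation: pid, parent pid, image path, command line
    pid: int
    ppid: int
    image: str
    cmdline: str

@dataclass
class RegEvent:  # registry operation: pid, image path, operation name, key/value path
    pid: int
    image: str
    op: str
    path: str

def _split_name(path: str) -> tuple[str, str]:
    """(stem, extension) of the last path component."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    stem, sep, ext = base.rpartition(".")
    return (stem, ext) if sep else (base, "")

def _dirname(path: str) -> str:
    p = path.replace("/", "\\")
    return p.rsplit("\\", 1)[0].lower().rstrip("\\") if "\\" in p else ""

def is_short_alias(long_name: str, candidate: str) -> bool:
    """True if candidate names the same file as long_name, verbatim or as an 8.3
    alias (first six legal stem characters + ~N, extension cut to three).
    Assumption: only the ~N form is modelled, not the hashed form NTFS falls back
    to after collisions, so False means "unknown" rather than "different"."""
    lstem, lext = _split_name(long_name)
    cstem, cext = _split_name(candidate)
    if lstem.upper() == cstem.upper() and lext.upper() == cext.upper():
        return True
    legal = re.sub(r"[^A-Z0-9_$~!#%&{}@'`()^-]", "", lstem.upper())
    m = re.fullmatch(r"(.{1,6})~(\d+)", cstem.upper())
    if not m:
        return False
    prefix = m.group(1)
    return (legal[:len(prefix)] == prefix and len(prefix) == min(6, len(legal))
            and lext.upper()[:3] == cext.upper())

def find_geofence_lookups(reg_events: list[RegEvent]) -> list[RegEvent]:
    """Registry reads of the Nation value, the geofence indicator in the report."""
    return [e for e in reg_events
            if e.op.lower().startswith("regqueryvalue") and GEO_NATION_RE.search(e.path)]

def find_self_delete(proc_events: list[ProcEvent]) -> list[tuple[int, int, str]]:
    """(parent pid, cmd pid, deleted path) for each cmd.exe that deletes the image
    of its own parent, matching 8.3 short names such as 159449~1.EXE."""
    by_pid = {e.pid: e for e in proc_events}
    hits = []
    for e in proc_events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if not m or parent is None:
            continue
        target = m.group("target").strip()
        # Same directory and same (possibly short) file name as the parent's image.
        if _dirname(target) == _dirname(parent.image) and is_short_alias(parent.image, target):
            hits.append((parent.pid, e.pid, target))
    return hits

# Constructed sample events modelled on this report's process tree and IoCs.
# PID 1234 is a made-up stand-in for the launching process, which the report omits.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\159449b2dd57a7b0ed9e455ace3a6ea2.exe"
SAMPLE_PROCS = [
    ProcEvent(2764, 1234, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(640, 2764, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\159449~1.EXE > nul'),
    # Same parent and same "del ... > nul" shape, but a different file: not a self-delete.
    ProcEvent(700, 2764, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c del /q "C:\Users\Admin\Downloads\notes.txt" > nul'),
]
SID_KEY = r"\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000"
SAMPLE_REG = [
    RegEvent(2764, SAMPLE_EXE, "RegOpenKey", SID_KEY + r"\Control Panel\International\Geo"),
    RegEvent(2764, SAMPLE_EXE, "RegQueryValue", SID_KEY + r"\Control Panel\International\Geo\Nation"),
]

if __name__ == "__main__":
    for ev in find_geofence_lookups(SAMPLE_REG):
        print(f"geofence lookup: pid {ev.pid} read {ev.path}")
    for ppid, pid, target in find_self_delete(SAMPLE_PROCS):
        print(f"self-delete: pid {ppid} spawned cmd.exe pid {pid} to delete {target}")
```

Run as a script it reports one geofence lookup by PID 2764 and one self-delete (PID 2764 via cmd.exe PID 640); the third constructed event, which deletes an unrelated file in Downloads with the same `del ... > nul` shape, is correctly ignored because the directory and name do not match the parent's image. The directory comparison is deliberate: matching on the short-name pattern alone would fire on any `del` of a file whose first six characters happen to coincide.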