2363558dbf5e5853711b9c8de05f3f4e982279876d1245a753227b4727ac68ef

Analysis

max time kernel
41s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f808d56ccf6c1949976538e5c82d63a.exe
Size

3.3MB
MD5

1f808d56ccf6c1949976538e5c82d63a
SHA1

02fad1084819163cf92b868a092ec87d0f9e89d9
SHA256

2363558dbf5e5853711b9c8de05f3f4e982279876d1245a753227b4727ac68ef
SHA512

6f137b17250cbf85ed1675436ea159ed1fb3df3691537926b3e063a977d07f0313b89095fde9d4cdc0982737457f79ab42293ab94b36ca6d03ac35dec4da24f0
SSDEEP

98304:o5aFEvk5ZAlmO5Qxc/uBY/upDeRqAeaV8Fw:o5aFSk5ZAEc/uppOZeami

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
files.000webhost.com
Port:
21
Username:
fdhfdcgfgg

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	1f808d56ccf6c1949976538e5c82d63a.exe

Executes dropped EXE 9 IoCs

pid	Process
1576	7z.exe
2760	7z.exe
2400	7z.exe
3716	7z.exe
3220	7z.exe
628	7z.exe
4104	7z.exe
2348	7z.exe
932	miner.exe

Loads dropped DLL 8 IoCs

pid	Process
1576	7z.exe
2760	7z.exe
2400	7z.exe
3716	7z.exe
3220	7z.exe
628	7z.exe
4104	7z.exe
2348	7z.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\main\WinMgmts:\	miner.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeRestorePrivilege	1576	7z.exe
Token: 35	1576	7z.exe
Token: SeSecurityPrivilege	1576	7z.exe
Token: SeSecurityPrivilege	1576	7z.exe
Token: SeRestorePrivilege	2760	7z.exe
Token: 35	2760	7z.exe
Token: SeSecurityPrivilege	2760	7z.exe
Token: SeSecurityPrivilege	2760	7z.exe
Token: SeRestorePrivilege	2400	7z.exe
Token: 35	2400	7z.exe
Token: SeSecurityPrivilege	2400	7z.exe
Token: SeSecurityPrivilege	2400	7z.exe
Token: SeRestorePrivilege	3716	7z.exe
Token: 35	3716	7z.exe
Token: SeSecurityPrivilege	3716	7z.exe
Token: SeSecurityPrivilege	3716	7z.exe
Token: SeRestorePrivilege	3220	7z.exe
Token: 35	3220	7z.exe
Token: SeSecurityPrivilege	3220	7z.exe
Token: SeSecurityPrivilege	3220	7z.exe
Token: SeRestorePrivilege	628	7z.exe
Token: 35	628	7z.exe
Token: SeSecurityPrivilege	628	7z.exe
Token: SeSecurityPrivilege	628	7z.exe
Token: SeRestorePrivilege	4104	7z.exe
Token: 35	4104	7z.exe
Token: SeSecurityPrivilege	4104	7z.exe
Token: SeSecurityPrivilege	4104	7z.exe
Token: SeRestorePrivilege	2348	7z.exe
Token: 35	2348	7z.exe
Token: SeSecurityPrivilege	2348	7z.exe
Token: SeSecurityPrivilege	2348	7z.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 2408	4568	1f808d56ccf6c1949976538e5c82d63a.exe	92
PID 4568 wrote to memory of 2408	4568	1f808d56ccf6c1949976538e5c82d63a.exe	92
PID 2408 wrote to memory of 3448	2408	cmd.exe	94
PID 2408 wrote to memory of 3448	2408	cmd.exe	94
PID 2408 wrote to memory of 1576	2408	cmd.exe	95
PID 2408 wrote to memory of 1576	2408	cmd.exe	95
PID 2408 wrote to memory of 2760	2408	cmd.exe	96
PID 2408 wrote to memory of 2760	2408	cmd.exe	96
PID 2408 wrote to memory of 2400	2408	cmd.exe	97
PID 2408 wrote to memory of 2400	2408	cmd.exe	97
PID 2408 wrote to memory of 3716	2408	cmd.exe	107
PID 2408 wrote to memory of 3716	2408	cmd.exe	107
PID 2408 wrote to memory of 3220	2408	cmd.exe	105
PID 2408 wrote to memory of 3220	2408	cmd.exe	105
PID 2408 wrote to memory of 628	2408	cmd.exe	104
PID 2408 wrote to memory of 628	2408	cmd.exe	104
PID 2408 wrote to memory of 4104	2408	cmd.exe	103
PID 2408 wrote to memory of 4104	2408	cmd.exe	103
PID 2408 wrote to memory of 2348	2408	cmd.exe	98
PID 2408 wrote to memory of 2348	2408	cmd.exe	98
PID 2408 wrote to memory of 3764	2408	cmd.exe	100
PID 2408 wrote to memory of 3764	2408	cmd.exe	100
PID 2408 wrote to memory of 932	2408	cmd.exe	102
PID 2408 wrote to memory of 932	2408	cmd.exe	102
PID 2408 wrote to memory of 932	2408	cmd.exe	102

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3764	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1f808d56ccf6c1949976538e5c82d63a.exe
"C:\Users\Admin\AppData\Local\Temp\1f808d56ccf6c1949976538e5c82d63a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:3448
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p___________23794pwd24951pwd4742___________ -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1576
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_7.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_6.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2400
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2348
- - C:\Windows\system32\attrib.exe
    attrib +H "miner.exe"
    3⤵
    - Views/modifies file attributes
    PID:3764
- - C:\Users\Admin\AppData\Local\Temp\main\miner.exe
    "miner.exe"
    3⤵
    - Executes dropped EXE
    - NTFS ADS
    PID:932
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4104
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:628
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3220
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_5.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3716

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..tional-codepage-875_31bf3856ad364e35_6.1.7600.16385_none_2adebd12b4e159ed\webcheck.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..tional-codepage-875_31bf3856ad364e35_6.1.7600.16385_none_2adebd12b4e159ed\webcheck.exe
1⤵
PID:632

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..tional-codepage-875_31bf3856ad364e35_6.1.7600.16385_none_2adebd12b4e159ed\webcheck.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..tional-codepage-875_31bf3856ad364e35_6.1.7600.16385_none_2adebd12b4e159ed\webcheck.exe
1⤵
PID:3796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
1310403ffe43ed3e856c98ce92e1cc09

SHA1
36e6bed614c5891bbc20bbfc4f03f83c366a81ad

SHA256
23512f9a6823909c039e587c420bff18709338636269eaf2c07791c1e690d3ab

SHA512
fa1b71882a6dc9fe9f050f053d4c782567d6bc622c8ed35b69d2f9760b713b8a7ee1e342559ef4e3e0d861b2387a22160e3efce0c8e9e25598c8da8770c50c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.5MB

MD5
8a1de98e8ac3ff91bfcbde4f85198380

SHA1
9f80f5e58cc6d3bf20e5c3e66d6c53f4ee5fa03e

SHA256
7bf1f9998116c8c06f6ffb6ef3455496518014217ca1ad8a8fed67f7893136f2

SHA512
6e57fb9ae31f2d96110067b777d01295ffb5bf7238d63cafcbcfe66c3c3f227e031bcedf221c70e23b8ca2683a9ba678caecf32765d55cde0f660c22dbebee47

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
321KB

MD5
e93a6b16bee75b26ead5deb9a11f1f66

SHA1
51bdec1f19d32fbb9c8702fff1ee50844c9d9ee6

SHA256
39eb5d788e8a9826082278ccc34df28a5641412c6d5dfb039881379e6699b26c

SHA512
ab1f16bace59d72557eda85d96ae0e4387d375eb38810c0933f08e9980d35af8e25badcfa6848436c40ebc6e01c96d943afd60ae31243fa4eb137641deff3393

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
93KB

MD5
0cfa846ca28f23e465359cd99dac5e1b

SHA1
d41e44638f70a5d58ba8e3224973c4b485b77c2f

SHA256
fd999cdb1799fe6a5928b6e783e5bb7171a0b14ce27eb9c58aac03ab39891173

SHA512
4d8ecb7040fc1e3262653f2b47ffefba829f5e84a5daebe15684004426f362364a0339d9250807763fcaed5d7738c70108be344a3898e3ca80910c61a94a72de

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
92KB

MD5
3bcfb801c854da1ce7e719f1418cf815

SHA1
5934217712aa609866b946d7801cf185ae4ba90c

SHA256
d056cabaa270cb967d7d92a48bb0de74aa47fdf9983d772636c4bb6e09788915

SHA512
def8af48bd4568f5d4d5371fd69cd86f3102eff5584bd7cd28b9837ab5f1c51d0f5b81fd73001a6f0a30361ba5db7c73d5fc6c295eae3303a925827f1767f5b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

Filesize
93KB

MD5
1b2b6dc5ba506cfb28b95d530aa46894

SHA1
666b4a2c44e9b7a4f3c76b27470211c5d71bb9b0

SHA256
ab1213c5676812df0b6677bde567ad7dcb7fa9f942d695355cee89d056ec751c

SHA512
c8c07b2c26d7e5818c385bc791149b9734fad210ffa64194e568ab6b0b4b3c9e777f8ea8f171a1675cbb75c3fe8a69c35a7aebfc41553f2b52a485c37bdf8aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip

Filesize
256KB

MD5
acb4cbca703a0d9c901ccda01825012d

SHA1
32f35db129c208c7ba5b99693e7008d280b5825f

SHA256
e8631e5dd24f96e5e40bb6b3cb4a319c18a375c833602156e6e2aca81a579be0

SHA512
b661c21decd3cfea60e3213606f5fd8f4cc2e6bfcfac905a9c33cd566a1695fb4946aef0ff96d3bd0cc40597764596c186bf38f7cf8df8927d14a2d1e4e3f4e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
2.2MB

MD5
a85983bc6513930b9bd73b3577865426

SHA1
7e1e37899d0aaeb832ae54ec14711fb1b010430b

SHA256
43d94d77b971ae4a7a95a8e43d298ebeb3714d68f4e4f40b93b54a8b1bf73844

SHA512
0d5790a9ee9ceec7d4317e8b557cb282aa6c7c0fa9f6934b4666d2c5041b28982608d705f36cdfd7935fa0e5f59bb6496b73eab931ef73eeec3b86e32283889a

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
474B

MD5
a475346f88b21627ae1a374bfad9a5df

SHA1
c44131fcf78c5d1a46db796b32f5b27e477a2b65

SHA256
36454fd474b79cf94ab53b0f60949d4de37d0a98551ace3474ffb36a40bce9f6

SHA512
b63d5448b130d2648f4e3f41beda02ad4a5695feeee07e657c82b40349cbc5a4801e1b1d031dc0638e2fb555d4135917dd587a1d0c8c731517502f516c5e75a8

Download Submit