8f1e4e2dfeb7eebd5e3d17234bf44a6dd0a7fd68e4d6a9c7de73ec880c9ff2e2

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b04547260183db1eac33e54db382748.exe
Size

193KB
MD5

2b04547260183db1eac33e54db382748
SHA1

8574962facbb3cf8c517ee65bdafe1ce97d8ff7d
SHA256

8f1e4e2dfeb7eebd5e3d17234bf44a6dd0a7fd68e4d6a9c7de73ec880c9ff2e2
SHA512

3857466e33bd1f153cf830b05578d3093f47f798d1ff0ad73436b43490ad5cd23859eeeaf969341c9819f7621190409608606017ac08d8e0f7e430cc106cfd8d
SSDEEP

3072:43jPII0UAW8mzNdJpfRRqVcF2Fg9B45rFwV2bVCQmp+ZGkkCyKpEi:43jPIIzAW8kd0Fg9m5xwvQA+2pm

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	Framework.net
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	2b04547260183db1eac33e54db382748.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	Framework.net

Executes dropped EXE 4 IoCs

pid	Process
3224	Framework.net
4688	2b04547260183db1eac33e54db382748.ехе
3016	Framework.net
3676	services.ехе

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.NET = "C:\\Windows\\Microsoft.NET\\Framework\\Framework.net start"	Framework.net

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\services.ехе	Framework.net
File created	C:\Windows\system32\services.ехе	Framework.net

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\Framework.net	2b04547260183db1eac33e54db382748.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\Framework.net	2b04547260183db1eac33e54db382748.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\netfile\TileInfo = "Microsoft .NET Framework Setup"	2b04547260183db1eac33e54db382748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\shell\runas\command\ = "\"%1\" %*"	2b04547260183db1eac33e54db382748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\shellex\PropertySheetHandlers\ShimLayer Property Page	2b04547260183db1eac33e54db382748.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\netfile\shell\open\EditFlags = 00000000	2b04547260183db1eac33e54db382748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\netfile\shellex\PropertySheetHandlers\PifProps\ = "{86F19A00-42A0-1069-A2E9-08002B30309D}"	2b04547260183db1eac33e54db382748.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\EditFlags = 38070000	2b04547260183db1eac33e54db382748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.net	2b04547260183db1eac33e54db382748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\shell\open\command\ = "\"%1\" %*"	2b04547260183db1eac33e54db382748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\eхefile\shellex\PropertySheetHandlers\ShimLayer Property Page\ = "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"	Framework.net
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\netfile\shell\open\command	2b04547260183db1eac33e54db382748.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\shell\open\EditFlags = 00000000	Framework.net
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\eхefile\ = "Aplicación"	Framework.net
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eхefile\shellex\PropertySheetHandlers\ShimLayer Property Page	Framework.net
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\DefaultIcon\ = "\"%1\""	Framework.net
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eхefile\shell\runas	Framework.net
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eхefile\shellex\PropertySheetHandlers\PifProps	Framework.net
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\netfile\EditFlags = 38070000	Framework.net
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eхefile\shell\open	Framework.net
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.net\PersistentHandler\ = "{098f2470-bae0-11cd-b579-08002b30bfeb}"	Framework.net
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\eхefile\shell\open\command\ = "\"%1\" %*"	Framework.net
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\netfile\InfoTip = "Componente para aplicaciones Microsoft .NET"	Framework.net
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.net\PersistentHandler	2b04547260183db1eac33e54db382748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\shellex	2b04547260183db1eac33e54db382748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.eхe\PersistentHandler\ = "{098f2470-bae0-11cd-b579-08002b30bfeb}"	Framework.net
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ехе	2b04547260183db1eac33e54db382748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ехе\PersistentHandler\ = "{098f2470-bae0-11cd-b579-08002b30bfeb}"	2b04547260183db1eac33e54db382748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.net\Content Type = "application/x-msdownload"	Framework.net
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\netfile\ = "Componente para aplicaciones Microsoft .NET"	2b04547260183db1eac33e54db382748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\shell\runas\ = "\"%1\" %*"	Framework.net
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\eхefile\InfoTip = "prop:FileVersion;FileDescription"	Framework.net
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.net\ = "netfile"	2b04547260183db1eac33e54db382748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\netfile\InfoTip = "Componente para aplicaciones Microsoft .NET"	2b04547260183db1eac33e54db382748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ехе\Content Type = "application/x-msdownload"	Framework.net
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\eхefile\shell\open\EditFlags = 00000000	Framework.net
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\eхefile\shellex\DropHandler\ = "{86C86720-42A0-1069-A2E8-08002B30309D}"	Framework.net
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\netfile\shell\runas	2b04547260183db1eac33e54db382748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\netfile\shellex\DropHandler\ = "{86C86720-42A0-1069-A2E8-08002B30309D}"	2b04547260183db1eac33e54db382748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\shell\open	2b04547260183db1eac33e54db382748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\shellex\PropertySheetHandlers\ShimLayer Property Page\ = "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"	Framework.net
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\netfile\shellex	2b04547260183db1eac33e54db382748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\TileInfo = "prop:FileVersion;FileDescription"	Framework.net
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\InfoTip = "prop:FileVersion;FileDescription"	Framework.net
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eхefile\shellex\DropHandler	Framework.net
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\TileInfo = "prop:FileVersion;FileDescription"	2b04547260183db1eac33e54db382748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\shellex\DropHandler	2b04547260183db1eac33e54db382748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\shellex\PropertySheetHandlers\PifProps\ = "{86F19A00-42A0-1069-A2E9-08002B30309D}"	Framework.net
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eхefile\shellex	Framework.net
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\shell\open\EditFlags = 00000000	2b04547260183db1eac33e54db382748.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\EditFlags = 38070000	Framework.net
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\shell\runas\command\ = "\"%1\" %*"	Framework.net
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eхefile	Framework.net
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\eхefile\TileInfo = "prop:FileVersion;FileDescription"	Framework.net
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ехе\Content Type = "application/x-msdownload"	2b04547260183db1eac33e54db382748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\InfoTip = "prop:FileVersion;FileDescription"	2b04547260183db1eac33e54db382748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\shellex\DropHandler\ = "{86C86720-42A0-1069-A2E8-08002B30309D}"	2b04547260183db1eac33e54db382748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\shellex\PropertySheetHandlers	2b04547260183db1eac33e54db382748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\netfile\shellex\PropertySheetHandlers\PifProps	2b04547260183db1eac33e54db382748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\shellex\PropertySheetHandlers\PifProps\ = "{86F19A00-42A0-1069-A2E9-08002B30309D}"	2b04547260183db1eac33e54db382748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\netfile\DefaultIcon\ = "%SystemRoot%\\System32\\shell32.dll,-154"	Framework.net
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eхefile\shell	Framework.net
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eхefile\shell\runas\command	Framework.net
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\netfile\EditFlags = 38070000	2b04547260183db1eac33e54db382748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\DefaultIcon	2b04547260183db1eac33e54db382748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.eхe\ = "eхefile"	Framework.net

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	2b04547260183db1eac33e54db382748.exe
Token: SeDebugPrivilege	3676	services.ехе

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 3224	2844	2b04547260183db1eac33e54db382748.exe	89
PID 2844 wrote to memory of 3224	2844	2b04547260183db1eac33e54db382748.exe	89
PID 2844 wrote to memory of 4688	2844	2b04547260183db1eac33e54db382748.exe	90
PID 2844 wrote to memory of 4688	2844	2b04547260183db1eac33e54db382748.exe	90
PID 3224 wrote to memory of 3016	3224	Framework.net	96
PID 3224 wrote to memory of 3016	3224	Framework.net	96
PID 3016 wrote to memory of 3676	3016	Framework.net	94
PID 3016 wrote to memory of 3676	3016	Framework.net	94

C:\Users\Admin\AppData\Local\Temp\2b04547260183db1eac33e54db382748.exe
"C:\Users\Admin\AppData\Local\Temp\2b04547260183db1eac33e54db382748.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\Microsoft.NET\Framework\Framework.net
  "C:\Windows\Microsoft.NET\Framework\Framework.net" bautiza
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3224
- - C:\Windows\Microsoft.NET\Framework\Framework.net
    "C:\Windows\Microsoft.NET\Framework\Framework.net" vive
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3016
- C:\Users\Admin\appdata\local\temp\2b04547260183db1eac33e54db382748.ехе
  "C:\Users\Admin\appdata\local\temp\2b04547260183db1eac33e54db382748.ехе"
  2⤵
  - Executes dropped EXE
  PID:4688

C:\Windows\system32\services.ехе
"C:\Windows\system32\services.ехе" vive
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2b04547260183db1eac33e54db382748.ехе

Filesize
94KB

MD5
bae4be589972a5d011ae1f395e358d63

SHA1
dca9024695412e3e1d5dec8c50c51476ee0ace15

SHA256
c2b5ef85fffb98fded3a7a961fa03c6607a4b886cfef5903db84893c75dca29e

SHA512
dc0d5200a15d0c021f66359e9eea9881dca2b4f59dc55fbf4693658fdf4e6dce1d64b8b9d46a3b3a3359f3803060f9dc447e87f1e2f7e252929ac8b5c702b61c

Download Submit
C:\Windows\Microsoft.NET\Framework\Framework.net

Filesize
117KB

MD5
26e133568cff7fd39ef6cef7503cfd3c

SHA1
cec88342cd8e20b75208d2fe07242f90768904ea

SHA256
8166208700f0dd40d00e506127e340601a2b49ef127c1e9d22f836e77f06a82c

SHA512
8c18d099a9f04e3a18ea8309568817f05021b2ac50f8922859db700ff424c6230a3116b3557212ea597460dcda4cff27fbcd893bed1e0452fb3406d75904fab2

Download Submit
memory/2844-1-0x0000000001760000-0x0000000001770000-memory.dmp

Filesize
64KB

Download
memory/2844-2-0x000000001C290000-0x000000001C75E000-memory.dmp

Filesize
4.8MB

Download
memory/2844-3-0x00007FFDA6D90000-0x00007FFDA7731000-memory.dmp

Filesize
9.6MB

Download
memory/2844-42-0x00007FFDA6D90000-0x00007FFDA7731000-memory.dmp

Filesize
9.6MB

Download
memory/2844-41-0x00007FFDA6D90000-0x00007FFDA7731000-memory.dmp

Filesize
9.6MB

Download
memory/2844-0-0x00007FFDA6D90000-0x00007FFDA7731000-memory.dmp

Filesize
9.6MB

Download
memory/3016-30-0x00007FFDA6D90000-0x00007FFDA7731000-memory.dmp

Filesize
9.6MB

Download
memory/3016-27-0x00000000017D0000-0x00000000017E0000-memory.dmp

Filesize
64KB

Download
memory/3016-31-0x00007FFDA6D90000-0x00007FFDA7731000-memory.dmp

Filesize
9.6MB

Download
memory/3016-39-0x00007FFDA6D90000-0x00007FFDA7731000-memory.dmp

Filesize
9.6MB

Download
memory/3224-10-0x00007FFDA6D90000-0x00007FFDA7731000-memory.dmp

Filesize
9.6MB

Download
memory/3224-11-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

Filesize
64KB

Download
memory/3224-28-0x00007FFDA6D90000-0x00007FFDA7731000-memory.dmp

Filesize
9.6MB

Download
memory/3224-15-0x00007FFDA6D90000-0x00007FFDA7731000-memory.dmp

Filesize
9.6MB

Download
memory/3676-45-0x00007FFDA6D90000-0x00007FFDA7731000-memory.dmp

Filesize
9.6MB

Download
memory/3676-46-0x00000000012D0000-0x00000000012E0000-memory.dmp

Filesize
64KB

Download
memory/3676-38-0x00000000012D0000-0x00000000012E0000-memory.dmp

Filesize
64KB

Download
memory/3676-37-0x00007FFDA6D90000-0x00007FFDA7731000-memory.dmp

Filesize
9.6MB

Download
memory/3676-40-0x00007FFDA6D90000-0x00007FFDA7731000-memory.dmp

Filesize
9.6MB

Download
memory/4688-20-0x000000001BE70000-0x000000001BF0C000-memory.dmp

Filesize
624KB

Download
memory/4688-22-0x0000000000E60000-0x0000000000E70000-memory.dmp

Filesize
64KB

Download
memory/4688-21-0x00007FFDA6D90000-0x00007FFDA7731000-memory.dmp

Filesize
9.6MB

Download
memory/4688-43-0x00007FFDA6D90000-0x00007FFDA7731000-memory.dmp

Filesize
9.6MB

Download
memory/4688-44-0x0000000000E60000-0x0000000000E70000-memory.dmp

Filesize
64KB

Download
memory/4688-26-0x00007FFDA6D90000-0x00007FFDA7731000-memory.dmp

Filesize
9.6MB

Download
memory/4688-23-0x0000000000E00000-0x0000000000E08000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads