dd77551ee4d22d0a5efe46f35b84880f185e6ca81d8676b2f5bfb76d7c63c556

Analysis

max time kernel
0s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 00:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4682f92946925a74b1d1102d645201bd.exe
Size

174KB
MD5

4682f92946925a74b1d1102d645201bd
SHA1

e7be4b09b189d2237c2b01385b5416e74b50e26b
SHA256

dd77551ee4d22d0a5efe46f35b84880f185e6ca81d8676b2f5bfb76d7c63c556
SHA512

bcd73bd5b3908aa36130089cb7daa11e5810b320f8a5968516816bef58a32fc62e40becd6ec67b59dc654a7702541bf052f08eb3bf3628b4ce4062b1a3b2d590
SSDEEP

3072:Ank/lLf0CI6bMzPbKKSgvOfKyq6FgeVd+jOqA0emIp0E1r0ufqmgbHMxGf9PR4LV:j7Fg+oy0emIpJ1r0FDgGZGKyRsol4ODJ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	4682f92946925a74b1d1102d645201bd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4580	4682f92946925a74b1d1102d645201bd.exe
4580	4682f92946925a74b1d1102d645201bd.exe
4580	4682f92946925a74b1d1102d645201bd.exe
4580	4682f92946925a74b1d1102d645201bd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4580	4682f92946925a74b1d1102d645201bd.exe

C:\Users\Admin\AppData\Local\Temp\4682f92946925a74b1d1102d645201bd.exe
"C:\Users\Admin\AppData\Local\Temp\4682f92946925a74b1d1102d645201bd.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4580
- C:\Users\Admin\AppData\Local\Temp\4682f92946925a74b1d1102d645201bd.exe
  "C:\Users\Admin\AppData\Local\Temp\4682f92946925a74b1d1102d645201bd.exe" C:\Users\Admin\AppData\Local\Temp\4682f92946925a74b1d1102d645201bd.exe"
  2⤵
  PID:3260
- C:\program files (x86)\adobe\acrotray.exe
  "C:\program files (x86)\adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\4682f92946925a74b1d1102d645201bd.exe"
  2⤵
  PID:3044
- - C:\program files (x86)\adobe\acrotray .exe
    "C:\program files (x86)\adobe\acrotray .exe" C:\program files (x86)\adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\4682f92946925a74b1d1102d645201bd.exe"
    3⤵
    PID:2892
  - - C:\program files (x86)\adobe\acrotray .exe
      "C:\program files (x86)\adobe\acrotray .exe" C:\program files (x86)\adobe\acrotray .exe" C:\program files (x86)\adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\4682f92946925a74b1d1102d645201bd.exe"
      4⤵
      PID:4680
- - C:\program files (x86)\adobe\acrotray.exe
    "C:\program files (x86)\adobe\acrotray.exe" C:\program files (x86)\adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\4682f92946925a74b1d1102d645201bd.exe"
    3⤵
    PID:2724

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
PID:2852
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2852 CREDAT:17410 /prefetch:2
  2⤵
  PID:2916
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2852 CREDAT:17418 /prefetch:2
  2⤵
  PID:404
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2852 CREDAT:17422 /prefetch:2
  2⤵
  PID:964

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:3560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\acrotray .exe

Filesize
99KB

MD5
0f778a5b86e0139e7398517bfb77204b

SHA1
0c296673700a203fb5a9c3995b1ebb0dc7b9530c

SHA256
aac8a7797f58376d191ed9a6ef2eef1e77639fee4ed22c651dce3c4cd318a063

SHA512
ec76b9f590b47eff2449183175ea133d05a62390a738c92143cfb02b96d659e4a2ffb74b85f61475105b1dad69698fc10805c1712d4f501c481362f07b9e0839

Download Submit
C:\program files (x86)\adobe\acrotray .exe

Filesize
190KB

MD5
50e3c7304e7f0aaa0b2368c09eb452b4

SHA1
d71296e440933bf6cf7b22539bc1bb25ee564966

SHA256
dd80c0e25dadbf944d058e7be1a0624e002e3e2dd794b012dd4bf7bec7b1a7c4

SHA512
7d0346054ac5adeb2d75f1017d22207daa106806ed7c571342a5f58a484466ab0788a8f3d8bfb610fe724aa13b7d140653d370536fe8365e3a091bdbe6ddc8e4

Download Submit
C:\program files (x86)\adobe\acrotray.exe

Filesize
183KB

MD5
6f39ab3d2a2554568a8f20e87d2a7b81

SHA1
5c0c54a2754d1a89322c6d6c4a71728177e4c8ba

SHA256
15394f2d3609cce007c4b1cf452beaa06c56b3dd108cfc856836a23b1c2e5e4c

SHA512
1d341e075c2fb27e6f01614e45de57bd8fd883c5cbecf76f7529f9a8b1459ff1587a03778b9aca04737927182eca63e147a885cb9d41206cfd2e7addbb3a922e

Download Submit
memory/4580-0-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download