05d4ef2b202a6cb08e77e6b9ba71002118bf6fd1ff3ea5ba55707fedc9c1a561

Analysis

max time kernel
8s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f2d0ffeb941208c8f247c874512336b.exe
Size

674KB
MD5

4f2d0ffeb941208c8f247c874512336b
SHA1

ba3716f08fb562a4b53306130d7b768b2d20383f
SHA256

05d4ef2b202a6cb08e77e6b9ba71002118bf6fd1ff3ea5ba55707fedc9c1a561
SHA512

bf78c8b27ea9f84b530f6e7fa802a2e97f0c67d30b94a01a3fbbda57be02ccee9dcc3edca8db8d5096facd2b26716646ab2b30453f80381243ac3efc5659f780
SSDEEP

12288:DHgrruWY28YVn+W/UV85duS3zz6HffZa2W2:DHQvY2XV+F9SOTW2

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	4f2d0ffeb941208c8f247c874512336b.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svnhostt.exe	4f2d0ffeb941208c8f247c874512336b.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svnhostt.exe	4f2d0ffeb941208c8f247c874512336b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
4872	PING.EXE
4832	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	228	4f2d0ffeb941208c8f247c874512336b.exe

C:\Users\Admin\AppData\Local\Temp\4f2d0ffeb941208c8f247c874512336b.exe
"C:\Users\Admin\AppData\Local\Temp\4f2d0ffeb941208c8f247c874512336b.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:228
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svnhostt.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svnhostt.exe"
  2⤵
  PID:3544
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svnhostt.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svnhostt.exe"
    3⤵
    PID:2524
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svnhostt.exe"
      4⤵
      PID:1424
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 1000
        5⤵
        Runs ping.exe
        
        PID:4832
  - - C:\Users\Admin\AppData\Local\Temp\svnhostt\svnhostt.exe
      "C:\Users\Admin\AppData\Local\Temp\svnhostt\svnhostt.exe"
      4⤵
      PID:5000
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svnhostt.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svnhostt.exe"
        5⤵
        
        PID:3452
      - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svnhostt.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svnhostt.exe"
        6⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svnhostt.exe"
        7⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\svnhostt\svnhostt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svnhostt\svnhostt.exe"
        7⤵
        
        PID:2088

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
1⤵
- Runs ping.exe
PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svnhostt.exe

Filesize
674KB

MD5
4f2d0ffeb941208c8f247c874512336b

SHA1
ba3716f08fb562a4b53306130d7b768b2d20383f

SHA256
05d4ef2b202a6cb08e77e6b9ba71002118bf6fd1ff3ea5ba55707fedc9c1a561

SHA512
bf78c8b27ea9f84b530f6e7fa802a2e97f0c67d30b94a01a3fbbda57be02ccee9dcc3edca8db8d5096facd2b26716646ab2b30453f80381243ac3efc5659f780

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svnhostt.exe

Filesize
92KB

MD5
b37809f8bc43947fcbee07cb0078c8e7

SHA1
122b356d1a43d847fda0f3e2402c33c45da93c29

SHA256
57441ef9bc700d3416940b7a272a79b0d4e582b83a4b67756bd2665fcb6eb088

SHA512
610b9186b4e9fe7f28013759911d8fd2ebcc77ee82b00f6359014de90b16267aab5d191af675e70b583d696da673e64225ea9cf0e6e0092a8e55561dc048e8ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svnhostt.exe

Filesize
628KB

MD5
c2ad3471a68591edb06da1d768b4076e

SHA1
10fcf010a36a6be85cf6acbe11bb99208cfc7ef5

SHA256
e46d21b08d708cd2e5b97c552cc6e2d50a3da3770f6dd9732904a84a6ccdad20

SHA512
9e360300e71ae7368aed639e548997c4a24b13dd93512f9f24c99694982220e1b6edf09b927c0feca18bb6fdad677df3f3f13f982be11a2555915b96374e2aa8

Download Submit
memory/228-1-0x0000000001220000-0x0000000001230000-memory.dmp

Filesize
64KB

Download
memory/228-0-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/228-16-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/228-2-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/2088-93-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/2088-95-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/2088-91-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/2088-92-0x00000000013D0000-0x00000000013E0000-memory.dmp

Filesize
64KB

Download
memory/2524-31-0x0000000001820000-0x0000000001830000-memory.dmp

Filesize
64KB

Download
memory/2524-19-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2524-23-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/2524-24-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/2524-50-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/3452-64-0x0000000000ED0000-0x0000000000EE0000-memory.dmp

Filesize
64KB

Download
memory/3452-73-0x0000000005C50000-0x0000000005C55000-memory.dmp

Filesize
20KB

Download
memory/3452-79-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/3452-74-0x0000000005C60000-0x0000000005C61000-memory.dmp

Filesize
4KB

Download
memory/3452-72-0x0000000005C50000-0x0000000005C55000-memory.dmp

Filesize
20KB

Download
memory/3452-67-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/3452-68-0x0000000000ED0000-0x0000000000EE0000-memory.dmp

Filesize
64KB

Download
memory/3452-71-0x0000000005C50000-0x0000000005C55000-memory.dmp

Filesize
20KB

Download
memory/3452-63-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/3544-25-0x0000000004FA0000-0x0000000004FA5000-memory.dmp

Filesize
20KB

Download
memory/3544-27-0x0000000004FA0000-0x0000000004FA5000-memory.dmp

Filesize
20KB

Download
memory/3544-17-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/3544-18-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/3544-15-0x0000000000DB0000-0x0000000000DC0000-memory.dmp

Filesize
64KB

Download
memory/3544-22-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/3544-21-0x0000000000DB0000-0x0000000000DC0000-memory.dmp

Filesize
64KB

Download
memory/3544-34-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/3544-26-0x0000000004FA0000-0x0000000004FA5000-memory.dmp

Filesize
20KB

Download
memory/3544-28-0x0000000005C50000-0x0000000005C51000-memory.dmp

Filesize
4KB

Download
memory/4632-77-0x00000000018A0000-0x00000000018B0000-memory.dmp

Filesize
64KB

Download
memory/4632-94-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/4632-69-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/4632-70-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/5000-62-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/5000-48-0x0000000000540000-0x0000000000550000-memory.dmp

Filesize
64KB

Download
memory/5000-49-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/5000-47-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download