e5b5b7948c5cbb009622a968d4e84250dca7be43e7d34466bec49c052e40915a

Analysis

max time kernel
107s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

588442db4ad75e889a9f68009a4639f9.exe
Size

656KB
MD5

588442db4ad75e889a9f68009a4639f9
SHA1

18a3ff7d585ed28a4e9757e48bbce8df47817479
SHA256

e5b5b7948c5cbb009622a968d4e84250dca7be43e7d34466bec49c052e40915a
SHA512

380995e9c0201ea4f148839c64879a037653e010a3657698c357980dfa72a0e41c90efe21c6b405de6d87ed280d9f55085233d3444e281b36c966eb4ab1cd11c
SSDEEP

12288:m1Eq0eAx/WOAaMTJJRUR0DFAF3Z4mxxGMLBDdZf:m1UeM/WOVM9JRUCxAQmXGaLl

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	1.exe

Executes dropped EXE 3 IoCs

pid	Process
2740	1.exe
4296	Server_Setup.exe
2684	wins.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	588442db4ad75e889a9f68009a4639f9.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	Server_Setup.exe
File created	C:\Windows\wins.exe	Server_Setup.exe
File opened for modification	C:\Windows\wins.exe	Server_Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2740	1.exe
2740	1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4296	Server_Setup.exe
Token: SeDebugPrivilege	2684	wins.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2684	wins.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3936 wrote to memory of 2740	3936	588442db4ad75e889a9f68009a4639f9.exe	88
PID 3936 wrote to memory of 2740	3936	588442db4ad75e889a9f68009a4639f9.exe	88
PID 3936 wrote to memory of 2740	3936	588442db4ad75e889a9f68009a4639f9.exe	88
PID 2740 wrote to memory of 4296	2740	1.exe	93
PID 2740 wrote to memory of 4296	2740	1.exe	93
PID 2740 wrote to memory of 4296	2740	1.exe	93
PID 2740 wrote to memory of 4964	2740	1.exe	91
PID 2740 wrote to memory of 4964	2740	1.exe	91
PID 2740 wrote to memory of 4964	2740	1.exe	91
PID 2684 wrote to memory of 3636	2684	wins.exe	94
PID 2684 wrote to memory of 3636	2684	wins.exe	94
PID 4296 wrote to memory of 5040	4296	Server_Setup.exe	97
PID 4296 wrote to memory of 5040	4296	Server_Setup.exe	97
PID 4296 wrote to memory of 5040	4296	Server_Setup.exe	97

C:\Users\Admin\AppData\Local\Temp\588442db4ad75e889a9f68009a4639f9.exe
"C:\Users\Admin\AppData\Local\Temp\588442db4ad75e889a9f68009a4639f9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\_xiaran.bat" "
    3⤵
    PID:4964
- - C:\Users\Admin\AppData\Local\Temp\Server_Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Server_Setup.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4296
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
      4⤵
      PID:5040

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
1⤵
PID:3636

C:\Windows\wins.exe
C:\Windows\wins.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

Filesize
124KB

MD5
65d5b0c4b3ec66e10a599df76ff08fc5

SHA1
b08792d6efd63ea53d99330c985afa964951a2dc

SHA256
5eefd1f373ac6610858a0483d1e2e5ed049abbc532e9f6b7565e19e044f36a02

SHA512
d1c25c12c1faa2ef95fde0065627517497b0eb6fa24771a924556568119f37094a7fe7acc2f13272a9ec86501d8a4ca4b0513468fef62df6b94396a9ff37f81d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

Filesize
65KB

MD5
1a96c6f2516a6bc88d13c59d449f1527

SHA1
24f6215d920e374262dad9e25407d16395088954

SHA256
4d6fc5410cc2fe6ed1b658e0ce284abf29fe3b2d6160a49360e2a9626ad30d7f

SHA512
2800568f478428a0b2119b70ab62b8f726f2835ff8176b205f31dc69fd318fcf268c5d5af1130d2cfb12d366fa3291c9687834b1454f19d05033bec1a958330a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\_xiaran.bat

Filesize
144B

MD5
aeb0a0f0ff20558122773f7a69acf150

SHA1
497477b809b9a0e8e1f2380c6b85e57658c5bb00

SHA256
c4ced11af38b5f065298c491bcda80a39c69f40de591f577bd861ae669af914f

SHA512
cbfc629b8254bdd5b07e494630231ace552d44ea088484a2f2352b5f96e7e4c101cb1b00a5374e40d84ba79734507824b1973bea987d87f17fd746c370de71a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server_Setup.exe

Filesize
118KB

MD5
bf376454af0852cfcbdd226dd42ee391

SHA1
66512f2d704526c405a24087d62dfbc2bc06e3a2

SHA256
402066a7a220769fa5453e084e1e36a63003c77c22c5d7d287efc2ff306f1e02

SHA512
878af67efd56518188ea11af562e153bd9911c09bc2d57d50ca4ac4f59c5e7af5db8ff6e0aa913525012cdfa63cd5696ab91ca3728ed441f8a2a63b1e575fea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server_Setup.exe

Filesize
73KB

MD5
a3df70febafc683af56515d578348b15

SHA1
3baef61b183e3dfca3e43b5673ecce5cc7c89858

SHA256
f7550f6b80008e2a20d68c351546734c163f118a70cf41ceda0f09ddd46add74

SHA512
80d28e06e44b97edb3db719c10ac1c86f1a5c294ddcd86f57ec71abbcd03bb18f68055a02db2cc63778dbcf99728b160272fc30b9702bee5643613bf29ce623a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server_Setup.exe

Filesize
128KB

MD5
d2098c9ff6ff6e1f874d7fd777c50855

SHA1
4c5be23052cb2dbdd505e3bd4d47dbc4d9544853

SHA256
4c0d9311f343ad3dc5ee1a42b30845d66cefecc7433946c551ae4e72ba2f75cf

SHA512
9e122d5edca932d32f1d0e8f3b30ea27a767af62c26aec38f010fe2d934f000f9553b3e5711337c30e661685fdd824d4be5cd59a19819cff0d1ac2354c122c3b

Download Submit
C:\Windows\uninstal.bat

Filesize
150B

MD5
62910137f26a7556f8455428a5552794

SHA1
ccc0eff43a5d1a26a6bf96f592782b1089249cf6

SHA256
f419ad8b229fc195a23cb31b21c444030053738baa5e1de8cc158746a318cedd

SHA512
a8a1a4b661caf26d13469ddd0fa54b275d668caa7846f53b4af4f6b3a1558c0689c9f8280fc1fa843671cb7638ce0bcc78cfe97035d1522781b805aa2bfcf912

Download Submit
C:\Windows\wins.exe

Filesize
273KB

MD5
2c4ceb84a2450915771060a4499e8f62

SHA1
5744df97d583d2bbdb66cfb06866eb021ae7a6d3

SHA256
156098ffae1b9b41b027363dd6b932f793c6c342247644600b4706ac0b7b4787

SHA512
bac635f377df6f881b9a6fdd88dbc9a4e0085d1b30d1d4cbc00194cbe56ad4ab92070bb5a44ee8434e2afa03c1a7a1e5f9da6ec5d742f1972db6248f138bec31

Download Submit
memory/2684-70-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2684-72-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2684-77-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2684-78-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2740-49-0x00000000004A0000-0x00000000004B0000-memory.dmp

Filesize
64KB

Download
memory/2740-48-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2740-47-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2740-65-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3936-33-0x0000000000B90000-0x0000000000BA0000-memory.dmp

Filesize
64KB

Download
memory/3936-22-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/3936-1-0x0000000000600000-0x0000000000654000-memory.dmp

Filesize
336KB

Download
memory/3936-40-0x0000000000B90000-0x0000000000BA0000-memory.dmp

Filesize
64KB

Download
memory/3936-67-0x0000000001000000-0x0000000001101000-memory.dmp

Filesize
1.0MB

Download
memory/3936-68-0x0000000000600000-0x0000000000654000-memory.dmp

Filesize
336KB

Download
memory/3936-42-0x0000000000B90000-0x0000000000BA0000-memory.dmp

Filesize
64KB

Download
memory/3936-43-0x0000000000B90000-0x0000000000BA0000-memory.dmp

Filesize
64KB

Download
memory/3936-41-0x0000000000B90000-0x0000000000BA0000-memory.dmp

Filesize
64KB

Download
memory/3936-38-0x0000000000B90000-0x0000000000BA0000-memory.dmp

Filesize
64KB

Download
memory/3936-37-0x0000000000B90000-0x0000000000BA0000-memory.dmp

Filesize
64KB

Download
memory/3936-36-0x0000000000B90000-0x0000000000BA0000-memory.dmp

Filesize
64KB

Download
memory/3936-35-0x0000000000B90000-0x0000000000BA0000-memory.dmp

Filesize
64KB

Download
memory/3936-34-0x0000000000B90000-0x0000000000BA0000-memory.dmp

Filesize
64KB

Download
memory/3936-0-0x0000000001000000-0x0000000001101000-memory.dmp

Filesize
1.0MB

Download
memory/3936-32-0x0000000000B90000-0x0000000000BA0000-memory.dmp

Filesize
64KB

Download
memory/3936-29-0x0000000000B90000-0x0000000000BA0000-memory.dmp

Filesize
64KB

Download
memory/3936-28-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/3936-27-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/3936-26-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/3936-25-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/3936-24-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/3936-23-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/3936-2-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/3936-21-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/3936-20-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3936-19-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/3936-18-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/3936-17-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/3936-16-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/3936-39-0x0000000000B90000-0x0000000000BA0000-memory.dmp

Filesize
64KB

Download
memory/3936-13-0x00000000031D0000-0x00000000031D1000-memory.dmp

Filesize
4KB

Download
memory/3936-14-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/3936-12-0x00000000031D0000-0x00000000031D1000-memory.dmp

Filesize
4KB

Download
memory/3936-11-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/3936-10-0x00000000031D0000-0x00000000031D1000-memory.dmp

Filesize
4KB

Download
memory/3936-9-0x00000000031D0000-0x00000000031D1000-memory.dmp

Filesize
4KB

Download
memory/3936-8-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/3936-7-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/3936-6-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/3936-5-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/3936-4-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/3936-3-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/3936-15-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/4296-75-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/4296-58-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/4296-61-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download