Analysis
-
max time kernel
151s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
29-12-2023 20:24
Static task
static1
Behavioral task
behavioral1
Sample
03031e3da2b77b8ed8935d16070f1cf0.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
03031e3da2b77b8ed8935d16070f1cf0.exe
Resource
win10v2004-20231215-en
General
-
Target
03031e3da2b77b8ed8935d16070f1cf0.exe
-
Size
1.1MB
-
MD5
03031e3da2b77b8ed8935d16070f1cf0
-
SHA1
cc3fbf1d78bb14035192e4e2d9070b42162cb680
-
SHA256
8253c21a908d4340fd2a15bbf71c765e82216df28f7631bf5524b72f8fddeb2c
-
SHA512
007d920f704208c72fa0844674c6ffbfda4da3c80ac7a19a0e67d219ad0c8df6af1b9afbc8c295dc790a038a869ae205a754441c8004a9f2ad01c28f58690f4f
-
SSDEEP
12288:Evp/rM/nhpnTr0fQUyCc7384RYliO+fUl3L4KbLuajCSXoeEevbUQrk4bkISBt2l:EBg//TmRc73SlNpX9d3YBAopcFeC
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation 03031e3da2b77b8ed8935d16070f1cf0.exe -
Executes dropped EXE 1 IoCs
pid Process 3208 51244521.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\51244521 = "C:\\ProgramData\\51244521\\51244521.exe" 03031e3da2b77b8ed8935d16070f1cf0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\51244521 = "C:\\PROGRA~3\\51244521\\51244521.exe" 51244521.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 1 IoCs
pid Process 1140 taskkill.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3208 51244521.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1140 taskkill.exe -
Suspicious use of FindShellTrayWindow 8 IoCs
pid Process 3208 51244521.exe 3208 51244521.exe 3208 51244521.exe 3208 51244521.exe 3208 51244521.exe 3208 51244521.exe 3208 51244521.exe 3208 51244521.exe -
Suspicious use of SendNotifyMessage 8 IoCs
pid Process 3208 51244521.exe 3208 51244521.exe 3208 51244521.exe 3208 51244521.exe 3208 51244521.exe 3208 51244521.exe 3208 51244521.exe 3208 51244521.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3804 wrote to memory of 1984 3804 03031e3da2b77b8ed8935d16070f1cf0.exe 91 PID 3804 wrote to memory of 1984 3804 03031e3da2b77b8ed8935d16070f1cf0.exe 91 PID 3804 wrote to memory of 1984 3804 03031e3da2b77b8ed8935d16070f1cf0.exe 91 PID 1984 wrote to memory of 1140 1984 cmd.exe 93 PID 1984 wrote to memory of 1140 1984 cmd.exe 93 PID 1984 wrote to memory of 1140 1984 cmd.exe 93 PID 1984 wrote to memory of 1544 1984 cmd.exe 95 PID 1984 wrote to memory of 1544 1984 cmd.exe 95 PID 1984 wrote to memory of 1544 1984 cmd.exe 95 PID 1544 wrote to memory of 3208 1544 cmd.exe 96 PID 1544 wrote to memory of 3208 1544 cmd.exe 96 PID 1544 wrote to memory of 3208 1544 cmd.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\03031e3da2b77b8ed8935d16070f1cf0.exe"C:\Users\Admin\AppData\Local\Temp\03031e3da2b77b8ed8935d16070f1cf0.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3804 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\51244521\51244521.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\taskkill.exetaskkill /im 03031e3da2b77b8ed8935d16070f1cf0.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1140
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start C:\PROGRA~3\51244521\51244521.exe /install3⤵
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\PROGRA~3\51244521\51244521.exeC:\PROGRA~3\51244521\51244521.exe /install4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3208
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
290B
MD511db165c5a4bfad89f097d3b12a0f94f
SHA1e03678c708e0385145cefb3a377a33a131ac045c
SHA256c28d27e177daac4682bb3148cfcd46fbd9b9ccd5dfc4a004cd29e6ad5fb3c5e3
SHA512787204c0af9ee345f222e788d2231a8fcddb84e6d029bb6976673b19cd337bc23a5e631a77c11f0f862967f755db1eaded89f166feefc1ccb0331c6ed2f33c69
-
Filesize
1.1MB
MD503031e3da2b77b8ed8935d16070f1cf0
SHA1cc3fbf1d78bb14035192e4e2d9070b42162cb680
SHA2568253c21a908d4340fd2a15bbf71c765e82216df28f7631bf5524b72f8fddeb2c
SHA512007d920f704208c72fa0844674c6ffbfda4da3c80ac7a19a0e67d219ad0c8df6af1b9afbc8c295dc790a038a869ae205a754441c8004a9f2ad01c28f58690f4f