81753ba6374b2022a36f9a62c6b1df6fdc80f75e80dfff06dee05470714a2034

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 04:30

Target

0e898c8c40c28140a206e4864840de47.exe
Size

156KB
MD5

0e898c8c40c28140a206e4864840de47
SHA1

8c1d1a821a09247f3c161adc91fb203196aa4108
SHA256

81753ba6374b2022a36f9a62c6b1df6fdc80f75e80dfff06dee05470714a2034
SHA512

9522d389e706c05bd582d3729f614bafea21202ac0b674aef2e336a60b06abab89962706b543862c7595586bf96a5c9c49c4249324d48e25af6c57e37d85efef
SSDEEP

3072:jGgb/llkYABH5Gb2cBl6JW+WvmZ4KzLDdHPFuDa9ZV1F8ZqEJzmZt:jDboYABkbZoJW+W+6KnDdH9u2d1F8Mo0

Score

8^/10

persistence

Sets DLL path for service in the registry 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Irmon\Parameters\ServiceDll = "%SystemRoot%\\system32\\0e898c8c40c28140a206e4864840de47.dll"	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	0e898c8c40c28140a206e4864840de47.exe

Loads dropped DLL 2 IoCs

pid	Process
2292	rundll32.exe
2352	svchost.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\0e898c8c40c28140a206e4864840de47.dll	0e898c8c40c28140a206e4864840de47.exe
File opened for modification	C:\Windows\SysWOW64\xinstall.log	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\xinstall.log	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 3432	1980	0e898c8c40c28140a206e4864840de47.exe	32
PID 1980 wrote to memory of 3432	1980	0e898c8c40c28140a206e4864840de47.exe	32
PID 1980 wrote to memory of 3432	1980	0e898c8c40c28140a206e4864840de47.exe	32
PID 1980 wrote to memory of 5000	1980	0e898c8c40c28140a206e4864840de47.exe	30
PID 1980 wrote to memory of 5000	1980	0e898c8c40c28140a206e4864840de47.exe	30
PID 1980 wrote to memory of 5000	1980	0e898c8c40c28140a206e4864840de47.exe	30
PID 3432 wrote to memory of 2292	3432	cmd.exe	29
PID 3432 wrote to memory of 2292	3432	cmd.exe	29
PID 3432 wrote to memory of 2292	3432	cmd.exe	29
PID 5000 wrote to memory of 3132	5000	cmd.exe	25
PID 5000 wrote to memory of 3132	5000	cmd.exe	25
PID 5000 wrote to memory of 3132	5000	cmd.exe	25

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

pid	Process
3132	attrib.exe

C:\Users\Admin\AppData\Local\Temp\0e898c8c40c28140a206e4864840de47.exe
"C:\Users\Admin\AppData\Local\Temp\0e898c8c40c28140a206e4864840de47.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\\240600203_selfdel.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240599953_install.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3432

C:\Windows\SysWOW64\attrib.exe
attrib -a -r -s -h "C:\Users\Admin\AppData\Local\Temp\0e898c8c40c28140a206e4864840de47.exe"
1⤵
- Views/modifies file attributes
PID:3132