Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2023, 04:30
Static task: static1
Behavioral task: behavioral1
  Sample: 0e898c8c40c28140a206e4864840de47.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 0e898c8c40c28140a206e4864840de47.exe
  Resource: win10v2004-20231215-en
General
Target: 0e898c8c40c28140a206e4864840de47.exe
Size: 156KB
MD5: 0e898c8c40c28140a206e4864840de47
SHA1: 8c1d1a821a09247f3c161adc91fb203196aa4108
SHA256: 81753ba6374b2022a36f9a62c6b1df6fdc80f75e80dfff06dee05470714a2034
SHA512: 9522d389e706c05bd582d3729f614bafea21202ac0b674aef2e336a60b06abab89962706b543862c7595586bf96a5c9c49c4249324d48e25af6c57e37d85efef
SSDEEP: 3072:jGgb/llkYABH5Gb2cBl6JW+WvmZ4KzLDdHPFuDa9ZV1F8ZqEJzmZt:jDboYABkbZoJW+W+6KnDdH9u2d1F8Mo0
Malware Config
Signatures

Sets DLL path for service in the registry (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Irmon\Parameters\ServiceDll = "%SystemRoot%\\system32\\0e898c8c40c28140a206e4864840de47.dll" | rundll32.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | 0e898c8c40c28140a206e4864840de47.exe

Loads dropped DLL (2 IoCs)
  pid | Process
  2292 | rundll32.exe
  2352 | svchost.exe

Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\0e898c8c40c28140a206e4864840de47.dll | 0e898c8c40c28140a206e4864840de47.exe
  File opened for modification | C:\Windows\SysWOW64\xinstall.log | rundll32.exe
  File opened for modification | C:\Windows\SysWOW64\xinstall.log | svchost.exe

Drops file in Windows directory (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\win.ini | rundll32.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
  2292 | rundll32.exe
  2292 | rundll32.exe
  2352 | svchost.exe
  2352 | svchost.exe
  2352 | svchost.exe
  2352 | svchost.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 1980 wrote to memory of 3432 | 1980 | 0e898c8c40c28140a206e4864840de47.exe | 32
  PID 1980 wrote to memory of 3432 | 1980 | 0e898c8c40c28140a206e4864840de47.exe | 32
  PID 1980 wrote to memory of 3432 | 1980 | 0e898c8c40c28140a206e4864840de47.exe | 32
  PID 1980 wrote to memory of 5000 | 1980 | 0e898c8c40c28140a206e4864840de47.exe | 30
  PID 1980 wrote to memory of 5000 | 1980 | 0e898c8c40c28140a206e4864840de47.exe | 30
  PID 1980 wrote to memory of 5000 | 1980 | 0e898c8c40c28140a206e4864840de47.exe | 30
  PID 3432 wrote to memory of 2292 | 3432 | cmd.exe | 29
  PID 3432 wrote to memory of 2292 | 3432 | cmd.exe | 29
  PID 3432 wrote to memory of 2292 | 3432 | cmd.exe | 29
  PID 5000 wrote to memory of 3132 | 5000 | cmd.exe | 25
  PID 5000 wrote to memory of 3132 | 5000 | cmd.exe | 25
  PID 5000 wrote to memory of 3132 | 5000 | cmd.exe | 25

Views/modifies file attributes (1 TTPs, 1 IoCs)
  pid | Process
  3132 | attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\0e898c8c40c28140a206e4864840de47.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0e898c8c40c28140a206e4864840de47.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 1980

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\\240600203_selfdel.bat
      - Suspicious use of WriteProcessMemory
      PID: 5000

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240599953_install.bat" "
      - Suspicious use of WriteProcessMemory
      PID: 3432

C:\Windows\SysWOW64\attrib.exe
  command line: attrib -a -r -s -h "C:\Users\Admin\AppData\Local\Temp\0e898c8c40c28140a206e4864840de47.exe"
  - Views/modifies file attributes
  PID: 3132

C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Irmon
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 2352

C:\Windows\SysWOW64\rundll32.exe
  command line: rundll32 C:\Windows\system32\0e898c8c40c28140a206e4864840de47.dll,InstallSA Irmon Microsoft IR Monitor Services
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 2292