Analysis
Max time kernel: 162s
Max time network: 173s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 30/12/2023, 05:30
Behavioral task: behavioral1
Sample: 100866ba17da997902f151c321545421.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 100866ba17da997902f151c321545421.exe
Resource: win10v2004-20231215-en
General
Target: 100866ba17da997902f151c321545421.exe
Size: 27KB
MD5: 100866ba17da997902f151c321545421
SHA1: f9a7525b5db9f9eebe61569069be9ecc5741f781
SHA256: 0f761a060c842a652d54b7314db73fd650ae5b65b042ac59d03f9f8b867c35b8
SHA512: 3d9a2d565e4d74f0e00993fda030b1768b88e95e1d3d92f0354c0f0861c728c2f6c374318040d24710784dc65e957aecfc2d12437b0a9aaf6c6127b960c6671d
SSDEEP: 768:HiZun3CCvBYghyWyAd6DxgjP3zxeEX44jjte:Hz+gh9y1xY3zxNX4upe
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation
  Process: 100866ba17da997902f151c321545421.exe

Loads dropped DLL (1 IoC)
  pid: 2248
  Process: rundll32.exe

Memory YARA matches (resource / yara_rule)
  behavioral2/memory/1012-0-0x0000000000400000-0x0000000000413000-memory.dmp  upx
  behavioral2/memory/1012-1-0x0000000000400000-0x0000000000413000-memory.dmp  upx
  behavioral2/memory/1012-3-0x0000000000400000-0x0000000000413000-memory.dmp  upx

Drops file in System32 directory (1 IoC)
  description: File created
  ioc: C:\Windows\SysWOW64\xpsp0res.dll
  Process: 100866ba17da997902f151c321545421.exe
Launches sc.exe (1 IoC)
Sc.exe is a Windows utility to control services on the system.
  pid: 3112
  Process: sc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid: 1652
  pid_target: 2248
  Process: WerFault.exe
  procid_target: 97

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeIncBasePriorityPrivilege
  pid: 1012
  Process: 100866ba17da997902f151c321545421.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description                         pid   Process                               procid_target
  PID 1012 wrote to memory of 2296    1012  100866ba17da997902f151c321545421.exe  95
  PID 1012 wrote to memory of 2296    1012  100866ba17da997902f151c321545421.exe  95
  PID 1012 wrote to memory of 2296    1012  100866ba17da997902f151c321545421.exe  95
  PID 2296 wrote to memory of 2248    2296  cmd.exe                               97
  PID 2296 wrote to memory of 2248    2296  cmd.exe                               97
  PID 2296 wrote to memory of 2248    2296  cmd.exe                               97
  PID 1012 wrote to memory of 1308    1012  100866ba17da997902f151c321545421.exe  99
  PID 1012 wrote to memory of 1308    1012  100866ba17da997902f151c321545421.exe  99
  PID 1012 wrote to memory of 1308    1012  100866ba17da997902f151c321545421.exe  99
  PID 1012 wrote to memory of 4856    1012  100866ba17da997902f151c321545421.exe  101
  PID 1012 wrote to memory of 4856    1012  100866ba17da997902f151c321545421.exe  101
  PID 1012 wrote to memory of 4856    1012  100866ba17da997902f151c321545421.exe  101
  PID 1308 wrote to memory of 3112    1308  cmd.exe                               102
  PID 1308 wrote to memory of 3112    1308  cmd.exe                               102
  PID 1308 wrote to memory of 3112    1308  cmd.exe                               102
Processes

C:\Users\Admin\AppData\Local\Temp\100866ba17da997902f151c321545421.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\100866ba17da997902f151c321545421.exe"
  PID: 1012
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c rundll32 xpsp0res.dll,RundllInstall IPRIP
      PID: 2296
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\rundll32.exe
          Command line: rundll32 xpsp0res.dll,RundllInstall IPRIP
          PID: 2248
          - Loads dropped DLL

            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 632
              PID: 1652
              - Program crash

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c sc start iprip 'cmd /k whoami' 1
      PID: 1308
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\sc.exe
          Command line: sc start iprip 'cmd /k whoami' 1
          PID: 3112
          - Launches sc.exe

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\100866~1.EXE > nul
      PID: 4856

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2248 -ip 2248
  PID: 3308
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 44KB
MD5: dd393f5b7b35a3aaf6af0c997f3c7ecb
SHA1: a6431c9e7b03b96e979e2cdbbcfd282bbf9e574e
SHA256: 5515e4d7a30c611984f6128fb7d1b56e940fc4a1e6b8dca664d8b08375cfa75d
SHA512: 371e99cee85f635d41028bc7de1d81e2d9778670f7f46c161289039ec95d225bb25a968599e0c978e9ea1ce91b1e7ae41cf0fcf8d7d90253266afa91d17a1e3e