Analysis
max time kernel: 144s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2023, 11:48
Behavioral task behavioral1: sample 17820a3f5b449a18367048096f35e07e.exe, resource win7-20231215-en
Behavioral task behavioral2: sample 17820a3f5b449a18367048096f35e07e.exe, resource win10v2004-20231215-en (this report)
General
Target: 17820a3f5b449a18367048096f35e07e.exe
Size: 187KB
MD5: 17820a3f5b449a18367048096f35e07e
SHA1: ac1b5befc490f4ebaa0276e17f18918d002892a3
SHA256: 94421be3f113142c7f2703720069fbe8cbf24bca5d415255ec732a7963ec37b0
SHA512: 578a2e3048d2cbc8fd4d1b1f0e8542418ef6ba920380690a4311ca9978c662d2897a41d2c36ac6669d9b26520e15eac17f3517f7cdfa781954074afb32b7cd3c
SSDEEP: 3072:GYpYkfmmuJDJMCrUEk0WLLBjMw26RVTk3V2r65W2/YRPHAp7nvSozjFur:G4YSjuoCrfs2EW3Mr61aHAhnvDR
Malware Config
Signatures
Modifies Installed Components in the registry 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2bf41070-b2b1-21d1-b5c1-0305f4055515} | svcr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2bf41070-b2b1-21d1-b5c1-0305f4055515}\StubPath = "C:\\windows\\svcr.exe" | svcr.exe

resource | yara_rule
behavioral2/files/0x0007000000023207-11.dat | aspack_v212_v242
behavioral2/files/0x0007000000023207-9.dat | aspack_v212_v242
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | 17820a3f5b449a18367048096f35e07e.exe
Deletes itself 1 IoCs
pid | Process
4868 | svcr.exe

Executes dropped EXE 1 IoCs
pid | Process
4868 | svcr.exe

Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\svcr.exe" | 17820a3f5b449a18367048096f35e07e.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\svcr.exe" | 17820a3f5b449a18367048096f35e07e.exe

Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\svcr.exe | 17820a3f5b449a18367048096f35e07e.exe
File created | C:\Windows\svcr.exe | 17820a3f5b449a18367048096f35e07e.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31079969" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2073844693" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2098063799" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31079969" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31079969" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2073844693" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31079969" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2073844693" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "411036592" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A71AF95F-AA14-11EE-9ECD-EA184F49D407} = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31079969" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2073844693" | IEXPLORE.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
2068 | 17820a3f5b449a18367048096f35e07e.exe
2068 | 17820a3f5b449a18367048096f35e07e.exe
4868 | svcr.exe
4868 | svcr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4868 | svcr.exe

Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
2208 | IEXPLORE.EXE
2208 | IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs
pid | Process
2208 | IEXPLORE.EXE
2208 | IEXPLORE.EXE
3640 | IEXPLORE.EXE
3640 | IEXPLORE.EXE
2208 | IEXPLORE.EXE
2208 | IEXPLORE.EXE
1108 | IEXPLORE.EXE
1108 | IEXPLORE.EXE
1108 | IEXPLORE.EXE
1108 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs
Identical entries are collapsed into the count column; 64 entries in total.
description | pid | Process | procid_target | count
PID 2068 wrote to memory of 1504 | 2068 | 17820a3f5b449a18367048096f35e07e.exe | 16 | 3
PID 1504 wrote to memory of 2208 | 1504 | IEXPLORE.EXE | 17 | 2
PID 2208 wrote to memory of 3640 | 2208 | IEXPLORE.EXE | 19 | 3
PID 2068 wrote to memory of 4868 | 2068 | 17820a3f5b449a18367048096f35e07e.exe | 30 | 3
PID 4868 wrote to memory of 4660 | 4868 | svcr.exe | 28 | 3
PID 4660 wrote to memory of 2164 | 4660 | IEXPLORE.EXE | 26 | 2
PID 2208 wrote to memory of 1108 | 2208 | IEXPLORE.EXE | 27 | 3
PID 4868 wrote to memory of 1108 | 4868 | svcr.exe | 27 | 45
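The persistence and geofence rows in the signature tables above, run through a small classifier. This is an added example and not part of the Triage report or of the sample: it parses the report's flattened registry IoC lines (the input list is constructed from the tables above, plus one benign IEXPLORE.EXE row that must not fire), flags Active Setup StubPath writes, Run-key writes and the Geo\Nation lookup, and marks any referenced executable that sits directly in the Windows directory rather than in System32 or SysWOW64. The WOW6432Node prefix on the HKLM paths is registry redirection for a 32-bit process on the x64 image; a 64-bit build would write the same keys without it.

```python
"""Classify Triage-style registry IoC lines for persistence and geofencing.

Added example, not part of the sandbox report. The parser assumes Triage's
flattened row format: "<operation> <registry path>[ = <data>] <process name>".
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the report's persistence and geofence rows, plus one
# benign Internet Explorer row that must NOT be flagged.
SAMPLE_IOCS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2bf41070-b2b1-21d1-b5c1-0305f4055515} svcr.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2bf41070-b2b1-21d1-b5c1-0305f4055515}\StubPath = "C:\\windows\\svcr.exe" svcr.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\svcr.exe" 17820a3f5b449a18367048096f35e07e.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\svcr.exe" 17820a3f5b449a18367048096f35e07e.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation 17820a3f5b449a18367048096f35e07e.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" IEXPLORE.EXE',
]

OPERATIONS = ("Key created", "Key value queried",
              "Set value (str)", "Set value (int)", "Set value (data)")


@dataclass
class RegEvent:
    op: str
    path: str              # key path, or key\valuename for "Set value" rows
    data: Optional[str]    # value data with the report's "\\" escaping undone
    process: str


def parse_ioc(line: str) -> RegEvent:
    line = line.strip()
    op = next((o for o in OPERATIONS if line.startswith(o)), None)
    if op is None:
        raise ValueError(f"unrecognised operation in: {line!r}")
    # The process name is the last whitespace-free token; key paths may contain spaces.
    rest, _, process = line[len(op):].strip().rpartition(" ")
    path, sep, data = rest.partition(" = ")
    if not sep:
        return RegEvent(op, path.strip(), None, process)
    data = data.strip()
    if data.startswith('"') and data.endswith('"'):
        data = data[1:-1].replace("\\\\", "\\")
    return RegEvent(op, path.strip(), data, process)


def in_windows_root(exe: str) -> bool:
    """True for an EXE placed directly in C:\\Windows (not System32/SysWOW64),
    a location legitimate installers almost never use but droppers like."""
    p = exe.lower().replace("/", "\\")
    return p.startswith("c:\\windows\\") and p.count("\\") == 2 and p.endswith(".exe")


def classify(ev: RegEvent) -> Optional[str]:
    p = ev.path.lower()
    is_set = ev.op.startswith("Set value")
    if is_set and "\\active setup\\installed components\\" in p and p.endswith("\\stubpath"):
        # Active Setup runs StubPath at logon for every user whose HKCU hive lacks
        # the component: persistence that survives cleanup of the Run keys alone.
        return f"Active Setup StubPath -> {ev.data} (written by {ev.process})"
    if is_set and "\\currentversion\\run\\" in p:
        hive = "HKLM" if p.startswith("\\registry\\machine") else "HKU"
        name = ev.path.rsplit("\\", 1)[1]
        return f"{hive} Run value '{name}' -> {ev.data} (written by {ev.process})"
    if ev.op == "Key value queried" and p.endswith("\\control panel\\international\\geo\\nation"):
        return f"Geo\\Nation lookup by {ev.process} (possible geofence)"
    return None


def scan(lines: List[str]) -> List[str]:
    """One finding per matching line; a suffix marks targets dropped in C:\\Windows root."""
    findings = []
    for line in lines:
        ev = parse_ioc(line)
        verdict = classify(ev)
        if verdict is None:
            continue
        if ev.data and in_windows_root(ev.data):
            verdict += " [target EXE dropped in %WINDIR% root]"
        findings.append(verdict)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_IOCS):
        print(finding)
```

Running it yields four findings: the StubPath write, the HKLM and HKU Run values named "system", all three pointing at C:\Windows\svcr.exe and carrying the %WINDIR%-root marker, and the Geo\Nation lookup; the Internet Explorer row is ignored. Feeding it the other rows of the report changes nothing, since only StubPath, Run and Geo\Nation are matched.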
Processes
C:\Users\Admin\AppData\Local\Temp\17820a3f5b449a18367048096f35e07e.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\17820a3f5b449a18367048096f35e07e.exe"
  PID: 2068
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
    PID: 1504
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
      cmdline: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      PID: 2208
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2208 CREDAT:17410 /prefetch:2
        PID: 3640
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2208 CREDAT:82948 /prefetch:2
        PID: 1108
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
  C:\Windows\svcr.exe
    cmdline: "C:\Windows\svcr.exe" "C:\Users\Admin\AppData\Local\Temp\17820a3f5b449a18367048096f35e07e.exe"
    PID: 4868
    - Modifies Installed Components in the registry
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
C:\Program Files\Internet Explorer\IEXPLORE.EXE
  cmdline: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  PID: 2164
  - Modifies Internet Explorer settings
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
  PID: 4660
  - Suspicious use of WriteProcessMemory
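The process tree above and the WriteProcessMemory counts from the Signatures section, re-read as a detection. This is an added example and not part of the Triage report: the parent links, image paths and command lines are constructed from the tree as the report shows it (including the two IEXPLORE.EXE instances it lists without a parent), and the write counts from the WriteProcessMemory table. It flags the dropped copy in C:\Windows that is launched with the original sample's path as its argument (the hand-off that lets svcr.exe delete the original), a browser started by a non-browser with nothing to open, and memory writes into processes that are not the writer's own children.

```python
"""Flag relocation, injection-host and cross-process write patterns in a process tree.

Added example, not part of the sandbox report. Records are constructed from the
report's process tree and its WriteProcessMemory table.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\17820a3f5b449a18367048096f35e07e.exe"
IE64 = r"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
IE32 = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"

# pid -> (parent pid, image path, command line), exactly as the report's tree shows them.
PROCS: Dict[int, Tuple[Optional[int], str, str]] = {
    2068: (None, SAMPLE, f'"{SAMPLE}"'),
    1504: (2068, IE32, f'"{IE32}"'),
    2208: (1504, IE64, f'"{IE64}"'),
    3640: (2208, IE32, f'"{IE32}" SCODEF:2208 CREDAT:17410 /prefetch:2'),
    1108: (2208, IE32, f'"{IE32}" SCODEF:2208 CREDAT:82948 /prefetch:2'),
    4868: (2068, r"C:\Windows\svcr.exe", f'"C:\\Windows\\svcr.exe" "{SAMPLE}"'),
    2164: (None, IE64, f'"{IE64}"'),
    4660: (None, IE32, f'"{IE32}"'),
}

# (writer pid, target pid) -> number of WriteProcessMemory calls in the report's table.
WPM: Counter = Counter({
    (2068, 1504): 3, (1504, 2208): 2, (2208, 3640): 3, (2068, 4868): 3,
    (4868, 4660): 3, (4660, 2164): 2, (2208, 1108): 3, (4868, 1108): 45,
})


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_windows_root(exe: str) -> bool:
    """An EXE directly under C:\\Windows, not in System32 or SysWOW64."""
    p = exe.lower()
    return p.startswith("c:\\windows\\") and p.count("\\") == 2 and p.endswith(".exe")


def analyse(procs: Dict[int, Tuple[Optional[int], str, str]],
            writes: Counter) -> List[Tuple[str, str]]:
    findings: List[Tuple[str, str]] = []
    for pid, (ppid, image, cmdline) in procs.items():
        parent = procs.get(ppid) if ppid is not None else None
        # 1. A copy in the Windows root, started by a process living in a user-writable
        #    temp directory and handed that process's path: install, then delete the original.
        if (parent and in_windows_root(image)
                and "\\appdata\\local\\temp\\" in parent[1].lower()
                and parent[1].lower() in cmdline.lower()):
            findings.append(("relocate",
                             f"{pid} {basename(image)} launched by {ppid} with its parent's path as argument"))
        # 2. A browser started by something that is not a browser, with no URL to open.
        if (parent and basename(image) == "iexplore.exe"
                and basename(parent[1]) != "iexplore.exe"
                and cmdline.strip() == f'"{image}"'):
            findings.append(("host",
                             f"{pid} IEXPLORE.EXE spawned by {ppid} {basename(parent[1])} without arguments"))
    # 3. Writes into a process that is not the writer's child. A parent writing a few
    #    times into its own child is CreateProcess setup; writes into an unrelated
    #    process, especially dozens of them, are injection.
    for (src, dst), n in writes.items():
        target = procs.get(dst)
        if target is None or target[0] != src:
            tname = basename(target[1]) if target else "?"
            findings.append(("inject",
                             f"{src} {basename(procs[src][1])} wrote {n}x into {dst} {tname} (not its child)"))
    return findings


if __name__ == "__main__":
    for kind, detail in analyse(PROCS, WPM):
        print(f"[{kind}] {detail}")
```

On the report's data this produces five findings: the svcr.exe relaunch, IEXPLORE.EXE 1504 started by the sample, and three non-child writes. Two of those (three writes into 4660, two into 2164) have the same small counts the sandbox records for every parent-child pair, and the tree lists both targets without a parent; that is consistent with svcr.exe and 4660 having started them and the attribution being lost. The 45 writes from svcr.exe into 1108, which the tree records as a child of 2208, have no such benign reading.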
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 187KB
MD5: 17820a3f5b449a18367048096f35e07e
SHA1: ac1b5befc490f4ebaa0276e17f18918d002892a3
SHA256: 94421be3f113142c7f2703720069fbe8cbf24bca5d415255ec732a7963ec37b0
SHA512: 578a2e3048d2cbc8fd4d1b1f0e8542418ef6ba920380690a4311ca9978c662d2897a41d2c36ac6669d9b26520e15eac17f3517f7cdfa781954074afb32b7cd3c
All four hashes match the submitted sample, so the dropped file is a byte-for-byte copy of 17820a3f5b449a18367048096f35e07e.exe; the sample's own hashes therefore also identify C:\Windows\svcr.exe on an infected host.