Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-12-2023 02:13
Static task: static1
Behavioral task: behavioral1
  Sample: 241d6106ba1b70901bd21adfb93e654a.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 241d6106ba1b70901bd21adfb93e654a.exe
  Resource: win10v2004-20231215-en
General
Target: 241d6106ba1b70901bd21adfb93e654a.exe
Size: 119KB
MD5: 241d6106ba1b70901bd21adfb93e654a
SHA1: 5d3e2035e12a7f6e0453bf5f1d030a50c9f6a26e
SHA256: 0a2c849b16b29ec9300cee1e218f71a519fd5c507b1047bd4692a4b42ff83580
SHA512: 000b805db2bfe62db028ed20f1889e6ec364878b36d845af25db2235112c9b52f819d559925391da23c5f54f7f04c9e889b6d75e8f486946c2e07911c643cbaa
SSDEEP: 1536:q9CP6Azl6VEuIkL9VobQ5UwqAL2pp/rkww/ijc3OM6Xc+E1uYEXcfTxXciZsOn:q9CPxAdIkL7olwl0poKjc3O7DYEXsHT
Malware Config
Signatures
-
Modifies firewall policy service (2 TTPs, 4 IoCs)
Process: 241d6106ba1b70901bd21adfb93e654a.exe
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\M-1-52-5782-8754-5245\winsam.exe = "C:\\Users\\Admin\\M-1-52-5782-8754-5245\\winsam.exe:*:Enabled:Microsoft® Windows System"
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
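The value written above uses the legacy (Windows XP SP2-era) AuthorizedApplications list format, `<path>:<scope>:<Enabled|Disabled>:<display name>`, where a scope of `*` means any remote address. Windows Vista and later keep their own rules under `...\FirewallPolicy\FirewallRules` as well, so a host hunt should cover both keys. As an added example (editor's code, not part of the report or the sample), the Python below parses such values and flags the traits that make this entry stand out: an executable under a user profile, a parent directory that imitates a SID, a Microsoft-styled display name for a binary outside %SystemRoot%, and an enabled any-address scope. The REPORT_VALUE string is copied from the report; the benign contrast entry and the heuristics are constructed assumptions.

```python
"""Parse legacy Windows Firewall AuthorizedApplications\\List values and flag
the traits that make the entry in this report stand out.  Added example: the
REPORT_VALUE string is copied from the report; BENIGN_VALUE and the heuristics
are constructed assumptions, not data from the sample."""
import re
from dataclasses import dataclass

# Copied from the report: "<path>:<scope>:<Enabled|Disabled>:<display name>"
REPORT_VALUE = (r"C:\Users\Admin\M-1-52-5782-8754-5245\winsam.exe"
                ":*:Enabled:Microsoft® Windows System")

# Constructed benign entry for contrast (assumption, not from the report).
BENIGN_VALUE = r"C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"

# Prefixes a standard user can write to; a firewall-allowed binary here is unusual.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Directory names that imitate a SID, e.g. M-1-52-5782-8754-5245 in the report's path.
SID_LIKE_DIR = re.compile(r"\\[a-z]-\d+(?:-\d+){2,}\\")
VENDOR_WORDS = ("microsoft", "windows")


@dataclass
class FirewallEntry:
    path: str
    scope: str      # "*" means any remote address
    enabled: bool
    name: str       # display name shown in the firewall UI


def parse_entry(value: str) -> FirewallEntry:
    """Split on the last three ':' so the drive-letter colon in the path survives."""
    try:
        path, scope, state, name = value.rsplit(":", 3)
    except ValueError as exc:
        raise ValueError(f"not a legacy AuthorizedApplications value: {value!r}") from exc
    return FirewallEntry(path=path, scope=scope, enabled=state.lower() == "enabled", name=name)


def suspicious_reasons(entry: FirewallEntry) -> list[str]:
    """Return the reasons an entry looks malicious; an empty list means nothing flagged."""
    reasons = []
    low = entry.path.lower()
    if low.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("executable lives in a user-writable directory")
    if SID_LIKE_DIR.search(low):
        reasons.append("parent directory name imitates a SID")
    if any(w in entry.name.lower() for w in VENDOR_WORDS) and not low.startswith("c:\\windows\\"):
        reasons.append("Microsoft-styled display name for a binary outside %SystemRoot%")
    if reasons and entry.scope == "*" and entry.enabled:
        reasons.append("rule is enabled for any remote address")
    return reasons


def audit(values: list[str]) -> dict[str, list[str]]:
    """Map each raw value to its reasons, recording entries that do not parse."""
    report = {}
    for v in values:
        try:
            report[v] = suspicious_reasons(parse_entry(v))
        except ValueError:
            report[v] = ["unparseable value"]
    return report


if __name__ == "__main__":
    for value, reasons in audit([REPORT_VALUE, BENIGN_VALUE]).items():
        print(value)
        print("  " + ("; ".join(reasons) if reasons else "nothing flagged"))
```

To run this against a live host, export the `List` key (for example with `reg export`) and feed each value's data string to `audit`; the function tolerates malformed entries rather than aborting the scan.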
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Process: 241d6106ba1b70901bd21adfb93e654a.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (2 IoCs)
  PID 4596: winsam.exe
  PID 4084: winsam.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Process: 241d6106ba1b70901bd21adfb93e654a.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows System = "C:\\Users\\Admin\\M-1-52-5782-8754-5245\\winsam.exe"
Suspicious use of SetThreadContext (2 IoCs)
  PID 2200 (241d6106ba1b70901bd21adfb93e654a.exe) set thread context of PID 1156 (241d6106ba1b70901bd21adfb93e654a.exe)
  PID 4596 (winsam.exe) set thread context of PID 4084 (winsam.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoC)
Process: 241d6106ba1b70901bd21adfb93e654a.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Suspicious use of WriteProcessMemory (23 IoCs)
  PID 2200 (241d6106ba1b70901bd21adfb93e654a.exe) wrote to memory of PID 1156 (241d6106ba1b70901bd21adfb93e654a.exe): 10 events
  PID 1156 (241d6106ba1b70901bd21adfb93e654a.exe) wrote to memory of PID 4596 (winsam.exe): 3 events
  PID 4596 (winsam.exe) wrote to memory of PID 4084 (winsam.exe): 10 events
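The SetThreadContext and WriteProcessMemory signatures above describe one pattern: a parent writes into a child running the same image and then replaces that child's thread context, the classic process-hollowing sequence. The report shows it twice (2200 into 1156 for the sample itself, 4596 into 4084 for the dropped winsam.exe), with the hollowed 1156 spawning winsam.exe in between; those three writes carry no SetThreadContext and are not hollowing on their own. As an added example (editor's code, not the sandbox's or the sample's), the Python below takes the event lines in the format the report prints them, counts writes per parent/child pair, correlates them with SetThreadContext events, and walks the injection chain from the root PID. The event lines are transcribed from the report; the verdict labels and the single-target assumption in the lineage walk are the editor's own.

```python
"""Correlate WriteProcessMemory and SetThreadContext events into injection
chains and flag process-hollowing candidates.  Added example: the event
lines are transcribed from the sandbox report above; the verdict labels and
the line-format handling are the editor's assumptions."""
import re
from collections import Counter

SAMPLE = "241d6106ba1b70901bd21adfb93e654a.exe"
DROPPED = "winsam.exe"

# Transcribed from the report (10 + 3 + 10 = 23 WriteProcessMemory IoCs).
WRITE_EVENTS = (
    [f"PID 2200 wrote to memory of 1156 2200 {SAMPLE} {SAMPLE}"] * 10
    + [f"PID 1156 wrote to memory of 4596 1156 {SAMPLE} {DROPPED}"] * 3
    + [f"PID 4596 wrote to memory of 4084 4596 {DROPPED} {DROPPED}"] * 10
)
CONTEXT_EVENTS = [
    f"PID 2200 set thread context of 1156 2200 {SAMPLE} {SAMPLE}",
    f"PID 4596 set thread context of 4084 4596 {DROPPED} {DROPPED}",
]

# Report line shape: "PID <src> <action> <dst> <src again> <src image> <dst image>"
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<kind>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_event(line: str) -> dict:
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised event line: {line!r}")
    e = m.groupdict()
    e["src"], e["dst"] = int(e["src"]), int(e["dst"])
    return e


def build_chains(write_lines, context_lines) -> list[dict]:
    """One record per (parent, child) pair: write count, context flag and a verdict."""
    writes = Counter()
    images = {}
    for e in map(parse_event, write_lines):
        key = (e["src"], e["dst"])
        writes[key] += 1
        images.setdefault(key, (e["src_img"], e["dst_img"]))
    contexts = set()
    for e in map(parse_event, context_lines):
        key = (e["src"], e["dst"])
        contexts.add(key)
        images.setdefault(key, (e["src_img"], e["dst_img"]))

    chains = []
    for (src, dst), (src_img, dst_img) in images.items():
        ctx = (src, dst) in contexts
        if ctx and writes[(src, dst)] and src_img == dst_img:
            verdict = "process-hollowing"   # same image, written into, then context replaced
        elif ctx:
            verdict = "thread-hijack"       # context replaced in a process of another image
        else:
            verdict = "write-only"          # no SetThreadContext: not hollowing by itself
        chains.append({"src": src, "dst": dst, "src_img": src_img, "dst_img": dst_img,
                       "writes": writes[(src, dst)], "set_context": ctx, "verdict": verdict})
    return chains


def injection_lineage(chains) -> list[int]:
    """Follow parent->child edges from the one PID nobody wrote into down to the leaf.
    Assumes each parent has a single injection target, which holds for this report."""
    edges = {c["src"]: c["dst"] for c in chains}
    roots = [s for s in edges if s not in edges.values()]
    if len(roots) != 1:
        raise ValueError(f"expected a single root PID, found {roots}")
    path = [roots[0]]
    while path[-1] in edges:
        path.append(edges[path[-1]])
    return path


if __name__ == "__main__":
    chains = build_chains(WRITE_EVENTS, CONTEXT_EVENTS)
    for c in chains:
        print(f"{c['src']} ({c['src_img']}) -> {c['dst']} ({c['dst_img']}): "
              f"{c['writes']} writes, SetThreadContext={c['set_context']}, {c['verdict']}")
    print("lineage:", " -> ".join(map(str, injection_lineage(chains))))
```

The same-image test is what separates hollowing from ordinary injection: a parent that writes into a suspended copy of its own binary and then repoints its main thread has replaced the child's code while keeping its legitimate-looking image path, which is why the process tree shows two instances of each executable.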
Processes
1. C:\Users\Admin\AppData\Local\Temp\241d6106ba1b70901bd21adfb93e654a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\241d6106ba1b70901bd21adfb93e654a.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\241d6106ba1b70901bd21adfb93e654a.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\241d6106ba1b70901bd21adfb93e654a.exe"
      - Modifies firewall policy service
      - Checks computer location settings
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\M-1-52-5782-8754-5245\winsam.exe (child of 2)
         Command line: "C:\Users\Admin\M-1-52-5782-8754-5245\winsam.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\M-1-52-5782-8754-5245\winsam.exe (child of 3)
            Command line: "C:\Users\Admin\M-1-52-5782-8754-5245\winsam.exe"
            - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process: Windows Service (1)
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
Downloads
- memory/1156-4-0x0000000000400000-0x000000000040A000-memory.dmp (40KB)
- memory/1156-5-0x0000000000400000-0x000000000040A000-memory.dmp (40KB)
- memory/1156-2-0x0000000000400000-0x000000000040A000-memory.dmp (40KB)
- memory/2200-1-0x0000000002270000-0x0000000002278000-memory.dmp (32KB)
- memory/2200-0-0x0000000002270000-0x0000000002278000-memory.dmp (32KB)
- memory/4596-68-0x0000000000580000-0x0000000000588000-memory.dmp (32KB)
- memory/4596-67-0x0000000000580000-0x0000000000588000-memory.dmp (32KB)