Analysis
max time kernel: 130s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/01/2024, 19:20
Static task: static1
Behavioral task: behavioral1
  Sample: a44a78759af5b0c48feca4412b21d018.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: a44a78759af5b0c48feca4412b21d018.exe
  Resource: win10v2004-20231222-en
General
Target: a44a78759af5b0c48feca4412b21d018.exe
Size: 68KB
MD5: a44a78759af5b0c48feca4412b21d018
SHA1: 9e0746c6658658e3a9b5b1128d313dd7214fef2a
SHA256: bdd04fcdbac5e8df6aca7e74040103317ff268a11193f94b1be7fd9c87622d60
SHA512: 9188be7e531d18497761f7d72d37c9c95c2a560557ba0b4c211a06c2df770be7d9a04a79e0ea11de5ce4ed5dfc3aa32b1a1c92e201996e94e621415be74833e4
SSDEEP: 768:wcEliTdmYAl+qOQSgFrhKo//WomvdfQXwYt1IEDIefZsK:/EIxXAcqOK3qowgnt1d
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | a44a78759af5b0c48feca4412b21d018.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Admin.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | a44a78759af5b0c48feca4412b21d018.exe
- Executes dropped EXE (1 IoC)
  pid | process
  2868 | Admin.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe" | a44a78759af5b0c48feca4412b21d018.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe" | Admin.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  4944 | a44a78759af5b0c48feca4412b21d018.exe
  2868 | Admin.exe
  The report lists 64 entries for this signature, every one of which is PID 4944 (a44a78759af5b0c48feca4412b21d018.exe) or PID 2868 (Admin.exe).
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | process
  4944 | a44a78759af5b0c48feca4412b21d018.exe
  2868 | Admin.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | process | procid_target
  PID 4944 wrote to memory of 2868 | 4944 | a44a78759af5b0c48feca4412b21d018.exe | 52
  PID 4944 wrote to memory of 2868 | 4944 | a44a78759af5b0c48feca4412b21d018.exe | 52
  PID 4944 wrote to memory of 2868 | 4944 | a44a78759af5b0c48feca4412b21d018.exe | 52
Processes
1. C:\Users\Admin\AppData\Local\Temp\a44a78759af5b0c48feca4412b21d018.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a44a78759af5b0c48feca4412b21d018.exe"
   PID: 4944
   - Modifies visibility of hidden/system files in Explorer
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\Admin.exe
      Command line: "C:\Users\Admin\Admin.exe"
      PID: 2868
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 68KB
MD5: 25bddff425095b5b63ad5df50ef8e2d1
SHA1: 2e8f60a0e6938187545d915c5d1ba0bc38b74c48
SHA256: 27835c742a967efb20b632df59fadf2ed706d58eacbf123d41335ed5fbd42e68
SHA512: e102b6b1b630d387487556646aae0738f0bc83fb4b799ddb1624fd38b93b68a8f69921e70689cfc15bd2e8df2da923355d5ab0e152a5c577fa83f27f6511a401