Overview

overview

10

Static

static

3

59062d5df3...6d.exe

windows7-x64

10

59062d5df3...6d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/01/2024, 15:08

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    59062d5df3dc2cc09028e3896c1bf56d.exe

  • Size

    772KB

  • MD5

    59062d5df3dc2cc09028e3896c1bf56d

  • SHA1

    5cef9e055b823929828d2d057e68cebe9e22f20b

  • SHA256

    252a19451e03520ea608af9aae0e8e090e7854f631b87cbc6156614be287c41d

  • SHA512

    f3b29ee338c82974c6b31a54f4a5d087de3b780c75561217ccbfd49371b641cbdb0bea700180154820a4db2bd7ee1d7de4b6da5ad2f711ed384726be011445d3

  • SSDEEP

    12288:wEH4LHsAZ7qGyEQmNBhtbllYOGuRU9aQ0dcz3HEai:wEH4LHaoNBhNYOfdO3E9

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 10 IoCs
    evasion
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\59062d5df3dc2cc09028e3896c1bf56d.exe
    "C:\Users\Admin\AppData\Local\Temp\59062d5df3dc2cc09028e3896c1bf56d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4976
    • C:\Users\Admin\AppData\Local\Temp\winini.exe
      "C:\Users\Admin\AppData\Local\Temp\winini.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3636
  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\svchost.exe
    1⤵
    • Adds policy Run key to start application
    • Modifies Installed Components in the registry
    • Executes dropped EXE
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4984
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\8872\Scvhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\8872\Scvhost.exe:*:Enabled:Windows Messanger" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4848
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4896
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:552
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4504
  • C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
    1⤵
    • Modifies firewall policy service
    • Modifies registry key
    PID:1996
  • C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\8872\Scvhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\8872\Scvhost.exe:*:Enabled:Windows Messanger" /f
    1⤵
    • Modifies firewall policy service
    • Modifies registry key
    PID:3736
  • C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    1⤵
    • Modifies firewall policy service
    • Modifies registry key
    PID:2404
  • C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    1⤵
    • Modifies firewall policy service
    • Modifies registry key
    PID:4144

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
          Filesize

          34KB

          MD5

          e118330b4629b12368d91b9df6488be0

          SHA1

          ce90218c7e3b90df2a3409ec253048bb6472c2fd

          SHA256

          3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

          SHA512

          ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\winini.exe
          Filesize

          528KB

          MD5

          1a4b6a8edf6027aea4baf7678417b108

          SHA1

          d549b2edabe4530c3d92298700ba62f3e2149208

          SHA256

          0e2fb539c3a59336ab37569d8993715633f1077fbd3d1aa56c53b3e2f4bcbb91

          SHA512

          123ec0b5ee356430855dee767b0b6543ac9f11543b4b7eb42567878963020dc4ddaf13c2db9060d818cf98268cc87c8bf918aaed9671e948c15f9f6d0a498258

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\winini.exe
          Filesize

          185KB

          MD5

          d4a02b787134365bddba8d261ccc2968

          SHA1

          c5f0f7ef71bba27e41a3ff3ad5a6e5cd5ca20715

          SHA256

          1bfb28289f1dbda97e998cf47e5a97d8e84a5795414c1091bae20f5eba7b0614

          SHA512

          867a6c52253f6d9cae0c454cafd056fb12fb1c2043560dbf2e2deeaae49d3721be3ea4f1fe75f513c9ad572f83c48ea0c7e8d022d38c81c08192ea976ba75954

          Download Submit

        • memory/3636-20-0x00000000016E0000-0x00000000016F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3636-27-0x0000000074BD0000-0x0000000075181000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/3636-18-0x0000000074BD0000-0x0000000075181000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/3636-24-0x0000000074BD0000-0x0000000075181000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/4976-1-0x0000000074BD0000-0x0000000075181000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/4976-2-0x0000000001220000-0x0000000001230000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4976-0-0x0000000074BD0000-0x0000000075181000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/4976-15-0x0000000074BD0000-0x0000000075181000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/4984-37-0x0000000000400000-0x0000000000470000-memory.dmp

          Filesize

          448KB

          Download

        • memory/4984-50-0x0000000000400000-0x0000000000470000-memory.dmp

          Filesize

          448KB

          Download

        • memory/4984-34-0x0000000075BE0000-0x0000000075CD0000-memory.dmp

          Filesize

          960KB

          Download

        • memory/4984-35-0x0000000075CD0000-0x0000000075D4A000-memory.dmp

          Filesize

          488KB

          Download

        • memory/4984-36-0x00000000774E6000-0x00000000774E7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4984-26-0x0000000000400000-0x0000000000470000-memory.dmp

          Filesize

          448KB

          Download

        • memory/4984-40-0x0000000000400000-0x0000000000470000-memory.dmp

          Filesize

          448KB

          Download

        • memory/4984-41-0x0000000000400000-0x0000000000470000-memory.dmp

          Filesize

          448KB

          Download

        • memory/4984-44-0x0000000075BE0000-0x0000000075CD0000-memory.dmp

          Filesize

          960KB

          Download

        • memory/4984-45-0x0000000075CD0000-0x0000000075D4A000-memory.dmp

          Filesize

          488KB

          Download

        • memory/4984-47-0x0000000000400000-0x0000000000470000-memory.dmp

          Filesize

          448KB

          Download

        • memory/4984-19-0x0000000000400000-0x0000000000470000-memory.dmp

          Filesize

          448KB

          Download

        • memory/4984-53-0x0000000000400000-0x0000000000470000-memory.dmp

          Filesize

          448KB

          Download

        • memory/4984-57-0x0000000000400000-0x0000000000470000-memory.dmp

          Filesize

          448KB

          Download

        • memory/4984-60-0x0000000000400000-0x0000000000470000-memory.dmp

          Filesize

          448KB

          Download

        • memory/4984-63-0x0000000000400000-0x0000000000470000-memory.dmp

          Filesize

          448KB

          Download

        • memory/4984-67-0x0000000000400000-0x0000000000470000-memory.dmp

          Filesize

          448KB

          Download

        • memory/4984-70-0x0000000000400000-0x0000000000470000-memory.dmp

          Filesize

          448KB

          Download

        • memory/4984-73-0x0000000000400000-0x0000000000470000-memory.dmp

          Filesize

          448KB

          Download

        • memory/4984-76-0x0000000000400000-0x0000000000470000-memory.dmp

          Filesize

          448KB

          Download

        • memory/4984-80-0x0000000000400000-0x0000000000470000-memory.dmp

          Filesize

          448KB

          Download

        • memory/4984-83-0x0000000000400000-0x0000000000470000-memory.dmp

          Filesize

          448KB

          Download