ad64ee9e5377ff432665066f5e75c299e5663ea3bac389f0fdf7e74949fef613

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 00:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad64ee9e5377ff432665066f5e75c299e5663ea3bac389f0fdf7e74949fef613.exe
Size

195KB
MD5

9364523d20a7e76f5cb114750ebf6e10
SHA1

2850076675214c7d70a00a0781e6559904aa7442
SHA256

ad64ee9e5377ff432665066f5e75c299e5663ea3bac389f0fdf7e74949fef613
SHA512

8c434c94265d726ce85cea4a05babd34cb2f808c7be7e6c7882f9ae0fc313117a555a7000e5c5fdcf14cdabe2904aac01fe54f7f67366e88063c93d3d733397e
SSDEEP

6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOm:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXL

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	ad64ee9e5377ff432665066f5e75c299e5663ea3bac389f0fdf7e74949fef613.exe

Executes dropped EXE 1 IoCs

pid	Process
5032	vewhost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Debug\vewhost.exe	ad64ee9e5377ff432665066f5e75c299e5663ea3bac389f0fdf7e74949fef613.exe
File opened for modification	C:\Windows\Debug\vewhost.exe	ad64ee9e5377ff432665066f5e75c299e5663ea3bac389f0fdf7e74949fef613.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	vewhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vewhost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2468	ad64ee9e5377ff432665066f5e75c299e5663ea3bac389f0fdf7e74949fef613.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 1108	2468	ad64ee9e5377ff432665066f5e75c299e5663ea3bac389f0fdf7e74949fef613.exe	90
PID 2468 wrote to memory of 1108	2468	ad64ee9e5377ff432665066f5e75c299e5663ea3bac389f0fdf7e74949fef613.exe	90
PID 2468 wrote to memory of 1108	2468	ad64ee9e5377ff432665066f5e75c299e5663ea3bac389f0fdf7e74949fef613.exe	90

C:\Users\Admin\AppData\Local\Temp\ad64ee9e5377ff432665066f5e75c299e5663ea3bac389f0fdf7e74949fef613.exe
"C:\Users\Admin\AppData\Local\Temp\ad64ee9e5377ff432665066f5e75c299e5663ea3bac389f0fdf7e74949fef613.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\AD64EE~1.EXE > nul
  2⤵
  PID:1108

C:\Windows\Debug\vewhost.exe
C:\Windows\Debug\vewhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\debug\vewhost.exe

Filesize
195KB

MD5
a7425634145e9df1d3b98a6dce6ea95a

SHA1
ee3cc6de6aa26a6b01d5c9dea637b12493e3b709

SHA256
d84b63ec97ec33dd9ea82946fb41d892c244eb49b622cfbd56cf5e25a95424ac

SHA512
076e3194cfe7f15a4c5088e05a164fabec00837de3a96429ac81d8212de2ac9c0dc7407049f71587793700ada510c9a12be260e9e114c16d3ac72588e1cf0d48

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads