Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/01/2024, 01:51

Static task: static1
Behavioral task: behavioral1
  Sample: 692e59936ec86af59b779fcaa3196fdc.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 692e59936ec86af59b779fcaa3196fdc.exe
  Resource: win10v2004-20231222-en
General

Target: 692e59936ec86af59b779fcaa3196fdc.exe
Size: 982KB
MD5: 692e59936ec86af59b779fcaa3196fdc
SHA1: f1bc1a37d83db1823aafecc2c845baae0bc1f758
SHA256: 67516c379552392727f0857f3c8c01d6f2d4bf24e8d2e6190a842b752893c5d0
SHA512: f463579d1e3a0352b747034f33b02aa2ea10b43473050512a3c004226a6f95afcc3068d760fce2fdffd8dd1b5f8219f839b455a80a07d9eed03ffef5a5443d41
SSDEEP: 24576:9fmH83w6BY1oVjEySR6A9sXocCFvp1a8GmXnj:9e8g6B3VKv9IS9nRV
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | 692e59936ec86af59b779fcaa3196fdc.exe
Uses the VBS compiler for execution (1 TTP)
vbc.exe is the Visual Basic .NET compiler shipped with the .NET Framework (here C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe), a signed Microsoft binary. It appears twice in the process tree below, each time as the target of the SetThreadContext and WriteProcessMemory activity recorded under the signatures that follow.
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\drt = "C:\\Users\\Admin\\AppData\\Roaming\\drt.exe" | 692e59936ec86af59b779fcaa3196fdc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\drt = "C:\\Users\\Admin\\AppData\\Roaming\\drt.exe" | 692e59936ec86af59b779fcaa3196fdc.exe
The same value is written twice, once by each sample process (the process tree lists this signature under both PID 2468 and PID 1596). No file write for C:\Users\Admin\AppData\Roaming\drt.exe appears among the signatures on this page, so on a live host confirm that the path exists before treating the Run value as a working persistence foothold.
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 2468 set thread context of 1032 | 2468 | 692e59936ec86af59b779fcaa3196fdc.exe | 89
PID 1596 set thread context of 2608 | 1596 | 692e59936ec86af59b779fcaa3196fdc.exe | 92
procid_target is the sandbox's internal index for the target process, not a PID. Both targets are the vbc.exe children in the process tree, and a child that receives both WriteProcessMemory and SetThreadContext from its parent is the process-hollowing pattern: the parent copies its payload into the child and then redirects the child's thread to it.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2468 | 692e59936ec86af59b779fcaa3196fdc.exe
1596 | 692e59936ec86af59b779fcaa3196fdc.exe
All 64 entries are attributed to these two processes, in alternating runs of two to four rows each; neither vbc.exe child appears.
Suspicious use of AdjustPrivilegeToken (50 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2468 | 692e59936ec86af59b779fcaa3196fdc.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 entries) | 1032 | vbc.exe
Token: SeDebugPrivilege | 1596 | 692e59936ec86af59b779fcaa3196fdc.exe
Token: the same 24 privileges as for PID 1032, in the same order | 2608 | vbc.exe
Each sample process enables only SeDebugPrivilege, while each hollowed vbc.exe enables 24 privileges at once, including SeLoadDriverPrivilege and SeTakeOwnershipPrivilege, far more than a compiler has any use for. The unnamed entries 33 to 36 are privilege LUIDs the sandbox did not resolve to names: SeIncreaseWorkingSetPrivilege (33), SeTimeZonePrivilege (34), SeCreateSymbolicLinkPrivilege (35) and SeDelegateSessionUserImpersonatePrivilege (36).
Suspicious use of WriteProcessMemory (31 IoCs)
description | pid | Process | procid_target | occurrences
PID 2468 wrote to memory of 1032 | 2468 | 692e59936ec86af59b779fcaa3196fdc.exe | 89 | 14
PID 2468 wrote to memory of 1596 | 2468 | 692e59936ec86af59b779fcaa3196fdc.exe | 91 | 3
PID 1596 wrote to memory of 2608 | 1596 | 692e59936ec86af59b779fcaa3196fdc.exe | 92 | 14
The three writes into PID 1596 (the sample's own copy) have no matching SetThreadContext entry and are consistent with ordinary child-process creation. The 14 writes into each vbc.exe instance, paired with the SetThreadContext entries above, are the payload being copied into the hollowed host.
Processes

C:\Users\Admin\AppData\Local\Temp\692e59936ec86af59b779fcaa3196fdc.exe (PID 2468, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\692e59936ec86af59b779fcaa3196fdc.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1032, depth 2, child of 2468)
    command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\692e59936ec86af59b779fcaa3196fdc.exe (PID 1596, depth 2, child of 2468)
    command line: "C:\Users\Admin\AppData\Local\Temp\692e59936ec86af59b779fcaa3196fdc.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2608, depth 3, child of 1596)
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      - Suspicious use of AdjustPrivilegeToken

Both vbc.exe instances are started with no command-line arguments, which no real compiler invocation would be; a bare vbc.exe whose parent is not MSBuild, Visual Studio or a build script is worth an immediate memory dump rather than a wait for further telemetry.
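The signatures and process tree above can be turned into a small triage check. The Python below is an added example, not part of the sandbox report or of any tool the report names: it replays the report's events (transcribed as constructed input, with the repeated WriteProcessMemory rows collapsed to one event each), rebuilds the process tree, and flags self-copying, Run values that point into user-writable paths, and parent/child pairs where a memory write is paired with a SetThreadContext. The event tuple layout, the HOLLOW_HOSTS list and the path patterns are the example's own assumptions; only the Python standard library is used.

```python
"""Added example (not part of the sandbox report): replay the report's IoC
events, rebuild the process tree and flag the hollowing and persistence
pattern that the signatures describe."""
import re
from collections import defaultdict

# Constructed sample input transcribed from the report's signature tables.
# The (kind, pid, target_pid, detail) tuple layout is this example's own
# convention, not a sandbox export format. Repeated WriteProcessMemory rows
# are collapsed to one event each.
SAMPLE = "692e59936ec86af59b779fcaa3196fdc.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
RUN_KEY = (r"\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000"
           r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\drt")
RUN_VALUE = r"C:\Users\Admin\AppData\Roaming\drt.exe"

EVENTS = [
    ("create", 2468, 1032, VBC),
    ("write_memory", 2468, 1032, None),       # 14 rows in the report
    ("set_thread_context", 2468, 1032, None),
    ("create", 2468, 1596, SAMPLE),
    ("write_memory", 2468, 1596, None),       # 3 rows, no SetThreadContext
    ("create", 1596, 2608, VBC),
    ("write_memory", 1596, 2608, None),       # 14 rows in the report
    ("set_thread_context", 1596, 2608, None),
    ("reg_set", 2468, None, (RUN_KEY, RUN_VALUE)),
    ("reg_set", 1596, None, (RUN_KEY, RUN_VALUE)),
]

# Signed Microsoft .NET binaries commonly used as hollowing hosts. This list
# is the example's assumption; the report itself only shows vbc.exe.
HOLLOW_HOSTS = {"vbc.exe", "csc.exe", "msbuild.exe", "regasm.exe",
                "regsvcs.exe", "installutil.exe", "aspnet_compiler.exe"}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\AppData\\|\\Temp\\|\\Users\\Public\\", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def build_tree(events, root_pid, root_image):
    """Return (image, parent): pid -> image path and child pid -> parent pid."""
    image, parent = {root_pid: root_image}, {}
    for kind, pid, target, detail in events:
        if kind == "create":
            image[target], parent[target] = detail, pid
    return image, parent


def tree_lines(events, root_pid, root_image=SAMPLE):
    """Indented process tree, children ordered by pid."""
    image, parent = build_tree(events, root_pid, root_image)
    children = defaultdict(list)
    for child, par in parent.items():
        children[par].append(child)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{basename(image[pid])} (pid {pid})")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    walk(root_pid, 0)
    return lines


def analyze(events, root_pid, root_image=SAMPLE):
    """Findings for self-copying, Run-key persistence into user-writable
    paths, and write + SetThreadContext injection."""
    image, parent = build_tree(events, root_pid, root_image)
    writes, contexts, findings = set(), set(), []
    for kind, pid, target, detail in events:
        if kind == "create" and basename(detail) == basename(image[pid]):
            findings.append(f"pid {pid} spawned a copy of itself as pid {target}")
        elif kind == "write_memory":
            writes.add((pid, target))
        elif kind == "set_thread_context":
            contexts.add((pid, target))
        elif kind == "reg_set":
            key, value = detail
            if RUN_KEY_RE.search(key) and USER_WRITABLE_RE.search(value):
                name = key.rsplit("\\", 1)[-1]
                findings.append(f"pid {pid} set Run value {name} -> {value} (user-writable path)")
    # A write alone is normal for a parent that has just created a child; the
    # write paired with a replaced thread context is the injection signal.
    for src, dst in sorted(writes & contexts):
        host = basename(image.get(dst, "?"))
        verb = "hollowed" if parent.get(dst) == src else "hijacked a thread in"
        tag = " [known .NET hollowing host]" if host in HOLLOW_HOSTS else ""
        findings.append(f"pid {src} {verb} {host} (pid {dst}){tag}")
    return findings


if __name__ == "__main__":
    print("\n".join(tree_lines(EVENTS, 2468)))
    for finding in analyze(EVENTS, 2468):
        print("!", finding)
```

On this input the check reports the self-copy (2468 spawning 1596), the two Run values under AppData, and both vbc.exe children as hollowed; the three writes into the self-copy are correctly left alone because no SetThreadContext accompanies them. To use it against real telemetry, replace EVENTS with the same four event kinds pulled from a Sysmon or EDR export.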