Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
23-01-2024 21:38
Behavioral task
behavioral1
Sample
cd53a1eb080ca977a40f0d2f33dea711ac0b6ed4fc0a6102fe64a2b41c91f7f2.exe
Resource
win7-20231215-en
windows7-x64
13 signatures
150 seconds
Behavioral task
behavioral2
Sample
cd53a1eb080ca977a40f0d2f33dea711ac0b6ed4fc0a6102fe64a2b41c91f7f2.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
12 signatures
150 seconds
General
-
Target
cd53a1eb080ca977a40f0d2f33dea711ac0b6ed4fc0a6102fe64a2b41c91f7f2.exe
-
Size
37KB
-
MD5
e42eb443fd6bf40ef9d7f2bfc76a1acb
-
SHA1
467365bb0ef682d45c3f1664edd1690d89d56abc
-
SHA256
cd53a1eb080ca977a40f0d2f33dea711ac0b6ed4fc0a6102fe64a2b41c91f7f2
-
SHA512
64521ad80f984166efbbd2b2357678a6956b13607da080c1ca7c04d466b1f643abcecb56e89da7a69c57cf3bfbc672e441c023503d3e3ab2c410548a4c55ed11
-
SSDEEP
384:7R6Iiu5jtD+P3V+y0bzif2tH5ssumTErAF+rMRTyN/0L+EcoinblneHQM3epzXtq:lRmV10bzif2tSNmorM+rMRa8NubOt
Score
8/10
Malware Config
Signatures
-
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 1184 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation cd53a1eb080ca977a40f0d2f33dea711ac0b6ed4fc0a6102fe64a2b41c91f7f2.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e202c6dae1aeba28a88e7bf1cebb0c19.exe svhost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e202c6dae1aeba28a88e7bf1cebb0c19.exe svhost.exe -
Executes dropped EXE 1 IoCs
pid Process 4748 svhost.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e202c6dae1aeba28a88e7bf1cebb0c19 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe\" .." svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\e202c6dae1aeba28a88e7bf1cebb0c19 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe\" .." svhost.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops autorun.inf file 1 TTPs 5 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File created C:\autorun.inf svhost.exe File opened for modification C:\autorun.inf svhost.exe File created D:\autorun.inf svhost.exe File created F:\autorun.inf svhost.exe File opened for modification F:\autorun.inf svhost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe 4748 svhost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4748 svhost.exe -
Suspicious use of AdjustPrivilegeToken 35 IoCs
description pid Process Token: SeDebugPrivilege 4748 svhost.exe Token: 33 4748 svhost.exe Token: SeIncBasePriorityPrivilege 4748 svhost.exe Token: 33 4748 svhost.exe Token: SeIncBasePriorityPrivilege 4748 svhost.exe Token: 33 4748 svhost.exe Token: SeIncBasePriorityPrivilege 4748 svhost.exe Token: 33 4748 svhost.exe Token: SeIncBasePriorityPrivilege 4748 svhost.exe Token: 33 4748 svhost.exe Token: SeIncBasePriorityPrivilege 4748 svhost.exe Token: 33 4748 svhost.exe Token: SeIncBasePriorityPrivilege 4748 svhost.exe Token: 33 4748 svhost.exe Token: SeIncBasePriorityPrivilege 4748 svhost.exe Token: 33 4748 svhost.exe Token: SeIncBasePriorityPrivilege 4748 svhost.exe Token: 33 4748 svhost.exe Token: SeIncBasePriorityPrivilege 4748 svhost.exe Token: 33 4748 svhost.exe Token: SeIncBasePriorityPrivilege 4748 svhost.exe Token: 33 4748 svhost.exe Token: SeIncBasePriorityPrivilege 4748 svhost.exe Token: 33 4748 svhost.exe Token: SeIncBasePriorityPrivilege 4748 svhost.exe Token: 33 4748 svhost.exe Token: SeIncBasePriorityPrivilege 4748 svhost.exe Token: 33 4748 svhost.exe Token: SeIncBasePriorityPrivilege 4748 svhost.exe Token: 33 4748 svhost.exe Token: SeIncBasePriorityPrivilege 4748 svhost.exe Token: 33 4748 svhost.exe Token: SeIncBasePriorityPrivilege 4748 svhost.exe Token: 33 4748 svhost.exe Token: SeIncBasePriorityPrivilege 4748 svhost.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4608 wrote to memory of 4748 4608 cd53a1eb080ca977a40f0d2f33dea711ac0b6ed4fc0a6102fe64a2b41c91f7f2.exe 95 PID 4608 wrote to memory of 4748 4608 cd53a1eb080ca977a40f0d2f33dea711ac0b6ed4fc0a6102fe64a2b41c91f7f2.exe 95 PID 4608 wrote to memory of 4748 4608 cd53a1eb080ca977a40f0d2f33dea711ac0b6ed4fc0a6102fe64a2b41c91f7f2.exe 95 PID 4748 wrote to memory of 1184 4748 svhost.exe 98 PID 4748 wrote to memory of 1184 4748 svhost.exe 98 PID 4748 wrote to memory of 1184 4748 svhost.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\cd53a1eb080ca977a40f0d2f33dea711ac0b6ed4fc0a6102fe64a2b41c91f7f2.exe"C:\Users\Admin\AppData\Local\Temp\cd53a1eb080ca977a40f0d2f33dea711ac0b6ed4fc0a6102fe64a2b41c91f7f2.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Users\Admin\AppData\Roaming\svhost.exe"C:\Users\Admin\AppData\Roaming\svhost.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svhost.exe" "svhost.exe" ENABLE3⤵
- Modifies Windows Firewall
PID:1184
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
37KB
MD5e42eb443fd6bf40ef9d7f2bfc76a1acb
SHA1467365bb0ef682d45c3f1664edd1690d89d56abc
SHA256cd53a1eb080ca977a40f0d2f33dea711ac0b6ed4fc0a6102fe64a2b41c91f7f2
SHA51264521ad80f984166efbbd2b2357678a6956b13607da080c1ca7c04d466b1f643abcecb56e89da7a69c57cf3bfbc672e441c023503d3e3ab2c410548a4c55ed11