754267cec0b3c0f16face2284a06b6784d3efb51b89945009fd9151b8b025284

Analysis

max time kernel
92s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24/01/2024, 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

723ff06c0d26d85627ddb19c5a16a4ac.exe
Size

1.6MB
MD5

723ff06c0d26d85627ddb19c5a16a4ac
SHA1

d6e6212c2155fbe8a69afcf150eb040b356177dc
SHA256

754267cec0b3c0f16face2284a06b6784d3efb51b89945009fd9151b8b025284
SHA512

4165e825659a51c60c7338c26e7f2a52d999dac7f9eb8448b76068e4f6f2db7c45af0349bfbf43889bb6da4ee4ad96251840e70ab045d8bb2f2600f5af42aa13
SSDEEP

24576:7vLeIcAphAkJu8HtuW5thgxKk13yx1Gq3UBTcYjoxxqGvqRZKyCwTdJ1Gik9M5hY:7vLUBF2ntIy1mcTqgvyCmz12myM0u+

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	723ff06c0d26d85627ddb19c5a16a4ac.exe

Executes dropped EXE 1 IoCs

pid	Process
3604	World Bot V2 Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1520	723ff06c0d26d85627ddb19c5a16a4ac.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1520	723ff06c0d26d85627ddb19c5a16a4ac.exe
Token: 33	1520	723ff06c0d26d85627ddb19c5a16a4ac.exe
Token: SeIncBasePriorityPrivilege	1520	723ff06c0d26d85627ddb19c5a16a4ac.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 3604	1520	723ff06c0d26d85627ddb19c5a16a4ac.exe	31
PID 1520 wrote to memory of 3604	1520	723ff06c0d26d85627ddb19c5a16a4ac.exe	31
PID 1520 wrote to memory of 3604	1520	723ff06c0d26d85627ddb19c5a16a4ac.exe	31

C:\Users\Admin\AppData\Local\Temp\723ff06c0d26d85627ddb19c5a16a4ac.exe
"C:\Users\Admin\AppData\Local\Temp\723ff06c0d26d85627ddb19c5a16a4ac.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Local\Temp\World Bot V2 Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\World Bot V2 Installer.exe"
  2⤵
  - Executes dropped EXE
  PID:3604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\World Bot V2 Installer.exe

Filesize
87KB

MD5
da32d2b269dedd4d2f7bab6b16ec2c68

SHA1
d8bb7d6a8876af9075cf707f49e54a4805a1b3a0

SHA256
c2d206c1c53d52252b13364649ce8fd2094b5018255f75ce44de2541b6fc1d47

SHA512
34f06792fe2399e994288a3de7f6e2656bf618905285f18889afb02e8d84bdaed2e2235c65334825648cc33b8bc1b8ed9acd09b19343b4961d311be0bf55c3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\World Bot V2 Installer.exe

Filesize
127KB

MD5
a89d79939a8b6c014732b949b830c3c5

SHA1
8b8f037dd21f7122e7a25e20c83fe63181d8a30e

SHA256
5672dad7a47bf5597b5a50234ef53a951c76d1b76c345ec450c3d804ee13996a

SHA512
97885e0a5de94569876567d0a18bc977906b7cebee3ffc59e9cafa45ac06d8fb2dc56604cde34d11c9c3e956422558806a67d6050b4259760a74862df54425f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\World Bot V2 Installer.exe

Filesize
38KB

MD5
104760e13e859fc8b25f3710151db212

SHA1
4adfe5332d881048a6bccb0c98d66acbfef9c40f

SHA256
72e2a233d1f1e19f6bfd78385d86d1558c1893e177badfcd43cdea6c30efb0ee

SHA512
cc2b4b4e665053390e2917559fa8380b5498c96a8596e4a23eb0df51f7e1529648c062f8c39df26721aa0b2ed8658ca9709ba2023be4d42ca7c1446d9265ff7c

Download Submit
memory/1520-1-0x00000000017B0000-0x00000000017C0000-memory.dmp

Filesize
64KB

Download
memory/1520-3-0x00007FFD1F960000-0x00007FFD20301000-memory.dmp

Filesize
9.6MB

Download
memory/1520-5-0x000000001CAA0000-0x000000001CB3C000-memory.dmp

Filesize
624KB

Download
memory/1520-4-0x000000001C940000-0x000000001C9E6000-memory.dmp

Filesize
664KB

Download
memory/1520-7-0x000000001CC00000-0x000000001CC4C000-memory.dmp

Filesize
304KB

Download
memory/1520-6-0x0000000001A60000-0x0000000001A68000-memory.dmp

Filesize
32KB

Download
memory/1520-2-0x000000001C470000-0x000000001C93E000-memory.dmp

Filesize
4.8MB

Download
memory/1520-0-0x00007FFD1F960000-0x00007FFD20301000-memory.dmp

Filesize
9.6MB

Download
memory/1520-20-0x00007FFD1F960000-0x00007FFD20301000-memory.dmp

Filesize
9.6MB

Download