7cea1767baeaf202fd525460218ce036a08405a49b3d0a20d5211d22d0272e55

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7cea1767baeaf202fd525460218ce036a08405a49b3d0a20d5211d22d0272e55.exe
Size

196KB
MD5

f1808d127abeb2b08d82a2c7c876704a
SHA1

a5700b817afc5f3225beccd0806233fee20e8e2c
SHA256

7cea1767baeaf202fd525460218ce036a08405a49b3d0a20d5211d22d0272e55
SHA512

69550c93dbf33b663168c60475f808aefda15e4bd150b49bdeaf2915e7836714a1c506d21740fe744ed4311806c5d36843c3b3b7832a9301c6ebc116a7b8488a
SSDEEP

6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOa:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXX3

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	7cea1767baeaf202fd525460218ce036a08405a49b3d0a20d5211d22d0272e55.exe

Executes dropped EXE 1 IoCs

pid	Process
1172	boohost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Debug\boohost.exe	7cea1767baeaf202fd525460218ce036a08405a49b3d0a20d5211d22d0272e55.exe
File opened for modification	C:\Windows\Debug\boohost.exe	7cea1767baeaf202fd525460218ce036a08405a49b3d0a20d5211d22d0272e55.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4000	7cea1767baeaf202fd525460218ce036a08405a49b3d0a20d5211d22d0272e55.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 3060	4000	7cea1767baeaf202fd525460218ce036a08405a49b3d0a20d5211d22d0272e55.exe	89
PID 4000 wrote to memory of 3060	4000	7cea1767baeaf202fd525460218ce036a08405a49b3d0a20d5211d22d0272e55.exe	89
PID 4000 wrote to memory of 3060	4000	7cea1767baeaf202fd525460218ce036a08405a49b3d0a20d5211d22d0272e55.exe	89

C:\Users\Admin\AppData\Local\Temp\7cea1767baeaf202fd525460218ce036a08405a49b3d0a20d5211d22d0272e55.exe
"C:\Users\Admin\AppData\Local\Temp\7cea1767baeaf202fd525460218ce036a08405a49b3d0a20d5211d22d0272e55.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\7CEA17~1.EXE > nul
  2⤵
  PID:3060

C:\Windows\Debug\boohost.exe
C:\Windows\Debug\boohost.exe
1⤵
- Executes dropped EXE
PID:1172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\debug\boohost.exe

Filesize
196KB

MD5
0b3e6df53d8ebc5ac9683922eb275761

SHA1
f4744a48b879ce7e989ef74eedd537e27029a4f8

SHA256
760b71f5ec84d2d7ad7eceaecc039ec2af7859f3b88de58e41ab595f919999ef

SHA512
c921a16a1b620e7a61b3a480fe2e3e79f77539698f79d36febd74ce6e88b9e244f7beb13cd6d54241596d8860e8977805503744e441f0ab02f5333105e7f14c6

Download Submit