839b5490987b6b7beda3726ac2bd3a254b113930c06b881c9ab1655515ff52c9

Analysis

max time kernel
145s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2024, 10:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f9e5e5bb0bc922b0fa6fb8db9e80167.exe
Size

60KB
MD5

7f9e5e5bb0bc922b0fa6fb8db9e80167
SHA1

86807d164d4e1606ce7f2b009652ee02ad0bb565
SHA256

839b5490987b6b7beda3726ac2bd3a254b113930c06b881c9ab1655515ff52c9
SHA512

6f6a8c48aecb1c4cc57107fc509e975f5b2213e1f24e15e27f64229c3ce8b19a5181b336fad5f748042aa8e88bf41aa58cf08065ad299a423e583597ae610a2d
SSDEEP

1536:wQXKJBUgcZtPGatcvVULLQV4wiyPDREQoAqXEL:wfUPGasV5gEDRviEL

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	7f9e5e5bb0bc922b0fa6fb8db9e80167.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	7f9e5e5bb0bc922b0fa6fb8db9e80167.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Payload.exe

Executes dropped EXE 1 IoCs

pid	Process
4868	Payload.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe"	7f9e5e5bb0bc922b0fa6fb8db9e80167.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	3200	7f9e5e5bb0bc922b0fa6fb8db9e80167.exe
Token: 33	3200	7f9e5e5bb0bc922b0fa6fb8db9e80167.exe
Token: SeIncBasePriorityPrivilege	3200	7f9e5e5bb0bc922b0fa6fb8db9e80167.exe
Token: SeDebugPrivilege	4868	Payload.exe
Token: 33	4868	Payload.exe
Token: SeIncBasePriorityPrivilege	4868	Payload.exe
Token: 33	4868	Payload.exe
Token: SeIncBasePriorityPrivilege	4868	Payload.exe
Token: 33	4868	Payload.exe
Token: SeIncBasePriorityPrivilege	4868	Payload.exe
Token: 33	4868	Payload.exe
Token: SeIncBasePriorityPrivilege	4868	Payload.exe
Token: 33	4868	Payload.exe
Token: SeIncBasePriorityPrivilege	4868	Payload.exe
Token: 33	4868	Payload.exe
Token: SeIncBasePriorityPrivilege	4868	Payload.exe
Token: 33	4868	Payload.exe
Token: SeIncBasePriorityPrivilege	4868	Payload.exe
Token: 33	4868	Payload.exe
Token: SeIncBasePriorityPrivilege	4868	Payload.exe
Token: 33	4868	Payload.exe
Token: SeIncBasePriorityPrivilege	4868	Payload.exe
Token: 33	4868	Payload.exe
Token: SeIncBasePriorityPrivilege	4868	Payload.exe
Token: 33	4868	Payload.exe
Token: SeIncBasePriorityPrivilege	4868	Payload.exe
Token: 33	4868	Payload.exe
Token: SeIncBasePriorityPrivilege	4868	Payload.exe
Token: 33	4868	Payload.exe
Token: SeIncBasePriorityPrivilege	4868	Payload.exe
Token: 33	4868	Payload.exe
Token: SeIncBasePriorityPrivilege	4868	Payload.exe
Token: 33	4868	Payload.exe
Token: SeIncBasePriorityPrivilege	4868	Payload.exe
Token: 33	4868	Payload.exe
Token: SeIncBasePriorityPrivilege	4868	Payload.exe
Token: 33	4868	Payload.exe
Token: SeIncBasePriorityPrivilege	4868	Payload.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3200 wrote to memory of 4868	3200	7f9e5e5bb0bc922b0fa6fb8db9e80167.exe	89
PID 3200 wrote to memory of 4868	3200	7f9e5e5bb0bc922b0fa6fb8db9e80167.exe	89
PID 3200 wrote to memory of 4868	3200	7f9e5e5bb0bc922b0fa6fb8db9e80167.exe	89
PID 3200 wrote to memory of 5036	3200	7f9e5e5bb0bc922b0fa6fb8db9e80167.exe	90
PID 3200 wrote to memory of 5036	3200	7f9e5e5bb0bc922b0fa6fb8db9e80167.exe	90
PID 3200 wrote to memory of 5036	3200	7f9e5e5bb0bc922b0fa6fb8db9e80167.exe	90

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5036	attrib.exe

C:\Users\Admin\AppData\Local\Temp\7f9e5e5bb0bc922b0fa6fb8db9e80167.exe
"C:\Users\Admin\AppData\Local\Temp\7f9e5e5bb0bc922b0fa6fb8db9e80167.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Users\Admin\AppData\Local\Temp\Payload.exe
  "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4868
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
  2⤵
  - Views/modifies file attributes
  PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Payload.exe

Filesize
60KB

MD5
7f9e5e5bb0bc922b0fa6fb8db9e80167

SHA1
86807d164d4e1606ce7f2b009652ee02ad0bb565

SHA256
839b5490987b6b7beda3726ac2bd3a254b113930c06b881c9ab1655515ff52c9

SHA512
6f6a8c48aecb1c4cc57107fc509e975f5b2213e1f24e15e27f64229c3ce8b19a5181b336fad5f748042aa8e88bf41aa58cf08065ad299a423e583597ae610a2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Filesize
1KB

MD5
69371c1f18ff097d5fd980c4655b6ce9

SHA1
867bb02fe9d7091eeeba8bb9fd6ada9976916acd

SHA256
4c88c28efba4af6fdcc00eb53f609ef2916dc2c4d5282f5240762f105918ba91

SHA512
48c8d3d87ecb35501ce21e557ff87fc39af3fcd4e16b61d82c73d1cccd16286d303b714c6170b129864a3b7ac23fcae4a5f0a9e87f797718b4c957b3c31385df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

Filesize
1KB

MD5
20c7236157a0d5b1882852f9bf81c540

SHA1
442af1a64dbe7e8c06c506e6a88e31e7855cc658

SHA256
75fbf8a3c5398e7515a38ca90f2e5a3950791e7b29470d5e8fdc16e0fdfca4ba

SHA512
556b48ce2b0f741059cf24feedb6733471b804522c6f1b9725066427fd1205b2272c3ba870a1ced507080eb4569dee27d5e9466a8d415188ed0d5e3b441bb6d8

Download Submit
memory/3200-0-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/3200-1-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/3200-2-0x0000000000CB0000-0x0000000000CC0000-memory.dmp

Filesize
64KB

Download
memory/3200-17-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/4868-18-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/4868-19-0x00000000011C0000-0x00000000011D0000-memory.dmp

Filesize
64KB

Download
memory/4868-20-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/4868-25-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/4868-26-0x00000000011C0000-0x00000000011D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads