e67910442a47a80b2d0f01be4e99339586d2476000a9ada39b3787ee8361f8fc

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2024, 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8018688837cddbc6e01a729ebd88cb41.exe
Size

540KB
MD5

8018688837cddbc6e01a729ebd88cb41
SHA1

dd1d4341340c77ecd7345f2b537fa6281ca186a3
SHA256

e67910442a47a80b2d0f01be4e99339586d2476000a9ada39b3787ee8361f8fc
SHA512

4e5ecab5b4576627bb474cacaf9ab135f22a5e11e99a935c7b136f0874fd425a56041eaa594d049cf8ec835168359b99079b371a8efe57d2146f710c20ed9bec
SSDEEP

12288:oFZCv7TnOqMiWaf7BI3aJdJZie1LRgT4y9MMnMMMMMtM/E:UZCzTOqx97BRa0OLMMnMMMMMt

Score

8^/10

evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	8018688837cddbc6e01a729ebd88cb41.exe

Executes dropped EXE 1 IoCs

pid	Process
4492	sAaAVcAvvOACS.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sAaAVcAvvOACS = "C:\\ProgramData\\sAaAVcAvvOACS.exe"	8018688837cddbc6e01a729ebd88cb41.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\Download	8018688837cddbc6e01a729ebd88cb41.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	8018688837cddbc6e01a729ebd88cb41.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1216	8018688837cddbc6e01a729ebd88cb41.exe
1216	8018688837cddbc6e01a729ebd88cb41.exe
1216	8018688837cddbc6e01a729ebd88cb41.exe
1216	8018688837cddbc6e01a729ebd88cb41.exe
4492	sAaAVcAvvOACS.exe
4492	sAaAVcAvvOACS.exe
4492	sAaAVcAvvOACS.exe
4492	sAaAVcAvvOACS.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1216	8018688837cddbc6e01a729ebd88cb41.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 4492	1216	8018688837cddbc6e01a729ebd88cb41.exe	77
PID 1216 wrote to memory of 4492	1216	8018688837cddbc6e01a729ebd88cb41.exe	77
PID 1216 wrote to memory of 4492	1216	8018688837cddbc6e01a729ebd88cb41.exe	77

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	8018688837cddbc6e01a729ebd88cb41.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	8018688837cddbc6e01a729ebd88cb41.exe

C:\Users\Admin\AppData\Local\Temp\8018688837cddbc6e01a729ebd88cb41.exe
"C:\Users\Admin\AppData\Local\Temp\8018688837cddbc6e01a729ebd88cb41.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1216
- C:\ProgramData\sAaAVcAvvOACS.exe
  "C:\ProgramData\sAaAVcAvvOACS.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\sAaAVcAvvOACS.exe

Filesize
338KB

MD5
4454d483b9294fb8f225de3c9de6cc1f

SHA1
6aef119f2dadb048cd5389251380bc1530d178a3

SHA256
3072d261ed659927112167513668876a4e2a15ee0bc6933de783c6afab59c531

SHA512
7fa996f26657419d8ca2b210c980a6b6087fc17489834b1bcf23aeacb1e2634fac1b535fd4af317683a5456354884c40979fb63801467146fbf5766548f0535f

Download Submit
C:\ProgramData\sAaAVcAvvOACS.exe

Filesize
298KB

MD5
62bb0d6b475354e53e7fd73d8e3b02ec

SHA1
e522c95a89f53b33a920ade37bd51d87ff93d685

SHA256
e0f1a29ad69a073f1ebc509852728e7d58509f83c833f4ad9aa326551d62d3fc

SHA512
170a2466f3e233237c02091ab8efc03d143ed5b1554b5da089e530a22469dfa0e82649a55d6f1bd89b5d0842683eb6d3b4a276e6d606bb2dddd453341680e456

Download Submit
C:\ProgramData\sAaAVcAvvOACS.exe

Filesize
399KB

MD5
5ac99f1f6a847b6bea0e9bfedf889d60

SHA1
6757566c9c1314cb12bf77798b9f690086f83610

SHA256
c567c3f1e595d8f60aa13fd2c279aad03bce50f735c53026d9928508f6faf5a7

SHA512
86f370961a92db1c7a94f0c1270403ee63494192c43fcbba588315b36fe5b6b1bbf9282618bada95a389eab561c0032b50f8876c446ca4334f156138bfe58a7a

Download Submit
memory/1216-1-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/1216-0-0x0000000002490000-0x0000000002630000-memory.dmp

Filesize
1.6MB

Download
memory/1216-21-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/4492-13-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download