Analysis
max time kernel: 152s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/02/2024, 04:06
Behavioral task behavioral1
Sample: 8b5a798a5aefc7817f4ad1412e69a6ce.exe
Resource: win7-20231215-en
Behavioral task behavioral2
Sample: 8b5a798a5aefc7817f4ad1412e69a6ce.exe
Resource: win10v2004-20231215-en
General
Target: 8b5a798a5aefc7817f4ad1412e69a6ce.exe
Size: 291KB
MD5: 8b5a798a5aefc7817f4ad1412e69a6ce
SHA1: cef0d699332025e8da7fe747eb69346be932cb9d
SHA256: 36bcbc6f042482039ffd4e6f5c4c83ce5b86394da2506670b86d3d7525f79549
SHA512: 0af6f31e22c82890d5e81424fa2ff7a47d2c98e43d5d3ba4541c045920a536158cdc080f32194ccfb84d1e802be3e5192e5d0bdeb89740fcadca33bf08fefafd
SSDEEP: 768:crKFygpFRA/vMHTi9bDoMVpb0mjv8gx5poyKcMYocg3arRw:uKFygOnYi9bRVBjv8YoyIYxgy
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check. The value read is the numeric GeoID of the country selected in the Region settings; samples that read it typically exit or alter behaviour in some locales.
  Key value queried: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation (8b5a798a5aefc7817f4ad1412e69a6ce.exe)
Drops startup file (4 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe (Payload.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe (Payload.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk (8b5a798a5aefc7817f4ad1412e69a6ce.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk (Payload.exe)
Executes dropped EXE (1 IoC)
  PID 3252: Payload.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL" (Payload.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\Users\Admin\AppData\Local\Temp\Payload.exe" (8b5a798a5aefc7817f4ad1412e69a6ce.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL" (Payload.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL" (Payload.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL" (Payload.exe)
Two value names (Windows, Windows2) are set under both the machine Run key and the user's Run key. The WOW6432Node path is where a 32-bit process's write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lands under WOW64 registry redirection; entries in either view are executed at logon. The HKLM writes only succeed because the sandbox runs the sample as an administrator; on a standard-user host only the HKCU entries would persist. The user's Windows2 value is written twice, once by the original sample with the path of Payload.exe and once by Payload.exe with the path of an Internet shortcut (Windows.URL) in the user's Templates folder; the contents of that .URL file are not captured in this report.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (27 IoCs)
All 27 token adjustments are made by PID 3252 (Payload.exe):
  Token: SeDebugPrivilege (once)
  Token: 33 and Token: SeIncBasePriorityPrivilege, alternating (13 times each; "33" is a privilege the sandbox reports by its LUID only)
SeDebugPrivilege is the privilege needed to open processes owned by other users or protected by the system; SeIncBasePriorityPrivilege is the privilege needed to raise a process's scheduling priority. The sandbox only records that the privileges were requested, not whether each request succeeded.
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 740 (8b5a798a5aefc7817f4ad1412e69a6ce.exe) wrote to memory of PID 3252 (Payload.exe), procid_target 90: 3 times
  PID 740 (8b5a798a5aefc7817f4ad1412e69a6ce.exe) wrote to memory of PID 4072 (attrib.exe), procid_target 91: 3 times
Both targets are the two children that PID 740 spawns in the process tree below and no other target appears, which is consistent with the writes a parent makes while creating a child rather than with injection into an unrelated process.
Views/modifies file attributes (1 TTP, 1 IoC)
  PID 4072: attrib.exe
The command line (see Processes) sets +h +r +s on Payload.exe in the user's Temp folder. A file marked hidden and system is not shown by a default Explorer view or by a plain dir listing; use dir /a or Get-ChildItem -Force to see it, and attrib -h -r -s to clear the flags before deleting it.
Processes
C:\Users\Admin\AppData\Local\Temp\8b5a798a5aefc7817f4ad1412e69a6ce.exe (PID 740)
  command line: "C:\Users\Admin\AppData\Local\Temp\8b5a798a5aefc7817f4ad1412e69a6ce.exe"
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Payload.exe (PID 3252, child of 740)
    command line: "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\attrib.exe (PID 4072, child of 740)
    command line: attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
    - Views/modifies file attributes
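The following is an added example and not part of the sandbox report or the sample: it encodes the three persistence and evasion behaviours above (Run values pointing into AppData, launcher files dropped into the Startup folder, attrib.exe hiding a file under AppData) as checks over Sysmon-style events, then rolls the hits up to the root of the process chain. The EVENTS list is constructed from this report's IoCs (the SID, paths and PIDs are the report's) and is not a real Sysmon export; field names follow Sysmon (Image, CommandLine, TargetObject, Details, TargetFilename) and the EventID numbers follow Sysmon's ProcessCreate (1), FileCreate (11) and registry value set (13). The rule names and the benign control event are this example's own.

```python
"""Detection logic for the persistence chain in this report, run over
CONSTRUCTED Sysmon-style events (not a real Sysmon export)."""
import ntpath
import re
from dataclasses import dataclass

# Run and Run\<value> in either hive view; RunOnce and other ASEPs are out of scope here.
RUN_KEY_RE = re.compile(r"\\Software\\(WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
# Locations any user can write to; the report's sample, payload and .URL all live here.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)\\", re.I)
# File types the shell launches when named in a Run value or dropped into Startup.
LAUNCHER_EXTS = {".exe", ".url", ".lnk", ".scr", ".bat", ".vbs", ".js", ".hta"}
ATTRIB_FLAG_RE = re.compile(r"(?<!\S)\+[hrs](?!\S)", re.I)  # +h / +r / +s as whole tokens


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    image: str
    detail: str


def _ext(path: str) -> str:
    return ntpath.splitext(path.strip('"'))[1].lower()


def check_run_value(ev: dict):
    """EventID 13: a Run value whose data is a launcher file under user-writable AppData."""
    target, data = ev.get("TargetObject", ""), ev.get("Details", "")
    if RUN_KEY_RE.search(target) and USER_WRITABLE_RE.search(data) and _ext(data) in LAUNCHER_EXTS:
        return Finding("run_key_appdata", ev["ProcessId"], ev["Image"], f"{target} -> {data}")
    return None


def check_startup_drop(ev: dict):
    """EventID 11: a launcher file written into the per-user Startup folder."""
    path = ev.get("TargetFilename", "")
    if STARTUP_DIR_RE.search(path) and _ext(path) in LAUNCHER_EXTS:
        return Finding("startup_folder_drop", ev["ProcessId"], ev["Image"], path)
    return None


def check_attrib_hide(ev: dict):
    """EventID 1: attrib.exe marking a file under AppData hidden and/or system."""
    image, cmd = ev.get("Image", ""), ev.get("CommandLine", "")
    if ntpath.basename(image).lower() != "attrib.exe":
        return None
    flags = {f.lower() for f in ATTRIB_FLAG_RE.findall(cmd)}
    if flags & {"+h", "+s"} and USER_WRITABLE_RE.search(cmd):
        return Finding("attrib_hide_payload", ev["ProcessId"], image, cmd)
    return None


CHECKS = {1: check_attrib_hide, 11: check_startup_drop, 13: check_run_value}


def scan(events):
    """Apply the check matching each event's EventID; findings come back in event order."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("EventID"))
        hit = check(ev) if check else None
        if hit:
            findings.append(hit)
    return findings


def attribute_to_root(findings, events):
    """Group finding rules by the top-most ancestor PID known from ProcessCreate events,
    so the sample, its dropped payload and the attrib helper roll up to one chain."""
    parent = {ev["ProcessId"]: ev["ParentProcessId"] for ev in events if ev.get("EventID") == 1}

    def root(pid):
        seen = set()
        while pid in parent and pid not in seen:  # guard against PID reuse cycles
            seen.add(pid)
            pid = parent[pid]
        return pid

    chains = {}
    for f in findings:
        chains.setdefault(root(f.pid), []).append(f.rule)
    return chains


# Constructed events modelled on the report's IoCs (paths, SID and PIDs are the report's).
SID = "S-1-5-21-3073191680-435865314-2862784915-1000"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8b5a798a5aefc7817f4ad1412e69a6ce.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
URL_FILE = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
EVENTS = [
    {"EventID": 1, "ProcessId": 3252, "ParentProcessId": 740, "Image": PAYLOAD, "CommandLine": '"' + PAYLOAD + '"'},
    {"EventID": 1, "ProcessId": 4072, "ParentProcessId": 740, "Image": r"C:\Windows\SysWOW64\attrib.exe",
     "CommandLine": 'attrib +h +r +s "' + PAYLOAD + '"'},
    {"EventID": 13, "ProcessId": 740, "Image": SAMPLE, "Details": PAYLOAD,
     "TargetObject": "HKU\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2"},
    {"EventID": 13, "ProcessId": 3252, "Image": PAYLOAD, "Details": URL_FILE,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows"},
    {"EventID": 11, "ProcessId": 740, "Image": SAMPLE, "TargetFilename": STARTUP + r"\Windows.lnk"},
    {"EventID": 11, "ProcessId": 3252, "Image": PAYLOAD, "TargetFilename": STARTUP + r"\Windows.exe"},
    # Benign control (constructed, hypothetical vendor): a Run value into Program Files must not fire.
    {"EventID": 13, "ProcessId": 1234, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Program Files\Vendor\Updater.exe"},
]

if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"{f.rule:22} pid={f.pid:<5} {f.detail}")
    print(attribute_to_root(scan(EVENTS), EVENTS))
```

Run as a script it prints the five findings (one attrib hide, two Run values, two Startup drops) and attributes all of them to PID 740, the original sample. The checks deliberately key on where a Run value or Startup entry points rather than on the names Windows/Windows2, since those are trivially changed between builds; the AppData path test is what separates this chain from a legitimately installed autostart.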
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 291KB (hashes match the submitted sample)
MD5: 8b5a798a5aefc7817f4ad1412e69a6ce
SHA1: cef0d699332025e8da7fe747eb69346be932cb9d
SHA256: 36bcbc6f042482039ffd4e6f5c4c83ce5b86394da2506670b86d3d7525f79549
SHA512: 0af6f31e22c82890d5e81424fa2ff7a47d2c98e43d5d3ba4541c045920a536158cdc080f32194ccfb84d1e802be3e5192e5d0bdeb89740fcadca33bf08fefafd

Filesize: 1KB
MD5: 371e9f5c5222743275e228f1b3d27fb1
SHA1: 31b0a7ada0ee8c593d1f7d4b8fa3f830566a5fd6
SHA256: 5684b6a81a92bef5cd5eb049a0e905dc99e7db95d907443f182614b9b48602f1
SHA512: 14f203f243e9c69a3b3e1beaf8599d5cd0f18627e446a3beac78cb611bb4259ffb4c47ece4da3d3ff4ee1dd01aa379b081a3548844070d3b7312f56d22ffc78f

Filesize: 1KB
MD5: a0e21c3cda955b529c05da3ebc737559
SHA1: 7cede9bd6a34b2ddb326c3733057cf76b11e3d45
SHA256: b34c6f792079e84046ce8c2049f6f233e6c235f025770a028dfc8d57bc54af8c
SHA512: e37365ed423d523ca996460ab7adab0a19923906413d22cccde2f1ce144ea25deef5e1a2a6d3cc8580952ebd58438f36f5eb2cb82348e1e3d126fa248d5fc18a