349f818c8c3a633f33ecc50c2b214dcde69681268b1d9e24c03a801f74426818

Analysis

max time kernel
92s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 15:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8caef48540d67a717431ffbe50e37712.exe
Size

34KB
MD5

8caef48540d67a717431ffbe50e37712
SHA1

c541c3116cc8bc0058370e08088519b58bb477f0
SHA256

349f818c8c3a633f33ecc50c2b214dcde69681268b1d9e24c03a801f74426818
SHA512

dabe5679a131c235993b70785d2856852e13a376a2df531cf3d282df7201b14d6331369ec2b0066597edbce5cf2ccfa664562e3b2cbb6494577a4af685bbebd7
SSDEEP

768:7SAQonWy9JTF/lZaNIg2PkO+YkQG3+g0Vixlyxut10y3O/x:7rNWynTpryIgZO4Rug04xeut10aO/x

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	8caef48540d67a717431ffbe50e37712.exe

Executes dropped EXE 1 IoCs

pid	Process
1048	9129837.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttool = "C:\\Windows\\9129837.exe"	8caef48540d67a717431ffbe50e37712.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttool = "C:\\Windows\\9129837.exe"	9129837.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\9129837.exe	8caef48540d67a717431ffbe50e37712.exe
File opened for modification	C:\Windows\9129837.exe	8caef48540d67a717431ffbe50e37712.exe
File created	C:\Windows\hide_evr2.sys	9129837.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1048	9129837.exe
1048	9129837.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3624	8caef48540d67a717431ffbe50e37712.exe
Token: SeDebugPrivilege	1048	9129837.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3624 wrote to memory of 1048	3624	8caef48540d67a717431ffbe50e37712.exe	86
PID 3624 wrote to memory of 1048	3624	8caef48540d67a717431ffbe50e37712.exe	86
PID 3624 wrote to memory of 1048	3624	8caef48540d67a717431ffbe50e37712.exe	86
PID 1048 wrote to memory of 612	1048	9129837.exe	3
PID 1048 wrote to memory of 668	1048	9129837.exe	1
PID 1048 wrote to memory of 776	1048	9129837.exe	8
PID 1048 wrote to memory of 784	1048	9129837.exe	9
PID 1048 wrote to memory of 792	1048	9129837.exe	83
PID 1048 wrote to memory of 900	1048	9129837.exe	82
PID 1048 wrote to memory of 948	1048	9129837.exe	81
PID 1048 wrote to memory of 1020	1048	9129837.exe	10
PID 1048 wrote to memory of 432	1048	9129837.exe	11
PID 1048 wrote to memory of 688	1048	9129837.exe	80
PID 1048 wrote to memory of 892	1048	9129837.exe	79
PID 1048 wrote to memory of 1076	1048	9129837.exe	78
PID 1048 wrote to memory of 1088	1048	9129837.exe	12
PID 1048 wrote to memory of 1096	1048	9129837.exe	13
PID 1048 wrote to memory of 1200	1048	9129837.exe	14
PID 1048 wrote to memory of 1236	1048	9129837.exe	77
PID 1048 wrote to memory of 1268	1048	9129837.exe	76
PID 1048 wrote to memory of 1344	1048	9129837.exe	15
PID 1048 wrote to memory of 1436	1048	9129837.exe	75
PID 1048 wrote to memory of 1472	1048	9129837.exe	74
PID 1048 wrote to memory of 1480	1048	9129837.exe	73
PID 1048 wrote to memory of 1528	1048	9129837.exe	72
PID 1048 wrote to memory of 1604	1048	9129837.exe	16
PID 1048 wrote to memory of 1632	1048	9129837.exe	71
PID 1048 wrote to memory of 1688	1048	9129837.exe	70
PID 1048 wrote to memory of 1728	1048	9129837.exe	69
PID 1048 wrote to memory of 1760	1048	9129837.exe	68
PID 1048 wrote to memory of 1860	1048	9129837.exe	17
PID 1048 wrote to memory of 1868	1048	9129837.exe	67
PID 1048 wrote to memory of 1908	1048	9129837.exe	66
PID 1048 wrote to memory of 1916	1048	9129837.exe	65
PID 1048 wrote to memory of 2016	1048	9129837.exe	64
PID 1048 wrote to memory of 1004	1048	9129837.exe	63
PID 1048 wrote to memory of 1812	1048	9129837.exe	62
PID 1048 wrote to memory of 2080	1048	9129837.exe	61
PID 1048 wrote to memory of 2212	1048	9129837.exe	60
PID 1048 wrote to memory of 2256	1048	9129837.exe	59
PID 1048 wrote to memory of 2264	1048	9129837.exe	18
PID 1048 wrote to memory of 2392	1048	9129837.exe	58
PID 1048 wrote to memory of 2432	1048	9129837.exe	57
PID 1048 wrote to memory of 2520	1048	9129837.exe	56
PID 1048 wrote to memory of 2544	1048	9129837.exe	20
PID 1048 wrote to memory of 2560	1048	9129837.exe	19
PID 1048 wrote to memory of 2568	1048	9129837.exe	55
PID 1048 wrote to memory of 2892	1048	9129837.exe	21
PID 1048 wrote to memory of 2912	1048	9129837.exe	54
PID 1048 wrote to memory of 3044	1048	9129837.exe	52
PID 1048 wrote to memory of 404	1048	9129837.exe	51
PID 1048 wrote to memory of 1644	1048	9129837.exe	50
PID 1048 wrote to memory of 3364	1048	9129837.exe	22
PID 1048 wrote to memory of 3428	1048	9129837.exe	49
PID 1048 wrote to memory of 3596	1048	9129837.exe	48
PID 1048 wrote to memory of 3800	1048	9129837.exe	47
PID 1048 wrote to memory of 3912	1048	9129837.exe	23
PID 1048 wrote to memory of 3980	1048	9129837.exe	24
PID 1048 wrote to memory of 4064	1048	9129837.exe	46
PID 1048 wrote to memory of 3968	1048	9129837.exe	45
PID 1048 wrote to memory of 4644	1048	9129837.exe	25
PID 1048 wrote to memory of 2344	1048	9129837.exe	41
PID 1048 wrote to memory of 2116	1048	9129837.exe	40
PID 1048 wrote to memory of 1468	1048	9129837.exe	39

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:668

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:776
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1020

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1088
- C:\Windows\system32\MusNotification.exe
  C:\Windows\system32\MusNotification.exe
  2⤵
  PID:3124
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1344
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2560

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3364

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3912

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3980

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4644

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:3528

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:1620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:5084

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3808

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:3164

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2608

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2344

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3968

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4064

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3596

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3428
- C:\Users\Admin\AppData\Local\Temp\8caef48540d67a717431ffbe50e37712.exe
  "C:\Users\Admin\AppData\Local\Temp\8caef48540d67a717431ffbe50e37712.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a.bat" "C:\Users\Admin\AppData\Local\Temp\8caef48540d67a717431ffbe50e37712.exe""
    3⤵
    PID:2288
- - C:\Windows\9129837.exe
    "C:\Windows\9129837.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:1644

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2568

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2256

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
PID:2080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:1812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:1004

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2016

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1236

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:792

C:\Windows\system32\WerFault.exe
"C:\Windows\system32\WerFault.exe" -k -lc NDIS NDIS-20240203-1529.dmp
1⤵
PID:4008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a.bat

Filesize
38B

MD5
50a94effec08179504ef46949486ef63

SHA1
c36bcfbc6d85d0ae7b5642655985ecc2ab1f9e1d

SHA256
149194e913c7900de706a6a48db7695059b91fd63ebc75b373355c7009fb62e2

SHA512
095c1914e290377676cfbf07c52fb321d8e51638229810e560447e4db51d2e4dff8bfa870b009029692e12c0b9fe9c1fcf74dde30c3f68297631ff4ea6bbe283

Download Submit
C:\Windows\9129837.exe

Filesize
34KB

MD5
8caef48540d67a717431ffbe50e37712

SHA1
c541c3116cc8bc0058370e08088519b58bb477f0

SHA256
349f818c8c3a633f33ecc50c2b214dcde69681268b1d9e24c03a801f74426818

SHA512
dabe5679a131c235993b70785d2856852e13a376a2df531cf3d282df7201b14d6331369ec2b0066597edbce5cf2ccfa664562e3b2cbb6494577a4af685bbebd7

Download Submit
memory/1048-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1048-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3624-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3624-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3624-13-0x0000000002F40000-0x0000000002F44000-memory.dmp

Filesize
16KB

Download