d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b.exe
Size

883KB
MD5

e971fbdaaa67de4306e72738e3a10392
SHA1

bac689957e126c88435f22ef0b0df10c3b52e1fc
SHA256

d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b
SHA512

bee73df1600df0184876d86f16193bd8c86353ff2608524debf84fad1a52730dfab91186bea5e89d60338f6ee0f007f2ffe2cd11ec9598d4245a3043a023ca34
SSDEEP

12288:Wj6mRlmDKClMfkrPEBuGKw3f+s2geR3VJgx3ZGBnxxSmOMrXJK45d1b:W2a4KCycrPQIo+aePmx6nxxSm1J11

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype.lnk	d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1176	skype.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1176 set thread context of 2204	1176	skype.exe	98
PID 2204 set thread context of 3424	2204	AddInProcess32.exe	60
PID 2204 set thread context of 2700	2204	AddInProcess32.exe	99
PID 2700 set thread context of 3424	2700	svchost.exe	60

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	svchost.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
4712	PING.EXE
4728	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4600	d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b.exe
4152	skype.exe
4152	skype.exe
4152	skype.exe
4152	skype.exe
4152	skype.exe
4152	skype.exe
4152	skype.exe
4152	skype.exe
4152	skype.exe
4152	skype.exe
4152	skype.exe
4152	skype.exe
4152	skype.exe
4152	skype.exe
4152	skype.exe
4152	skype.exe
4152	skype.exe
4152	skype.exe
4152	skype.exe
4152	skype.exe
4152	skype.exe
4152	skype.exe
4152	skype.exe
4152	skype.exe
4152	skype.exe
1176	skype.exe
1176	skype.exe
2204	AddInProcess32.exe
2204	AddInProcess32.exe
2204	AddInProcess32.exe
2204	AddInProcess32.exe
2204	AddInProcess32.exe
2204	AddInProcess32.exe
2204	AddInProcess32.exe
2204	AddInProcess32.exe
2204	AddInProcess32.exe
2204	AddInProcess32.exe
2204	AddInProcess32.exe
2204	AddInProcess32.exe
2204	AddInProcess32.exe
2204	AddInProcess32.exe
2204	AddInProcess32.exe
2204	AddInProcess32.exe
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
2204	AddInProcess32.exe
3424	Explorer.EXE
3424	Explorer.EXE
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4600	d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4600	d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b.exe
Token: SeDebugPrivilege	4152	skype.exe
Token: SeDebugPrivilege	1176	skype.exe
Token: SeDebugPrivilege	2204	AddInProcess32.exe
Token: SeDebugPrivilege	2700	svchost.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 4152	4600	d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b.exe	88
PID 4600 wrote to memory of 4152	4600	d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b.exe	88
PID 4600 wrote to memory of 4152	4600	d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b.exe	88
PID 4152 wrote to memory of 448	4152	skype.exe	90
PID 4152 wrote to memory of 448	4152	skype.exe	90
PID 4152 wrote to memory of 448	4152	skype.exe	90
PID 448 wrote to memory of 4712	448	cmd.exe	92
PID 448 wrote to memory of 4712	448	cmd.exe	92
PID 448 wrote to memory of 4712	448	cmd.exe	92
PID 448 wrote to memory of 4728	448	cmd.exe	95
PID 448 wrote to memory of 4728	448	cmd.exe	95
PID 448 wrote to memory of 4728	448	cmd.exe	95
PID 448 wrote to memory of 1176	448	cmd.exe	96
PID 448 wrote to memory of 1176	448	cmd.exe	96
PID 448 wrote to memory of 1176	448	cmd.exe	96
PID 1176 wrote to memory of 2204	1176	skype.exe	98
PID 1176 wrote to memory of 2204	1176	skype.exe	98
PID 1176 wrote to memory of 2204	1176	skype.exe	98
PID 1176 wrote to memory of 2204	1176	skype.exe	98
PID 1176 wrote to memory of 2204	1176	skype.exe	98
PID 1176 wrote to memory of 2204	1176	skype.exe	98
PID 3424 wrote to memory of 2700	3424	Explorer.EXE	99
PID 3424 wrote to memory of 2700	3424	Explorer.EXE	99
PID 3424 wrote to memory of 2700	3424	Explorer.EXE	99
PID 2700 wrote to memory of 2920	2700	svchost.exe	100
PID 2700 wrote to memory of 2920	2700	svchost.exe	100
PID 2700 wrote to memory of 2920	2700	svchost.exe	100

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Users\Admin\AppData\Local\Temp\d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b.exe
  "C:\Users\Admin\AppData\Local\Temp\d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Users\Admin\AppData\Local\Temp\skype.exe
    "C:\Users\Admin\AppData\Local\Temp\skype.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4152
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 10 > nul && copy "C:\Users\Admin\AppData\Local\Temp\skype.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe" && ping 127.0.0.1 -n 10 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe"
      4⤵
      Drops startup file
      Suspicious use of WriteProcessMemory
      PID:448
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        5⤵
        Runs ping.exe
        
        PID:4712
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        5⤵
        Runs ping.exe
        
        PID:4728
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1176
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\skype.exe.log

Filesize
1KB

MD5
b18bd43958115cd3b7b22e45103c10c5

SHA1
ff9fd020e81b03fd84c878ea24f27e8b41389435

SHA256
67cb85ee85191bd3203adf49b1d0199867ac66f0b114a09a8392d5d5b1dd36d4

SHA512
5101dd146815472c878a05cd345eae6a7f730c2059a368c56673e9c3ec47696e788162f15390b54b4e1d066fd56cae56fc6e8bf7ea6e5af250aaf1e8c8e68c00

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe

Filesize
883KB

MD5
e971fbdaaa67de4306e72738e3a10392

SHA1
bac689957e126c88435f22ef0b0df10c3b52e1fc

SHA256
d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b

SHA512
bee73df1600df0184876d86f16193bd8c86353ff2608524debf84fad1a52730dfab91186bea5e89d60338f6ee0f007f2ffe2cd11ec9598d4245a3043a023ca34

Download Submit
memory/1176-31-0x0000000002600000-0x0000000002610000-memory.dmp

Filesize
64KB

Download
memory/1176-29-0x0000000074730000-0x0000000074EE0000-memory.dmp

Filesize
7.7MB

Download
memory/1176-26-0x0000000002600000-0x0000000002610000-memory.dmp

Filesize
64KB

Download
memory/1176-25-0x0000000002600000-0x0000000002610000-memory.dmp

Filesize
64KB

Download
memory/1176-24-0x0000000074730000-0x0000000074EE0000-memory.dmp

Filesize
7.7MB

Download
memory/1176-23-0x0000000000660000-0x0000000000742000-memory.dmp

Filesize
904KB

Download
memory/1176-33-0x0000000074730000-0x0000000074EE0000-memory.dmp

Filesize
7.7MB

Download
memory/1176-28-0x0000000005200000-0x0000000005206000-memory.dmp

Filesize
24KB

Download
memory/1176-27-0x0000000006A80000-0x0000000006A9A000-memory.dmp

Filesize
104KB

Download
memory/1176-30-0x0000000002600000-0x0000000002610000-memory.dmp

Filesize
64KB

Download
memory/2204-34-0x00000000016C0000-0x0000000001A0A000-memory.dmp

Filesize
3.3MB

Download
memory/2204-32-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2204-42-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2204-43-0x0000000001650000-0x0000000001672000-memory.dmp

Filesize
136KB

Download
memory/2204-37-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2204-35-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2204-36-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2204-38-0x0000000001650000-0x0000000001672000-memory.dmp

Filesize
136KB

Download
memory/2700-40-0x0000000000B30000-0x0000000000B66000-memory.dmp

Filesize
216KB

Download
memory/2700-50-0x0000000000B30000-0x0000000000B66000-memory.dmp

Filesize
216KB

Download
memory/2700-45-0x0000000000B30000-0x0000000000B66000-memory.dmp

Filesize
216KB

Download
memory/2700-41-0x0000000000B30000-0x0000000000B66000-memory.dmp

Filesize
216KB

Download
memory/2700-46-0x00000000016F0000-0x0000000001791000-memory.dmp

Filesize
644KB

Download
memory/2700-44-0x0000000001800000-0x0000000001B4A000-memory.dmp

Filesize
3.3MB

Download
memory/2700-57-0x00000000016F0000-0x0000000001791000-memory.dmp

Filesize
644KB

Download
memory/3424-49-0x0000000008EE0000-0x0000000009000000-memory.dmp

Filesize
1.1MB

Download
memory/3424-48-0x0000000008EE0000-0x0000000009000000-memory.dmp

Filesize
1.1MB

Download
memory/3424-47-0x000000000CF60000-0x000000000D53B000-memory.dmp

Filesize
5.9MB

Download
memory/3424-39-0x000000000CF60000-0x000000000D53B000-memory.dmp

Filesize
5.9MB

Download
memory/3424-58-0x0000000008EE0000-0x0000000009000000-memory.dmp

Filesize
1.1MB

Download
memory/4152-16-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4152-11-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4152-13-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/4152-14-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/4600-7-0x0000000005770000-0x000000000577A000-memory.dmp

Filesize
40KB

Download
memory/4600-1-0x00000000006E0000-0x00000000007C2000-memory.dmp

Filesize
904KB

Download
memory/4600-2-0x0000000005150000-0x00000000051EC000-memory.dmp

Filesize
624KB

Download
memory/4600-0-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4600-3-0x0000000005830000-0x0000000005DD4000-memory.dmp

Filesize
5.6MB

Download
memory/4600-4-0x0000000005320000-0x00000000053B2000-memory.dmp

Filesize
584KB

Download
memory/4600-5-0x00000000054D0000-0x00000000054E0000-memory.dmp

Filesize
64KB

Download
memory/4600-6-0x00000000055E0000-0x0000000005624000-memory.dmp

Filesize
272KB

Download
memory/4600-9-0x00000000078D0000-0x0000000007DFC000-memory.dmp

Filesize
5.2MB

Download
memory/4600-12-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download