d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 05:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b.exe
Size

883KB
MD5

e971fbdaaa67de4306e72738e3a10392
SHA1

bac689957e126c88435f22ef0b0df10c3b52e1fc
SHA256

d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b
SHA512

bee73df1600df0184876d86f16193bd8c86353ff2608524debf84fad1a52730dfab91186bea5e89d60338f6ee0f007f2ffe2cd11ec9598d4245a3043a023ca34
SSDEEP

12288:Wj6mRlmDKClMfkrPEBuGKw3f+s2geR3VJgx3ZGBnxxSmOMrXJK45d1b:W2a4KCycrPQIo+aePmx6nxxSm1J11

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype.lnk	d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b.exe

Executes dropped EXE 1 IoCs

pid	Process
3884	skype.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3884 set thread context of 4012	3884	skype.exe	98
PID 4012 set thread context of 3444	4012	AddInProcess32.exe	40
PID 4012 set thread context of 368	4012	AddInProcess32.exe	99
PID 368 set thread context of 3444	368	rundll32.exe	40

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1300	PING.EXE
4856	PING.EXE

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
3260	d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b.exe
3248	skype.exe
3248	skype.exe
3248	skype.exe
3248	skype.exe
3248	skype.exe
3248	skype.exe
3248	skype.exe
3248	skype.exe
3248	skype.exe
3248	skype.exe
3248	skype.exe
3248	skype.exe
3248	skype.exe
3248	skype.exe
3248	skype.exe
3248	skype.exe
3248	skype.exe
3248	skype.exe
3248	skype.exe
3248	skype.exe
3248	skype.exe
3248	skype.exe
3248	skype.exe
3248	skype.exe
3248	skype.exe
3884	skype.exe
3884	skype.exe
4012	AddInProcess32.exe
4012	AddInProcess32.exe
4012	AddInProcess32.exe
4012	AddInProcess32.exe
4012	AddInProcess32.exe
4012	AddInProcess32.exe
4012	AddInProcess32.exe
4012	AddInProcess32.exe
4012	AddInProcess32.exe
4012	AddInProcess32.exe
4012	AddInProcess32.exe
4012	AddInProcess32.exe
4012	AddInProcess32.exe
4012	AddInProcess32.exe
4012	AddInProcess32.exe
4012	AddInProcess32.exe
368	rundll32.exe
368	rundll32.exe
368	rundll32.exe
368	rundll32.exe
368	rundll32.exe
368	rundll32.exe
368	rundll32.exe
368	rundll32.exe
368	rundll32.exe
368	rundll32.exe
368	rundll32.exe
368	rundll32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
4012	AddInProcess32.exe
3444	Explorer.EXE
3444	Explorer.EXE
368	rundll32.exe
368	rundll32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3260	d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3260	d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b.exe
Token: SeDebugPrivilege	3248	skype.exe
Token: SeDebugPrivilege	3884	skype.exe
Token: SeDebugPrivilege	4012	AddInProcess32.exe
Token: SeDebugPrivilege	368	rundll32.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 3248	3260	d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b.exe	88
PID 3260 wrote to memory of 3248	3260	d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b.exe	88
PID 3260 wrote to memory of 3248	3260	d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b.exe	88
PID 3248 wrote to memory of 4472	3248	skype.exe	92
PID 3248 wrote to memory of 4472	3248	skype.exe	92
PID 3248 wrote to memory of 4472	3248	skype.exe	92
PID 4472 wrote to memory of 1300	4472	cmd.exe	94
PID 4472 wrote to memory of 1300	4472	cmd.exe	94
PID 4472 wrote to memory of 1300	4472	cmd.exe	94
PID 4472 wrote to memory of 4856	4472	cmd.exe	96
PID 4472 wrote to memory of 4856	4472	cmd.exe	96
PID 4472 wrote to memory of 4856	4472	cmd.exe	96
PID 4472 wrote to memory of 3884	4472	cmd.exe	97
PID 4472 wrote to memory of 3884	4472	cmd.exe	97
PID 4472 wrote to memory of 3884	4472	cmd.exe	97
PID 3884 wrote to memory of 4012	3884	skype.exe	98
PID 3884 wrote to memory of 4012	3884	skype.exe	98
PID 3884 wrote to memory of 4012	3884	skype.exe	98
PID 3884 wrote to memory of 4012	3884	skype.exe	98
PID 3884 wrote to memory of 4012	3884	skype.exe	98
PID 3884 wrote to memory of 4012	3884	skype.exe	98
PID 3444 wrote to memory of 368	3444	Explorer.EXE	99
PID 3444 wrote to memory of 368	3444	Explorer.EXE	99
PID 3444 wrote to memory of 368	3444	Explorer.EXE	99

C:\Users\Admin\AppData\Local\Temp\d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b.exe
"C:\Users\Admin\AppData\Local\Temp\d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Users\Admin\AppData\Local\Temp\skype.exe
  "C:\Users\Admin\AppData\Local\Temp\skype.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3248
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c ping 127.0.0.1 -n 13 > nul && copy "C:\Users\Admin\AppData\Local\Temp\skype.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe" && ping 127.0.0.1 -n 13 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe"
    3⤵
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    PID:4472
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 13
      4⤵
      Runs ping.exe
      PID:1300
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 13
      4⤵
      Runs ping.exe
      PID:4856
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3884
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\skype.exe.log

Filesize
1KB

MD5
b18bd43958115cd3b7b22e45103c10c5

SHA1
ff9fd020e81b03fd84c878ea24f27e8b41389435

SHA256
67cb85ee85191bd3203adf49b1d0199867ac66f0b114a09a8392d5d5b1dd36d4

SHA512
5101dd146815472c878a05cd345eae6a7f730c2059a368c56673e9c3ec47696e788162f15390b54b4e1d066fd56cae56fc6e8bf7ea6e5af250aaf1e8c8e68c00

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe

Filesize
883KB

MD5
e971fbdaaa67de4306e72738e3a10392

SHA1
bac689957e126c88435f22ef0b0df10c3b52e1fc

SHA256
d174a885ddd228e34d9e7086b97062694c0f828edc0d4cc37150519407e09f5b

SHA512
bee73df1600df0184876d86f16193bd8c86353ff2608524debf84fad1a52730dfab91186bea5e89d60338f6ee0f007f2ffe2cd11ec9598d4245a3043a023ca34

Download Submit
memory/368-39-0x00000000004C0000-0x00000000004F6000-memory.dmp

Filesize
216KB

Download
memory/368-40-0x00000000004C0000-0x00000000004F6000-memory.dmp

Filesize
216KB

Download
memory/368-43-0x0000000002630000-0x000000000297A000-memory.dmp

Filesize
3.3MB

Download
memory/368-44-0x00000000004C0000-0x00000000004F6000-memory.dmp

Filesize
216KB

Download
memory/368-45-0x00000000022C0000-0x0000000002361000-memory.dmp

Filesize
644KB

Download
memory/3248-12-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download
memory/3248-14-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download
memory/3248-11-0x0000000074B40000-0x00000000752F0000-memory.dmp

Filesize
7.7MB

Download
memory/3248-16-0x0000000074B40000-0x00000000752F0000-memory.dmp

Filesize
7.7MB

Download
memory/3260-7-0x0000000005500000-0x000000000550A000-memory.dmp

Filesize
40KB

Download
memory/3260-13-0x0000000074B40000-0x00000000752F0000-memory.dmp

Filesize
7.7MB

Download
memory/3260-9-0x0000000007750000-0x0000000007C7C000-memory.dmp

Filesize
5.2MB

Download
memory/3260-6-0x0000000005220000-0x0000000005264000-memory.dmp

Filesize
272KB

Download
memory/3260-5-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/3260-4-0x0000000005170000-0x0000000005202000-memory.dmp

Filesize
584KB

Download
memory/3260-3-0x0000000005680000-0x0000000005C24000-memory.dmp

Filesize
5.6MB

Download
memory/3260-0-0x0000000074B40000-0x00000000752F0000-memory.dmp

Filesize
7.7MB

Download
memory/3260-2-0x0000000004FB0000-0x000000000504C000-memory.dmp

Filesize
624KB

Download
memory/3260-1-0x0000000000B30000-0x0000000000C12000-memory.dmp

Filesize
904KB

Download
memory/3444-38-0x000000000E570000-0x0000000010DEC000-memory.dmp

Filesize
40.5MB

Download
memory/3444-46-0x000000000E570000-0x0000000010DEC000-memory.dmp

Filesize
40.5MB

Download
memory/3884-27-0x0000000006F70000-0x0000000006F8A000-memory.dmp

Filesize
104KB

Download
memory/3884-26-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/3884-23-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/3884-33-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/3884-24-0x0000000000570000-0x0000000000652000-memory.dmp

Filesize
904KB

Download
memory/3884-25-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/3884-31-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/3884-28-0x0000000006F10000-0x0000000006F16000-memory.dmp

Filesize
24KB

Download
memory/3884-30-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/3884-29-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/4012-36-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4012-42-0x00000000038E0000-0x0000000003902000-memory.dmp

Filesize
136KB

Download
memory/4012-41-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4012-37-0x00000000038E0000-0x0000000003902000-memory.dmp

Filesize
136KB

Download
memory/4012-35-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4012-34-0x0000000000B10000-0x0000000000E5A000-memory.dmp

Filesize
3.3MB

Download
memory/4012-32-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download