b756f04d1cd713bb11d5ae1032f8e8580d7cb11ad9e58f0219c9a9fb02c20d42

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 04:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b756f04d1cd713bb11d5ae1032f8e8580d7cb11ad9e58f0219c9a9fb02c20d42.exe
Size

1.1MB
MD5

fe92fd358fb079b60a6a38bf212e8b76
SHA1

f26e19331f124564c89d091733267ac261265c69
SHA256

b756f04d1cd713bb11d5ae1032f8e8580d7cb11ad9e58f0219c9a9fb02c20d42
SHA512

642f979d05c4c099f0322de6d6d086153d174ec875714e99063fec6f316c95e3f6731c1225ff1487d58dd35b723a4609905341da9c25a2277c1fb834e44f4588
SSDEEP

24576:qxCiG4tPQ1OgCwH1Wz3rhbNyeAjykZUDwHob0mtI:0CiGL1Og23rhxyeAOkun0mtI

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	b756f04d1cd713bb11d5ae1032f8e8580d7cb11ad9e58f0219c9a9fb02c20d42.exe

Executes dropped EXE 1 IoCs

pid	Process
3984	Immigrants.pif

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1712	tasklist.exe
4816	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
848	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3984	Immigrants.pif
3984	Immigrants.pif
3984	Immigrants.pif
3984	Immigrants.pif
3984	Immigrants.pif
3984	Immigrants.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	tasklist.exe
Token: SeDebugPrivilege	4816	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3984	Immigrants.pif
3984	Immigrants.pif
3984	Immigrants.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3984	Immigrants.pif
3984	Immigrants.pif
3984	Immigrants.pif

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 4684	1104	b756f04d1cd713bb11d5ae1032f8e8580d7cb11ad9e58f0219c9a9fb02c20d42.exe	86
PID 1104 wrote to memory of 4684	1104	b756f04d1cd713bb11d5ae1032f8e8580d7cb11ad9e58f0219c9a9fb02c20d42.exe	86
PID 1104 wrote to memory of 4684	1104	b756f04d1cd713bb11d5ae1032f8e8580d7cb11ad9e58f0219c9a9fb02c20d42.exe	86
PID 4684 wrote to memory of 1712	4684	cmd.exe	87
PID 4684 wrote to memory of 1712	4684	cmd.exe	87
PID 4684 wrote to memory of 1712	4684	cmd.exe	87
PID 4684 wrote to memory of 3856	4684	cmd.exe	88
PID 4684 wrote to memory of 3856	4684	cmd.exe	88
PID 4684 wrote to memory of 3856	4684	cmd.exe	88
PID 4684 wrote to memory of 4816	4684	cmd.exe	91
PID 4684 wrote to memory of 4816	4684	cmd.exe	91
PID 4684 wrote to memory of 4816	4684	cmd.exe	91
PID 4684 wrote to memory of 5008	4684	cmd.exe	90
PID 4684 wrote to memory of 5008	4684	cmd.exe	90
PID 4684 wrote to memory of 5008	4684	cmd.exe	90
PID 4684 wrote to memory of 1216	4684	cmd.exe	92
PID 4684 wrote to memory of 1216	4684	cmd.exe	92
PID 4684 wrote to memory of 1216	4684	cmd.exe	92
PID 4684 wrote to memory of 5088	4684	cmd.exe	96
PID 4684 wrote to memory of 5088	4684	cmd.exe	96
PID 4684 wrote to memory of 5088	4684	cmd.exe	96
PID 4684 wrote to memory of 2128	4684	cmd.exe	93
PID 4684 wrote to memory of 2128	4684	cmd.exe	93
PID 4684 wrote to memory of 2128	4684	cmd.exe	93
PID 4684 wrote to memory of 3984	4684	cmd.exe	94
PID 4684 wrote to memory of 3984	4684	cmd.exe	94
PID 4684 wrote to memory of 3984	4684	cmd.exe	94
PID 4684 wrote to memory of 848	4684	cmd.exe	95
PID 4684 wrote to memory of 848	4684	cmd.exe	95
PID 4684 wrote to memory of 848	4684	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\b756f04d1cd713bb11d5ae1032f8e8580d7cb11ad9e58f0219c9a9fb02c20d42.exe
"C:\Users\Admin\AppData\Local\Temp\b756f04d1cd713bb11d5ae1032f8e8580d7cb11ad9e58f0219c9a9fb02c20d42.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k move Guest Guest.bat & Guest.bat & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1712
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
    3⤵
    PID:3856
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa.exe opssvc.exe"
    3⤵
    PID:5008
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4816
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 7204
    3⤵
    PID:1216
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Viking + Chaos + Participated 7204\Z
    3⤵
    PID:2128
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7204\Immigrants.pif
    7204\Immigrants.pif 7204\Z
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3984
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 localhost
    3⤵
    - Runs ping.exe
    PID:848
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Earn + Program + Asset + Reserve + Slowly 7204\Immigrants.pif
    3⤵
    PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7204\Immigrants.pif

Filesize
192KB

MD5
0913c70a2adf107fdc15ee1d956be459

SHA1
ab4e49e9e3e611a2ec9054ce36507f6dc96caa93

SHA256
d47fe9ee5cacb1f3fffa6c30e8de481c1663f2523fce9b4017dd8eb7a92d2c9e

SHA512
49940d4680bcc3a888f4db09f3cb35c5a1085e8ca9f241b70f5486a184bf80445ff9bab519f7098ece3faea57a01d9e5881585c37d390f3394f603152b196322

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7204\Immigrants.pif

Filesize
331KB

MD5
2ead06adfbfe0ae5793a4c10c1d6acc5

SHA1
db28585e1587a234c5c91ed39c6b264117a30ce4

SHA256
85871dbbedf9b223fc99042a7a15903100b6b5114306ee7fdfee93a3f02ecbab

SHA512
ca3b43549aef2650bfd783f45d6577b1f90d67e7c37c64b56a034fe1d94e0af3598caab5bb947fb81aa8422122720d63230e1ac895ce0751f6fa14dd4cb0a22a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7204\Z

Filesize
294KB

MD5
f2648f14c155770a4b9da446cf0fcbcc

SHA1
f096833e1ac6285d10d72db0b4795d5a8fc75548

SHA256
0c2f50beede6b99f45ac1e8c2ed174df3ee9c60e94e2424d704f77e4b25f7d7f

SHA512
fb443ca494304d771c692ba13b3857bdf7865701b2e34a723583579dc564fa6e08356419741a7ea8489f449c0e0b3227f634e5b200615fafb28bb0b9964ef90e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Asset

Filesize
149KB

MD5
8ac1baefdc2ded378686004cb4fff9e1

SHA1
d0a34045d2cfa3b7cac9e89cbcaeb93a5f84d01a

SHA256
5249e4b2628e7d35a52bd49445883b5e0b11efde03c508aa6c026c87cf6b2ac8

SHA512
2a3dba0bf40c27174a9958496b5fd8f7221763f6e9b44fc4282fd7ae720c313289048f419e0ffbd4ed74831bd201c7658c14649f9a1ff00869efa7f448286dbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chaos

Filesize
274KB

MD5
976f4d8ea6d739b81dfdb4c1108290c3

SHA1
aae0a98e87ec6ea53162f50dc7cfbbc2ac3b4e5e

SHA256
dc425304584e9452af008c8f595ccc2250badac89c161e805dec407da1287c3f

SHA512
117238c5fc8e63d444cfa7ca40db6ca3aea47d296db5b43bc7345d7758cbd016c2bb167431faf28397d45845cdba64a2e687e9d64cae9d25c2a047298e96cbb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Earn

Filesize
242KB

MD5
3dc2a9b76a1d6565091a348e2b1f8751

SHA1
79565e6821e0f4c1a8d28494365d3b3deb354140

SHA256
acf6ace5d4162c30d687204df636013d66167a1a01af56e7c2721fe32a156558

SHA512
ae6861c940bb3609d361e043f73c54882091adb1de34e8217b5787639fb7035e6d358cd2418e1c967c97886193ec9a54c95b9ea9fb681b18a6c682897e24656d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Guest

Filesize
12KB

MD5
501aca372cb3df2ad5581521fd1e67d5

SHA1
f63c4e28c7acded78b9d29d55cee98bb7b869229

SHA256
a8ed85ff54eaf2817cde494e8260069c14366edfc42358f057df6382a77da0f1

SHA512
696ae629e0ed5a353fdba3521a45e33b013ffb12d274e90ea96ce271e8c6e660280eb437140f5eec1e617cdb41be220d1a1cb39b476bbba229857cd42fb8242a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Participated

Filesize
108KB

MD5
70e099c6462c8ef9dbec213f5ce0496f

SHA1
f9fed8482e75329372eda0ec5ef5d9b228a7ffd5

SHA256
b84d99acccf17a6ca04803a2a3d8f115b610b6ee3ddf86353b79fc88748c037c

SHA512
e8176abb52afb32d962eca35ee756c99eef3592fcda2f3f3853392e8f6258ec027a20f48e8a1ca23e22494369efc091de6bf8ad636fdccd39a1eefa58acf611e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Program

Filesize
176KB

MD5
0b6b9db466bb6f816784ee7380ea9572

SHA1
fa236a7c914ece18bce4e9538f7497df17a214ed

SHA256
ba01cc5b82a5ccb4087e3e430c6ede046c336a071e768300ccd976422da83847

SHA512
670ee24b2b98dbe8eda5bac654de21d759786f4eb797bda9ac5848102f2a652463c45a518ca92adf3351e0efd5e0c4947226effeb164fdc10306584781267507

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Reserve

Filesize
183KB

MD5
6145b2986f61b8dd11c301bc6b0279db

SHA1
d2142316774e6e920ec594071de22b48ca30630c

SHA256
e8ac10eda692a57273edcdecd449fdd8f37d6fea1f17829811ba46148ae3dc49

SHA512
4ee8a582c7a334063703393fb690fd48fef12eb631de2643efe4a7fde6b5a599de754043159bf0f42dca4235b4a0d68f38cf0a9f34ea3c6232c78662d3a0daf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Slowly

Filesize
174KB

MD5
7cef207172cbdf6768101f8a2602f787

SHA1
20e50bd7257e773fab11928da0a6500693fbad11

SHA256
6c3482c9f62da91208f4f67fe2a41211f8a2a7929bfda4841495d20d29bf1e9c

SHA512
42e38ae3e936cadbb6b4d0eb013977bcbe3c80a9a44fd22f49ec1ba593625a4146122941e3b90f3a4c20680eb50d074607086cc1f52a851f4e5ae2eaf0ce44f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Viking

Filesize
433KB

MD5
d2241c8bced7ee96287bc6e8b0deb59d

SHA1
e8c360585688cea64381f827950d302b6faebc94

SHA256
f11bbadb34467256d62f93ffc984813a7360dd52598937078916f9f1e8c10aa2

SHA512
50e7116a121ab71ec008229a9ddfa5b95092909c791575385c5db2a465a457ca83e77acc03107f8d9e3bc6a0e998d15a03705c5f890b680efe50cd3d89d3f5d3

Download Submit
memory/3984-32-0x0000000076F41000-0x0000000077061000-memory.dmp

Filesize
1.1MB

Download
memory/3984-34-0x0000000004320000-0x0000000004321000-memory.dmp

Filesize
4KB

Download
memory/3984-35-0x0000000004AE0000-0x0000000004B5B000-memory.dmp

Filesize
492KB

Download
memory/3984-36-0x0000000004AE0000-0x0000000004B5B000-memory.dmp

Filesize
492KB

Download
memory/3984-37-0x0000000004AE0000-0x0000000004B5B000-memory.dmp

Filesize
492KB

Download
memory/3984-38-0x0000000004AE0000-0x0000000004B5B000-memory.dmp

Filesize
492KB

Download
memory/3984-39-0x0000000004AE0000-0x0000000004B5B000-memory.dmp

Filesize
492KB

Download
memory/3984-40-0x0000000004AE0000-0x0000000004B5B000-memory.dmp

Filesize
492KB

Download
memory/3984-41-0x0000000004AE0000-0x0000000004B5B000-memory.dmp

Filesize
492KB

Download