Overview

overview

8

Static

static

3

injector.exe

windows10-1703-x64

8

injector.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    137s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/02/2024, 17:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    injector.exe

  • Size

    507KB

  • MD5

    d2ce96fcc35f20e4707697b98912d1a3

  • SHA1

    b8f4d065d36a6c3f96d2f75f673944874f8302b7

  • SHA256

    c4ff79e810552e4191894285875fe01c9c7b957c7d76228cdbeeb1b2132338ba

  • SHA512

    4cda92e11838c1f6bacf2e0597c321678e00a7171761c2a9f5e25edfc66a7e458533e0ba646715e99962440dd9551f0d4897e1bac0860b09147565b00f036e45

  • SSDEEP

    6144:oG0Sx4x1VJswRYC8baxFIl+DJQATVbohlDOJh67V4CWWlI+8NyxNX2NnRI/d:Wi44wRrEl+DJLdo6az1mNRi

Score
8/10
persistence

Malware Config

Signatures

  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\injector.exe
    "C:\Users\Admin\AppData\Local\Temp\injector.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4936
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
        PID:3560
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c color 9
        2⤵
          PID:4864
        • C:\Windows\SoftwareDistribution\Download\k0dgm.exe
          "C:\Windows\SoftwareDistribution\Download\k0dgm.exe"
          2⤵
          • Sets service image path in registry
          • Executes dropped EXE
          • Suspicious behavior: LoadsDriver
          • Suspicious use of AdjustPrivilegeToken
          PID:2696

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SoftwareDistribution\Download\k0dgm.exe
        Filesize

        100KB

        MD5

        9886a738e05f8a8fe04e9d0c81cc0909

        SHA1

        f659c6a123eb11f6f34f618265dbd54a9aa7f5e3

        SHA256

        abf99bd1d851c4c7015b999e81fb080e7e1147973e6a3a77c8ba7895cc8abbb6

        SHA512

        0d3b9e9a1a38efe1e963b929a33a8a13d4636d8056ab04fce958333db983b9fb401946c9b6990d18e9c2e2d4c2dbd2fb6aae5385e4234a5d86ef8adb98d56a21

        Download Submit