Analysis

- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/02/2024, 05:38
Static task: static1
Behavioral task behavioral1: sample a113e103d28318c83c0d625de33e089b.exe, resource win7-20240221-en
Behavioral task behavioral2: sample a113e103d28318c83c0d625de33e089b.exe, resource win10v2004-20240221-en

The metadata above, the signatures and the process tree on this page all belong to behavioral2, the Windows 10 2004 x64 run; the memory-dump names below carry the behavioral2 prefix.
General

- Target: a113e103d28318c83c0d625de33e089b.exe
- Size: 488KB
- MD5: a113e103d28318c83c0d625de33e089b
- SHA1: 023dc01fcf484ee6f23fa7f7e943a78528b5ee21
- SHA256: 051ca838d355275a998d6e3153244826c7c2fe090e775cd99063ddcce30277a5
- SHA512: b664d85b93807c0feb7e1f9449dd505c62176786c86ddf5ddf497a8804d424fe8b30ef9a05aa298d48409fccdbbfb38dc2a0f4375de6c35f420203c850561fc8
- SSDEEP: 6144:l3H5tJ9MUsdOKKqLkMqIKdueMAgl7Qf2NaSUO9FsLeWhDER:l3HR79yVqIKseiukQOTsJh4R
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\After.exe"  [process: a113e103d28318c83c0d625de33e089b.exe]
  The stock value holds userinit.exe alone; appending a second program to this comma-separated list makes Winlogon start it at every interactive logon, and because the write lands under HKLM it applies to every user on the machine.
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate  [process: a113e103d28318c83c0d625de33e089b.exe]
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate  [process: After.exe]
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, most likely for a geofence (the value is a numeric GEOID, not a country name).
  Key value queried: \REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation  [process: a113e103d28318c83c0d625de33e089b.exe]
- Executes dropped EXE (2 IoCs)
  PID 3572: After.exe
  PID 4324: After.exe
- YARA rule upx matched on memory dumps (29 IoCs, behavioral2)
  The same 0x0000000000400000-0x00000000004B5000 image region of the two hollowed processes matched on every dump taken:
  PID 3912: behavioral2/memory/3912-{2,4,5,6,7,9,71}-0x0000000000400000-0x00000000004B5000-memory.dmp
  PID 4324: behavioral2/memory/4324-{78,80,81,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101}-0x0000000000400000-0x00000000004B5000-memory.dmp
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nightmob = "C:\\Users\\Admin\\Documents\\After.exe"  [process: a113e103d28318c83c0d625de33e089b.exe]
- Maps connected drives based on registry (3 TTPs, 4 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  [process: a113e103d28318c83c0d625de33e089b.exe]
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\nu  [process: a113e103d28318c83c0d625de33e089b.exe]
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  [process: After.exe]
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\nu  [process: After.exe]
- Suspicious use of SetThreadContext (2 IoCs)
  PID 2808 (a113e103d28318c83c0d625de33e089b.exe) set thread context of PID 3912  [target procid 89]
  PID 3572 (After.exe) set thread context of PID 4324  [target procid 96]
  In both cases the target is a freshly spawned child running the parent's own image. Together with the WriteProcessMemory entries below this is the standard process-hollowing sequence: start a suspended copy, overwrite its image, point the main thread at the new entry point with SetThreadContext and resume it.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 8 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  [process: After.exe]
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  [process: After.exe]
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  [process: After.exe]
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  [process: After.exe]
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  [process: a113e103d28318c83c0d625de33e089b.exe]
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  [process: a113e103d28318c83c0d625de33e089b.exe]
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  [process: a113e103d28318c83c0d625de33e089b.exe]
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  [process: a113e103d28318c83c0d625de33e089b.exe]
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  [process: After.exe]
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  [process: a113e103d28318c83c0d625de33e089b.exe]
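The BIOS, disk, processor and system-identifier reads above are all values that commodity anti-VM code compares against hypervisor strings, so the useful question for an analyst is whether the lab image leaks any of them. The script below is an added example for this page, not code from Triage or from the sample: it takes the exact HKLM paths the report lists and reports every value containing a known hypervisor marker, and on a Windows host it can read the live values itself. The marker list is an assumption, the two value sets used to exercise it are constructed, and the Geo\Nation read (a numeric GEOID used for geofencing) is deliberately left out because it identifies a country, not a sandbox.

```python
"""Check the registry values this sample reads for sandbox detection
(SystemBiosDate, CentralProcessor\0 strings, System\Identifier and the
Disk\Enum entries) against hypervisor strings that off-the-shelf anti-VM
code looks for.  Added example for this page, not Triage's or the sample's
code; VM_MARKERS is an assumed list."""
import sys

# Substrings that give away a virtual machine in the values below.
# Assumed list of common markers; "virtual" also catches Hyper-V's
# "Virtual Machine" strings, so expect the odd false positive.
VM_MARKERS = ("vbox", "virtualbox", "vmware", "qemu", "kvm", "xen",
              "virtual", "bochs", "parallels", "hyper-v")

# HKLM-relative paths exactly as the report lists them.
WATCHED = (
    r"HARDWARE\DESCRIPTION\System\SystemBiosDate",
    r"HARDWARE\DESCRIPTION\System\Identifier",
    r"HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString",
    r"HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier",
    r"HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier",
    r"SYSTEM\ControlSet001\Services\Disk\Enum",
)


def vm_hits(values: dict) -> list:
    """Return (path, value, marker) for every watched value that contains a
    hypervisor marker.  `values` maps an HKLM-relative path to a string, or
    to a list of strings for Disk\Enum, which holds one entry per disk."""
    watched = tuple(w.lower() for w in WATCHED)
    hits = []
    for path, data in values.items():
        if not path.lower().startswith(watched):
            continue
        items = data if isinstance(data, (list, tuple)) else [data]
        for item in items:
            low = str(item).lower()
            for marker in VM_MARKERS:
                if marker in low:
                    hits.append((path, str(item), marker))
                    break
    return hits


def read_live() -> dict:
    """Collect the watched values from the running Windows host, in the
    shape vm_hits() expects; returns {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg
    out = {}
    for path in WATCHED:
        try:
            if path.endswith(r"Disk\Enum"):
                # Disk\Enum stores a Count value plus one value per index.
                with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as k:
                    count = int(winreg.QueryValueEx(k, "Count")[0])
                    out[path] = [str(winreg.QueryValueEx(k, str(i))[0])
                                 for i in range(count)]
            else:
                key, name = path.rsplit("\\", 1)
                with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
                    out[path] = str(winreg.QueryValueEx(k, name)[0])
        except OSError:
            continue          # value absent on this build; skip it
    return out


# Constructed sample input: a VirtualBox-style lab image whose CPU and
# BIOS strings look clean but whose disk enumeration still names the vendor.
LAB_IMAGE = {
    r"HARDWARE\DESCRIPTION\System\SystemBiosDate": "12/01/2006",
    r"HARDWARE\DESCRIPTION\System\Identifier": "AT/AT COMPATIBLE",
    r"HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString":
        "Intel(R) Core(TM) i7-9700 CPU @ 3.00GHz",
    r"HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier": "GenuineIntel",
    r"SYSTEM\ControlSet001\Services\Disk\Enum":
        ["IDE\\DiskVBOX_HARDDISK___________________________1.0_____\\5&1a2b3c4d&0&0.0.0"],
}


if __name__ == "__main__":
    for path, value, marker in vm_hits(read_live() or LAB_IMAGE):
        print(f"{marker!r} in {path}: {value}")
```

Anything vm_hits reports is a string this sample (or any sample using the same checks) can read with nothing more than RegQueryValueEx, so it is the first thing to rename or patch in the lab image. The absence of hits is not proof of stealth: the same family of checks also looks at SystemBiosDate values that match a hypervisor's default BIOS build, at disk sizes and at the Enum count itself, none of which a substring list covers.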
- Modifies registry class (1 IoC)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  [process: a113e103d28318c83c0d625de33e089b.exe]
  The WOW6432Node path, like the SysWOW64 children in the process tree, shows the sample is a 32-bit executable running under WOW64 on the x64 image.
- Runs ping.exe (1 TTP, 1 IoC)
  PID 548: ping.exe
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  PID 3912 (a113e103d28318c83c0d625de33e089b.exe) enabled: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  PID 4324 (After.exe) enabled the same 24 privileges.
  Asking for the entire set rather than a targeted SeDebugPrivilege is consistent with a routine that enables every privilege present in the token. The four numeric entries are privilege values the sandbox did not resolve to names; 33 through 36 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege.
- Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 2808: a113e103d28318c83c0d625de33e089b.exe
  PID 3572: After.exe
  PID 4324: After.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  PID 2808 (a113e103d28318c83c0d625de33e089b.exe) wrote to memory of PID 3912: 8 times  [target procid 89]
  PID 3912 (a113e103d28318c83c0d625de33e089b.exe) wrote to memory of PID 4372: 3 times  [target procid 92]
  PID 3912 (a113e103d28318c83c0d625de33e089b.exe) wrote to memory of PID 3572: 3 times  [target procid 93]
  PID 3912 (a113e103d28318c83c0d625de33e089b.exe) wrote to memory of PID 548: 3 times  [target procid 94]
  PID 3572 (After.exe) wrote to memory of PID 4324: 8 times  [target procid 96]
  Three writes into a child is the footprint of CreateProcess itself, where the parent fills in the new process's startup parameters, so 4372, 3572 and 548 were merely started. The eight writes into 3912 and 4324 go to the two children that also receive SetThreadContext: those are the hollowed copies.
Processes

C:\Users\Admin\AppData\Local\Temp\a113e103d28318c83c0d625de33e089b.exe  [level 1, PID 2808]
  command line: "C:\Users\Admin\AppData\Local\Temp\a113e103d28318c83c0d625de33e089b.exe"
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\a113e103d28318c83c0d625de33e089b.exe  [level 2, PID 3912, parent 2808]
    command line: C:\Users\Admin\AppData\Local\Temp\a113e103d28318c83c0d625de33e089b.exe
    - Modifies WinLogon for persistence
    - Checks BIOS information in registry
    - Checks computer location settings
    - Adds Run key to start application
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\explorer.exe  [level 3, PID 4372, parent 3912]
      command line: "C:\Windows\SysWOW64\explorer.exe"
      (no flagged behaviour)

    C:\Users\Admin\Documents\After.exe  [level 3, PID 3572, parent 3912]
      command line: "C:\Users\Admin\Documents\After.exe"
      - Executes dropped EXE
      - Maps connected drives based on registry
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\Documents\After.exe  [level 4, PID 4324, parent 3572]
        command line: C:\Users\Admin\Documents\After.exe
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\ping.exe  [level 3, PID 548, parent 3912]
      command line: ping 127.0.0.1 -n 5 > NUL del "C:\Users\Admin\AppData\Local\Temp\a113e103d28318c83c0d625de33e089b.exe"
      - Runs ping.exe

Reading the tree top to bottom: the first instance (2808) starts a second copy of its own image (3912) and hollows it, which is why the persistence writes, the anti-sandbox registry reads and the privilege enabling are all attributed to 3912 and not to the process that was launched. 3912 drops After.exe into the user's Documents folder, registers it under both Winlogon\UserInit and the Run key, and launches it; After.exe (3572) repeats the same self-hollowing into 4324. Finally 3912 runs the ping-and-delete one-liner, in which the ping against 127.0.0.1 is a sleep so that the original file in Temp is no longer in use when the del runs, leaving only the Documents copy on disk. The explorer.exe child (4372) shows no flagged behaviour of its own.
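The SetThreadContext and WriteProcessMemory signatures and the process tree above describe one sequence, and both halves of it are detectable from process telemetry alone. The script below is an added example written for this page, not code from Triage or from the sample. It rebuilds the tree from event records constructed from the PIDs, images, command lines and call counts in the report, then flags a parent that calls SetThreadContext on a child it has written into more than CreateProcess requires (process hollowing, here of the parent's own image) and a child whose command line sleeps on ping and then deletes an ancestor's executable. The write threshold of 3 is an assumption taken from this report, where plainly started children received three writes and hollowed ones received eight.

```python
"""Rebuild the process tree shown above and flag two patterns in it:
self-hollowing (parent spawns its own image, writes into it beyond what
CreateProcess needs, then calls SetThreadContext on it) and delayed
self-deletion (a child runs "ping ... del <ancestor image>").  Added example
for this page, not Triage's or the sample's code; the event records in
build_report_tree() are constructed from the report's PIDs and counts."""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str = ""
    children: List["Proc"] = field(default_factory=list)


# "ping <host> -n <count> ... del <path.exe>": ping serves as a sleep so the
# file is no longer locked by the running process when del executes.
SELF_DELETE_RE = re.compile(
    r'\bping\b.*?-n\s+\d+.*?\bdel\b\s+"?(?P<target>[^"]+?\.exe)"?', re.IGNORECASE)


class ProcessTree:
    def __init__(self) -> None:
        self.procs: Dict[int, Proc] = {}
        self.writes: Dict[Tuple[int, int], int] = defaultdict(int)  # (src, dst) -> WriteProcessMemory count
        self.thread_ctx: Set[Tuple[int, int]] = set()               # (src, dst) SetThreadContext pairs

    def add_process(self, pid: int, ppid: Optional[int], image: str, cmdline: str = "") -> Proc:
        p = Proc(pid, ppid, image, cmdline)
        self.procs[pid] = p
        if ppid in self.procs:
            self.procs[ppid].children.append(p)
        return p

    def record_write(self, src: int, dst: int, count: int = 1) -> None:
        self.writes[(src, dst)] += count

    def record_set_thread_context(self, src: int, dst: int) -> None:
        self.thread_ctx.add((src, dst))

    def ancestors(self, pid: int):
        p = self.procs.get(pid)
        while p is not None and p.ppid in self.procs:
            p = self.procs[p.ppid]
            yield p

    def hollowing_candidates(self, write_threshold: int = 3) -> List[dict]:
        """Parent->child pairs with SetThreadContext on the child and more
        parent writes than a plain CreateProcess produces.  Assumed baseline
        from the report: 3 writes for a merely started child, 8 for a
        hollowed one, so anything above 3 plus SetThreadContext is flagged."""
        out = []
        for src, dst in sorted(self.thread_ctx):
            parent, child = self.procs.get(src), self.procs.get(dst)
            if parent is None or child is None or child.ppid != src:
                continue  # only parent-on-own-child; debugger-style access is out of scope here
            writes = self.writes.get((src, dst), 0)
            if writes > write_threshold:
                out.append({"parent": src, "child": dst, "writes": writes,
                            "same_image": ntpath.normcase(parent.image) == ntpath.normcase(child.image)})
        return out

    def self_delete_candidates(self) -> List[dict]:
        """Processes whose command line deletes the image of one of their ancestors."""
        out = []
        for p in self.procs.values():
            m = SELF_DELETE_RE.search(p.cmdline)
            if not m:
                continue
            target = ntpath.normcase(m.group("target"))
            for a in self.ancestors(p.pid):
                if ntpath.normcase(a.image) == target:
                    out.append({"pid": p.pid, "owner_pid": a.pid, "deletes": a.image})
                    break
        return out

    def render(self) -> str:
        """Indented tree, roots first, children in creation order."""
        lines: List[str] = []

        def walk(p: Proc, depth: int) -> None:
            lines.append("  " * depth + f"{p.pid} {p.image}")
            for c in p.children:
                walk(c, depth + 1)

        for p in self.procs.values():
            if p.ppid not in self.procs:
                walk(p, 0)
        return "\n".join(lines)


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a113e103d28318c83c0d625de33e089b.exe"
AFTER = r"C:\Users\Admin\Documents\After.exe"


def build_report_tree() -> ProcessTree:
    """Constructed from the report: PIDs, parents, images, the ping command
    line, WriteProcessMemory counts per pair and SetThreadContext pairs."""
    t = ProcessTree()
    t.add_process(2808, None, SAMPLE)
    t.add_process(3912, 2808, SAMPLE)
    t.add_process(4372, 3912, r"C:\Windows\SysWOW64\explorer.exe")
    t.add_process(3572, 3912, AFTER)
    t.add_process(4324, 3572, AFTER)
    t.add_process(548, 3912, r"C:\Windows\SysWOW64\ping.exe",
                  f'ping 127.0.0.1 -n 5 > NUL del "{SAMPLE}"')
    for src, dst, n in [(2808, 3912, 8), (3912, 4372, 3), (3912, 3572, 3),
                        (3912, 548, 3), (3572, 4324, 8)]:
        t.record_write(src, dst, n)
    t.record_set_thread_context(2808, 3912)
    t.record_set_thread_context(3572, 4324)
    return t


if __name__ == "__main__":
    tree = build_report_tree()
    print(tree.render())
    print("hollowing:", tree.hollowing_candidates())
    print("self-delete:", tree.self_delete_candidates())
```

Run against the report's events it returns the two hollowing pairs (2808 into 3912 and 3572 into 4324, both same-image, eight writes each) and the single self-deletion by PID 548 of the image its parent 3912 is running. On a real host the process-creation and memory-access records come from Sysmon or an EDR; Sysmon does not log SetThreadContext as such, so that record has to come from an EDR or an API trace, and the write baseline must be re-measured for whichever sensor produced the counts, since each one counts parent-to-child writes differently.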
Network
MITRE ATT&CK Enterprise v15

The count after each technique is the number of signatures above that map to it.

Persistence
  Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 1
Privilege Escalation
  Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 1
Downloads

- Filesize: 488KB
- MD5: a113e103d28318c83c0d625de33e089b
- SHA1: 023dc01fcf484ee6f23fa7f7e943a78528b5ee21
- SHA256: 051ca838d355275a998d6e3153244826c7c2fe090e775cd99063ddcce30277a5
- SHA512: b664d85b93807c0feb7e1f9449dd505c62176786c86ddf5ddf497a8804d424fe8b30ef9a05aa298d48409fccdbbfb38dc2a0f4375de6c35f420203c850561fc8