Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/02/2024, 05:49
Static task: static1
Behavioral task: behavioral1
- Sample: a118dfe5b9dfaa5fc6819d8e9292a2f6.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: a118dfe5b9dfaa5fc6819d8e9292a2f6.exe
- Resource: win10v2004-20240221-en
General
- Target: a118dfe5b9dfaa5fc6819d8e9292a2f6.exe
- Size: 1.1MB
- MD5: a118dfe5b9dfaa5fc6819d8e9292a2f6
- SHA1: 7248a337d145e30b104aa5e0b769b20ff11ed0df
- SHA256: 77eb19ad6576fd74501a40e59f23273d430b66eed7c7efe95f50f1b7b0ffa3db
- SHA512: 0a5163d47dd7b2ba38c227db4c141d4e2c7a22776fc1e1b05558d961be036b1f1d437db13fb7c67bbebb8f8a6eea0587e9c175c25afbcf86ad506b4d2269280e
- SSDEEP: 24576:oURxV5Qk44owLqYTCOiDFXRIr3mFJoSI15kXiLICm49:oAxnrfoeqrOKFXR+3+of1qSU49
Malware Config
Signatures

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (svchost.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (svchost.exe)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
- Key value queried: \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation (a118dfe5b9dfaa5fc6819d8e9292a2f6.exe)

Executes dropped EXE (2 IoCs)
- PID 5100: svchost.exe
- PID 1748: svchost.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Keygen.exe" (a118dfe5b9dfaa5fc6819d8e9292a2f6.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Keygen.exe" (a118dfe5b9dfaa5fc6819d8e9292a2f6.exe)

Suspicious use of SetThreadContext (2 IoCs)
- PID 4524 (a118dfe5b9dfaa5fc6819d8e9292a2f6.exe) set thread context of PID 5100 (procid_target 89)
- PID 2692 (a118dfe5b9dfaa5fc6819d8e9292a2f6.exe) set thread context of PID 1748 (procid_target 91)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (svchost.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (svchost.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (svchost.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (svchost.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (svchost.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (svchost.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (svchost.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (svchost.exe)

Enumerates system info in registry (2 TTPs, 2 IoCs)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (svchost.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (svchost.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
All 64 events come from the two instances of the sample:
- PID 4524: a118dfe5b9dfaa5fc6819d8e9292a2f6.exe
- PID 2692: a118dfe5b9dfaa5fc6819d8e9292a2f6.exe

Suspicious use of AdjustPrivilegeToken (50 IoCs)
- PID 4524 (a118dfe5b9dfaa5fc6819d8e9292a2f6.exe): SeDebugPrivilege
- PID 5100 (svchost.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 2692 (a118dfe5b9dfaa5fc6819d8e9292a2f6.exe): SeDebugPrivilege
- PID 1748 (svchost.exe): the same 24 tokens as PID 5100

Suspicious use of WriteProcessMemory (31 IoCs)
- PID 4524 (a118dfe5b9dfaa5fc6819d8e9292a2f6.exe) wrote to memory of PID 5100 (procid_target 89): 14 events
- PID 4524 (a118dfe5b9dfaa5fc6819d8e9292a2f6.exe) wrote to memory of PID 2692 (procid_target 90): 3 events
- PID 2692 (a118dfe5b9dfaa5fc6819d8e9292a2f6.exe) wrote to memory of PID 1748 (procid_target 91): 14 events
Processes
- C:\Users\Admin\AppData\Local\Temp\a118dfe5b9dfaa5fc6819d8e9292a2f6.exe (depth 1, PID 4524)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a118dfe5b9dfaa5fc6819d8e9292a2f6.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\svchost.exe (depth 2, PID 5100)
    Command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\a118dfe5b9dfaa5fc6819d8e9292a2f6.exe (depth 2, PID 2692)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a118dfe5b9dfaa5fc6819d8e9292a2f6.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\svchost.exe (depth 3, PID 1748)
      Command line: C:\Users\Admin\AppData\Roaming\svchost.exe
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 7c32886c3cd06d6036c0462301ad289c
  SHA1: a0a54552a7ecf7082bac0af6c5bca610225b05df
  SHA256: 72c341969754f9e11b85119ca8db22eba2f4a6173c6bac14a032360073799009
  SHA512: 08613b8dc53125c6ff051a98989eb9c4eb447ad05243db1b956ae2969e8463c2a216ed6873274d5b3e890307ad219d761324aa702b3ee45f776b80336147d523