Analysis
max time kernel: 149s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240221-en locale:en-us os:windows10-2004-x64 system
submitted: 25-02-2024 08:40
Static task: static1
Behavioral task: behavioral1
  Sample: a3593e1bb1cbff5e24dfe2c56cf49a8d.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: a3593e1bb1cbff5e24dfe2c56cf49a8d.exe
  Resource: win10v2004-20240221-en
General
Target: a3593e1bb1cbff5e24dfe2c56cf49a8d.exe
Size: 863KB
MD5: a3593e1bb1cbff5e24dfe2c56cf49a8d
SHA1: 631958481f0565176351295df0bfaea81f139c60
SHA256: e064534d97cf20ede110465c290e99afad30967d8556775796a3a04203f48fec
SHA512: 70c92f024236d0aaf5549d10558ccb0c1f3a21761f0bf3506473c36e9e49a613aa838c5b53469b3573b130697b3613e1d4d4d3fd78fd9bb05b7e9d1b34772976
SSDEEP: 12288:l4lsXvtCcmVVXzzn4PJAahPl/QEdIMiVbHydEIJnJWUgaT7ddRq9MmCS:l4lavt0LkLL9IMixoEgea/HRq9MmCS
Malware Config
Signatures
UAC bypass 2 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | a3593e1bb1cbff5e24dfe2c56cf49a8d.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a3593e1bb1cbff5e24dfe2c56cf49a8d.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
  pid | Process
  4076 | netsh.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation | 5341.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation | a3593e1bb1cbff5e24dfe2c56cf49a8d.exe
Executes dropped EXE 2 IoCs
  pid | Process
  4256 | 5341.exe
  1972 | server.exe
Adds Run key to start application 2 TTPs 2 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0dc24807523d3cd24b54cd0996e4c49b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | server.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0dc24807523d3cd24b54cd0996e4c49b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | server.exe
Checks whether UAC is enabled 1 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a3593e1bb1cbff5e24dfe2c56cf49a8d.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken 35 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 1972 | server.exe
  Token: 33 | 1972 | server.exe
  Token: SeIncBasePriorityPrivilege | 1972 | server.exe
  (the last two rows alternate and are each reported 17 times, for 35 entries in total)
Suspicious use of WriteProcessMemory 9 IoCs
  description | pid | Process | procid_target
  PID 1992 wrote to memory of 4256 | 1992 | a3593e1bb1cbff5e24dfe2c56cf49a8d.exe | 93 (reported 3 times)
  PID 4256 wrote to memory of 1972 | 4256 | 5341.exe | 97 (reported 3 times)
  PID 1972 wrote to memory of 4076 | 1972 | server.exe | 98 (reported 3 times)
System policy modification 1 TTPs 3 IoCs
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | a3593e1bb1cbff5e24dfe2c56cf49a8d.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | a3593e1bb1cbff5e24dfe2c56cf49a8d.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a3593e1bb1cbff5e24dfe2c56cf49a8d.exe
Processes
C:\Users\Admin\AppData\Local\Temp\a3593e1bb1cbff5e24dfe2c56cf49a8d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a3593e1bb1cbff5e24dfe2c56cf49a8d.exe"
  - UAC bypass
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1992
  C:\Users\Admin\AppData\Local\Temp\5341\5341.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5341\5341.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4256
    C:\Users\Admin\AppData\Local\Temp\server.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:1972
      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        - Modifies Windows Firewall
        PID:4076
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 23KB
MD5: 2c658b294b94ada8f4ccf02e4c682ade
SHA1: 9f5393f9f374199070f0ad15ae17426d414053d4
SHA256: 32435ea75fdd3b309051fc45ec5c3ef5b1768791f5421ea25c7fd85b38496337
SHA512: d8991a605721ce3adaedb8aa40b29858d8c5fa0cc8b74fb3a0e997bfa5e73629822a03c438bcc903cfb4df01eb59293a7e4b9332c28cfc3f5af7ccdec8123d52