3ff941c75faf0a33ff1a19e5f955ad06e8c9a5d08b38cdb051cfacf252c9d0d4

Analysis

max time kernel
108s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
25-02-2024 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a384cf67f9ef927a5acc30a8b460f3ae.exe
Size

814KB
MD5

a384cf67f9ef927a5acc30a8b460f3ae
SHA1

3563afb42bc7ce287708e5048247f01dc58f5bb8
SHA256

3ff941c75faf0a33ff1a19e5f955ad06e8c9a5d08b38cdb051cfacf252c9d0d4
SHA512

39207c43ff39475e644bcc32f80967026a1306597b18a2c00a7ca6bf8ed90b1d5d68a269c1d67409da5cd1e8254c0627a75ce47cfa858acb3f22a2acc60eee48
SSDEEP

12288:kxzOgf6jCWazEF3Z4mxxl4IxSo62jDrkAS5j2E/HgD+jGEpRmmP2ArQns4j:UzFyukQmXlsohkZqMHgDSXneArqp

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation	a384cf67f9ef927a5acc30a8b460f3ae.exe

Executes dropped EXE 2 IoCs

pid	Process
2900	temp.exe
2628	Hack48.com.cn.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hack48.com.cn.exe	temp.exe
File opened for modification	C:\Windows\Hack48.com.cn.exe	temp.exe
File created	C:\Windows\uninstal.bat	temp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2900	temp.exe
Token: SeDebugPrivilege	2628	Hack48.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2628	Hack48.com.cn.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 2900	1512	a384cf67f9ef927a5acc30a8b460f3ae.exe	84
PID 1512 wrote to memory of 2900	1512	a384cf67f9ef927a5acc30a8b460f3ae.exe	84
PID 1512 wrote to memory of 2900	1512	a384cf67f9ef927a5acc30a8b460f3ae.exe	84
PID 2628 wrote to memory of 2476	2628	Hack48.com.cn.exe	89
PID 2628 wrote to memory of 2476	2628	Hack48.com.cn.exe	89
PID 2900 wrote to memory of 2552	2900	temp.exe	92
PID 2900 wrote to memory of 2552	2900	temp.exe	92
PID 2900 wrote to memory of 2552	2900	temp.exe	92

C:\Users\Admin\AppData\Local\Temp\a384cf67f9ef927a5acc30a8b460f3ae.exe
"C:\Users\Admin\AppData\Local\Temp\a384cf67f9ef927a5acc30a8b460f3ae.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Users\Admin\AppData\Local\Temp\temp.exe
  "C:\Users\Admin\AppData\Local\Temp\temp.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
    3⤵
    PID:2552

C:\Windows\Hack48.com.cn.exe
C:\Windows\Hack48.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
296KB

MD5
6c35781644ddf434656576ad99a1a80c

SHA1
fdf6c6f37afb25da622747101eba2015ef3dbd2d

SHA256
6c55c88207be917359d9255ef65051d057fb07f5f816593e992f592c70434a28

SHA512
67ce06f844310f83734f272930a11475def98795419f96e3007b54688726802f6d344d9332cd5d5e97fbc38486c651d05a3edb6e194e5add85b23e7e05b6f65e

Download Submit
C:\Windows\uninstal.bat

Filesize
134B

MD5
d844dfb0f997e4d32cdb6dafa4d7717a

SHA1
eaa7b33e52129f946e1aca0ce3cf45a7ce36b5ec

SHA256
0f38f96239893411209b61471bb7c2412a8637ce0e5cbf9cc3c23e14ee44759a

SHA512
fdeeeda586bf1d748ab962bd579ab3ef69a59ab9306bd3b29663dd496bba31e0a20b62e6076c08bfef44ad821e9dd69e88a29a56d427cbba532947cf91947be5

Download Submit
memory/1512-27-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/1512-34-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/1512-2-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/1512-3-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/1512-19-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/1512-18-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/1512-17-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/1512-16-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/1512-15-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/1512-14-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/1512-13-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/1512-12-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/1512-11-0x0000000003280000-0x0000000003282000-memory.dmp

Filesize
8KB

Download
memory/1512-10-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1512-0-0x0000000010000000-0x00000000100C1000-memory.dmp

Filesize
772KB

Download
memory/1512-8-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1512-7-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/1512-6-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/1512-5-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/1512-4-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/1512-20-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/1512-21-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/1512-9-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/1512-26-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/1512-33-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/1512-23-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/1512-22-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/1512-28-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/1512-29-0x0000000003270000-0x0000000003275000-memory.dmp

Filesize
20KB

Download
memory/1512-30-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/1512-31-0x0000000003310000-0x0000000003311000-memory.dmp

Filesize
4KB

Download
memory/1512-32-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/1512-25-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/1512-35-0x00000000032B0000-0x00000000032B1000-memory.dmp

Filesize
4KB

Download
memory/1512-1-0x00000000020A0000-0x00000000020F4000-memory.dmp

Filesize
336KB

Download
memory/1512-36-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download
memory/1512-38-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/1512-37-0x00000000032F0000-0x00000000032F1000-memory.dmp

Filesize
4KB

Download
memory/1512-46-0x0000000010000000-0x00000000100C1000-memory.dmp

Filesize
772KB

Download
memory/1512-49-0x00000000020A0000-0x00000000020F4000-memory.dmp

Filesize
336KB

Download
memory/2628-55-0x0000000000660000-0x0000000000662000-memory.dmp

Filesize
8KB

Download
memory/2628-57-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/2628-62-0x0000000000660000-0x0000000000662000-memory.dmp

Filesize
8KB

Download
memory/2628-63-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/2900-47-0x0000000000400000-0x00000000004D701C-memory.dmp

Filesize
860KB

Download
memory/2900-48-0x0000000000680000-0x0000000000682000-memory.dmp

Filesize
8KB

Download
memory/2900-50-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/2900-60-0x0000000000400000-0x00000000004D701C-memory.dmp

Filesize
860KB

Download