Analysis
max time kernel: 153s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-02-2024 21:58
Behavioral task behavioral1
Sample: a569d0e761a74ce9324fe2acd2d8d18ba16fe7882a4c8c2d29eed0fa47083a98.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: a569d0e761a74ce9324fe2acd2d8d18ba16fe7882a4c8c2d29eed0fa47083a98.exe
Resource: win10v2004-20240226-en
General
Target: a569d0e761a74ce9324fe2acd2d8d18ba16fe7882a4c8c2d29eed0fa47083a98.exe
Size: 36KB
MD5: be620fcc4aa93db6323afb9d59f58433
SHA1: 96c315802257494d3474d4b3dd819415bfad187f
SHA256: a569d0e761a74ce9324fe2acd2d8d18ba16fe7882a4c8c2d29eed0fa47083a98
SHA512: a31951ac3da5fec54a02c85635ce21131038e181cf07fcd73af19ec96084a3e00b8d7adc6aca33f0db87723daead6d34cf2726e2f5b57d1508bd39ab0776cdd0
SSDEEP: 768:a8cNwislUV0bwA74K8EjrM+rMRa8Nundgt:avqlU6X4KL8+gRJNsd
Malware Config
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid 1860, Process netsh.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
  Process: a569d0e761a74ce9324fe2acd2d8d18ba16fe7882a4c8c2d29eed0fa47083a98.exe
- Executes dropped EXE (1 IoC)
  pid 4668, Process svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Token: SeDebugPrivilege, pid 4668, Process svchost.exe
  Token: 33, pid 4668, Process svchost.exe
  Token: SeIncBasePriorityPrivilege, pid 4668, Process svchost.exe
  (the Token: 33 / Token: SeIncBasePriorityPrivilege pair is logged 15 times in total, every entry for pid 4668 svchost.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1076 (a569d0e761a74ce9324fe2acd2d8d18ba16fe7882a4c8c2d29eed0fa47083a98.exe) wrote to memory of 4668, procid_target 97 (logged 3 times)
  PID 4668 (svchost.exe) wrote to memory of 1860, procid_target 98 (logged 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\a569d0e761a74ce9324fe2acd2d8d18ba16fe7882a4c8c2d29eed0fa47083a98.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a569d0e761a74ce9324fe2acd2d8d18ba16fe7882a4c8c2d29eed0fa47083a98.exe"
  PID: 1076
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\svchost.exe (child of PID 1076)
    Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    PID: 4668
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (child of PID 4668)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
      PID: 1860
      - Modifies Windows Firewall
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
  PID: 1176
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 36KB
  MD5: be620fcc4aa93db6323afb9d59f58433
  SHA1: 96c315802257494d3474d4b3dd819415bfad187f
  SHA256: a569d0e761a74ce9324fe2acd2d8d18ba16fe7882a4c8c2d29eed0fa47083a98
  SHA512: a31951ac3da5fec54a02c85635ce21131038e181cf07fcd73af19ec96084a3e00b8d7adc6aca33f0db87723daead6d34cf2726e2f5b57d1508bd39ab0776cdd0