Analysis
max time kernel: 143s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/02/2024, 00:29
Behavioral task behavioral1
  Sample: aa8a2abca1d41fd891e4662c5db06397.exe
  Resource: win7-20240221-en
Behavioral task behavioral2
  Sample: aa8a2abca1d41fd891e4662c5db06397.exe
  Resource: win10v2004-20240226-en
General
Target: aa8a2abca1d41fd891e4662c5db06397.exe
Size: 175KB
MD5: aa8a2abca1d41fd891e4662c5db06397
SHA1: dbd9f1df3490c2896bbc4516b6b0ab76f7d18397
SHA256: 16447e46c50a475f1e450a70c8ab185a6cefb7b6d9e030ea63b819c8a62246c1
SHA512: 96c8445f65c2b73bf1fe936ca74c7644669c21ed9870bfcf97de421587dc41777a4f0c7fb4820d6dd5cd78d4004fa968690faa2ccce7192d43c29f5a0c131d66
SSDEEP: 3072:D3DjYM/jnH/nJ99gn5MJjlPLOBAZ1iXu0encNIcoutkjcEmoUKr:D4GrHvJ9ewjpKBAZ1iX7CcicoSq/r
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | aa8a2abca1d41fd891e4662c5db06397.exe

Executes dropped EXE (1 IoC)
  pid | Process
  4336 | ins5486.exe

  resource | yara_rule
  behavioral2/memory/1616-0-0x0000000000A50000-0x0000000000ACD000-memory.dmp | upx
  behavioral2/memory/1616-17-0x0000000000A50000-0x0000000000ACD000-memory.dmp | upx
  behavioral2/memory/4336-20-0x00000000009E0000-0x00000000009F0000-memory.dmp | upx
  behavioral2/memory/1616-26-0x0000000000A50000-0x0000000000ACD000-memory.dmp | upx

Drops desktop.ini file(s) (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\assembly\Desktop.ini | ins5486.exe
  File opened for modification | C:\Windows\assembly\Desktop.ini | ins5486.exe

Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\assembly | ins5486.exe
  File created | C:\Windows\assembly\Desktop.ini | ins5486.exe
  File opened for modification | C:\Windows\assembly\Desktop.ini | ins5486.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  4336 | ins5486.exe
  4336 | ins5486.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 4336 | ins5486.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  4336 | ins5486.exe
  4336 | ins5486.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1616 wrote to memory of 4336 | 1616 | aa8a2abca1d41fd891e4662c5db06397.exe | 97
  PID 1616 wrote to memory of 4336 | 1616 | aa8a2abca1d41fd891e4662c5db06397.exe | 97
  PID 1616 wrote to memory of 4336 | 1616 | aa8a2abca1d41fd891e4662c5db06397.exe | 97
Processes
[1] C:\Users\Admin\AppData\Local\Temp\aa8a2abca1d41fd891e4662c5db06397.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\aa8a2abca1d41fd891e4662c5db06397.exe"
    PID: 1616
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\ins5486\ins5486.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\ins5486\ins5486.exe" ins.exe /e49955 /u4dc9054e-38b0-4614-bdd5-20605bc06f26
        PID: 4336
        - Executes dropped EXE
        - Drops desktop.ini file(s)
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3608 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
    PID: 5080
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 256KB
MD5: d8256547ca0a650ea393964f69dae300
SHA1: be23209fa5e30dbbfb71feb98547cb2798fba978
SHA256: c7ba479a39f137ebfdb252e8eddc30567e0959990818a679e948f7cc5005c343
SHA512: e83851057fa22fc5564fad01441c29fc22bf829312e86b13fb980a9fe03160673414bda68fe8789e4914929b5e1c259bc253571d24311f50ef93dfb4c32578c3