Analysis
max time kernel 149s
max time network 149s
platform windows10-2004_x64
resource win10v2004-20240226-en
resource tags arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted 29/02/2024, 06:12
Behavioral task behavioral1
Sample addfc1ec8a277f7692892fff20e5490e.exe
Resource win7-20240221-en
Behavioral task behavioral2
Sample addfc1ec8a277f7692892fff20e5490e.exe
Resource win10v2004-20240226-en
General
Target addfc1ec8a277f7692892fff20e5490e.exe
Size 133KB
MD5 addfc1ec8a277f7692892fff20e5490e
SHA1 583c8d6eced0c465c2dd2a9afb47739a4d163c03
SHA256 ad2983c9d385ee2e332d76e417818e7c86a74c753255541631290e917e1e4db6
SHA512 1c93eeb62b428bf5c4aac5a91de7819565775a107d82e07be84dbefda8a4643b9aedbebb76f13e133d1fb23d29326ca86671f6dcbbd8dd04add5eb895f7f762a
SSDEEP 3072:fRMqjl4A6wDzmRIFulk6BLMuqT995Zoole5TJj4:pMCGA60zVW2uqTXlevj
Malware Config
Signatures
-
Adds policy Run key to start application 2 TTPs 2 IoCs
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run (sgcxcxxaspf080615.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\nyuserinit = "C:\\Windows\\system32\\inf\\svchostc.exe C:\\Windows\\twftadfia16_080615.dll tanlt88" (sgcxcxxaspf080615.exe)
Note that the value names C:\Windows\system32\inf\svchostc.exe, while the file was created at C:\Windows\SysWOW64\inf\svchostc.exe (see "Drops file in System32 directory" below). The sample runs as a 32-bit (WoW64) process, so its writes to system32 are redirected to SysWOW64; the process tree shows the same system32 command line executing from the SysWOW64 image path. A 64-bit consumer of this Run value would resolve the unredirected path.
YARA match (behavioral2)
- behavioral2/files/0x00080000000231fd-62.dat matched rule aspack_v212_v242 (ASPack packer signature)
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation (addfc1ec8a277f7692892fff20e5490e.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation (svchostc.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation (sgcxcxxaspf080615.exe)
Deletes itself 1 IoCs
- PID 2948 svchostc.exe
Executes dropped EXE 2 IoCs
- PID 2948 svchostc.exe
- PID 3924 sgcxcxxaspf080615.exe
Loads dropped DLL 1 IoCs
- PID 2948 svchostc.exe
Drops file in System32 directory 4 IoCs
- File created: C:\Windows\SysWOW64\inf\svchostc.exe (addfc1ec8a277f7692892fff20e5490e.exe)
- File opened for modification: C:\Windows\SysWOW64\inf\svchostc.exe (addfc1ec8a277f7692892fff20e5490e.exe)
- File created: C:\Windows\SysWOW64\inf\sppdcrs080615.scr (addfc1ec8a277f7692892fff20e5490e.exe)
- File created: C:\Windows\SysWOW64\inf\scsys16_080615.dll (addfc1ec8a277f7692892fff20e5490e.exe)
Drops file in Windows directory 7 IoCs
- File opened for modification: C:\Windows\twisys.ini (addfc1ec8a277f7692892fff20e5490e.exe)
- File created: C:\Windows\system\sgcxcxxaspf080615.exe (addfc1ec8a277f7692892fff20e5490e.exe)
- File created: C:\Windows\tdcbdcasys32_080615.dll (addfc1ec8a277f7692892fff20e5490e.exe)
- File created: C:\Windows\twftadfia16_080615.dll (addfc1ec8a277f7692892fff20e5490e.exe)
- File opened for modification: C:\Windows\twisys.ini (svchostc.exe)
- File opened for modification: C:\Windows\twisys.ini (sgcxcxxaspf080615.exe)
- File created: C:\Windows\tdcbdcasys32_080615.dll (sgcxcxxaspf080615.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings
All keys below are under \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000 (the sandbox user's hive); paths are given relative to it.
- Set value (str): SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no" (sgcxcxxaspf080615.exe)
- Set value (int): SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" (IEXPLORE.EXE)
- Key created: Software\Microsoft\Internet Explorer\DomainSuggestion (IEXPLORE.EXE)
- Set value (int): SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A4348B60-D6C9-11EE-9216-EA08C850D01B} = "0" (IEXPLORE.EXE)
- Set value (str): SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (IEXPLORE.EXE)
- Set value (int): SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2022689320" (IEXPLORE.EXE)
- Set value (str): SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" (IEXPLORE.EXE)
- Set value (int): SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "415952177" (IEXPLORE.EXE)
- Key created: Software\Microsoft\Internet Explorer\Main (IEXPLORE.EXE)
- Key created: Software\Microsoft\Internet Explorer\Main (IEXPLORE.EXE)
- Set value (str): SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" (IEXPLORE.EXE)
- Set value (str): SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" (IEXPLORE.EXE)
- Set value (int): SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" (IEXPLORE.EXE)
- Set value (int): SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31091414" (IEXPLORE.EXE)
- Set value (int): SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" (IEXPLORE.EXE)
- Key created: SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames (IEXPLORE.EXE)
- Key created: Software\Microsoft\Internet Explorer\Main\WindowsSearch (IEXPLORE.EXE)
- Key created: Software\Microsoft\Internet Explorer\VersionManager (IEXPLORE.EXE)
- Set value (int): SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31091414" (IEXPLORE.EXE)
- Set value (int): SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31091414" (IEXPLORE.EXE)
- Key created: SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion (IEXPLORE.EXE)
- Key created: Software\Microsoft\Internet Explorer\Recovery\AdminActive (IEXPLORE.EXE)
- Set value (int): SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" (IEXPLORE.EXE)
- Key created: Software\Microsoft\Internet Explorer\VersionManager (IEXPLORE.EXE)
- Set value (int): SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2025345639" (IEXPLORE.EXE)
- Key created: Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ (IEXPLORE.EXE)
- Key created: Software\Microsoft\Internet Explorer\GPU (IEXPLORE.EXE)
- Key created: Software\Microsoft\Internet Explorer\Recovery\PendingRecovery (IEXPLORE.EXE)
- Key created: SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ (IEXPLORE.EXE)
- Set value (data): SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (IEXPLORE.EXE)
- Set value (int): SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2022689320" (IEXPLORE.EXE)
Suspicious behavior: EnumeratesProcesses 18 IoCs
- PID 1748 addfc1ec8a277f7692892fff20e5490e.exe (4 events)
- PID 3924 sgcxcxxaspf080615.exe (14 events)
Suspicious use of AdjustPrivilegeToken 10 IoCs
- Token: SeDebugPrivilege, PID 1748 addfc1ec8a277f7692892fff20e5490e.exe (2 events)
- Token: SeDebugPrivilege, PID 3924 sgcxcxxaspf080615.exe (8 events)
Suspicious use of FindShellTrayWindow 1 IoCs
- PID 1008 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs
- PID 1008 IEXPLORE.EXE (2 events)
- PID 2200 IEXPLORE.EXE (4 events)
Suspicious use of WriteProcessMemory 15 IoCs
- PID 1748 (addfc1ec8a277f7692892fff20e5490e.exe) wrote to memory of PID 2948, procid_target 92 (3 events)
- PID 2948 (svchostc.exe) wrote to memory of PID 3540, procid_target 93 (3 events)
- PID 3540 (cmd.exe) wrote to memory of PID 3924, procid_target 95 (3 events)
- PID 3924 (sgcxcxxaspf080615.exe) wrote to memory of PID 1008, procid_target 98 (3 events)
- PID 1008 (IEXPLORE.EXE) wrote to memory of PID 2200, procid_target 99 (3 events)
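Added example (the editor's, not part of the sandbox report): a small triage script over the registry and file IoCs listed above. It extracts the Policies\Explorer\Run value, splits it into image and arguments, applies WoW64 file-system redirection to the image path, and reports whether the image exists at the path the value names or only at the redirected SysWOW64 path the sandbox saw the sample write; it also lists which processes read Geo\Nation. The IoC rows and dropped-file list are transcribed from this report; the function names, the autostart-key pattern and the redirection exemption list are the example's own assumptions.

```python
r"""Triage of sandbox registry/file IoCs: autostart entry, WoW64 redirection,
and Geo\Nation (geofence) lookups.  Added example, not from the report."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed input: (action, key, data, process) rows transcribed from the
# "Adds policy Run key" and "Checks computer location settings" sections.
REGISTRY_IOCS = [
    ("Key created",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run",
     None, "sgcxcxxaspf080615.exe"),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\nyuserinit",
     r"C:\Windows\system32\inf\svchostc.exe C:\Windows\twftadfia16_080615.dll tanlt88",
     "sgcxcxxaspf080615.exe"),
    ("Key value queried",
     r"\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation",
     None, "addfc1ec8a277f7692892fff20e5490e.exe"),
    ("Key value queried",
     r"\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation",
     None, "svchostc.exe"),
    ("Key value queried",
     r"\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation",
     None, "sgcxcxxaspf080615.exe"),
]

# Files from "Drops file in System32 directory" (paths as the sandbox observed them).
DROPPED_FILES = [
    r"C:\Windows\SysWOW64\inf\svchostc.exe",
    r"C:\Windows\SysWOW64\inf\sppdcrs080615.scr",
    r"C:\Windows\SysWOW64\inf\scsys16_080615.dll",
]

# Value names under these keys are launched at logon (HKLM or HKCU).  Assumed
# pattern for this example; extend with other autostart locations as needed.
AUTOSTART_VALUE = re.compile(
    r"\\CurrentVersion\\(?:Policies\\Explorer\\Run|RunOnce|Run)\\(?P<name>[^\\]+)$", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)

# system32 subdirectories the WoW64 file-system redirector leaves alone
# (the commonly documented set; re-check against the target OS version).
WOW64_EXEMPT = {"catroot", "catroot2", "driverstore", "etc", "logfiles", "spool"}
_SYSTEM32 = re.compile(r"^(?P<root>[a-z]:\\windows)\\system32(?P<rest>\\.*)?$", re.I)


def wow64_redirect(path: str) -> str:
    """Path a 32-bit process really touches when it opens `path` on x64 Windows."""
    m = _SYSTEM32.match(path)
    if not m:
        return path
    rest = m.group("rest") or ""
    first = rest.lstrip("\\").split("\\", 1)[0].lower()
    if first in WOW64_EXEMPT:
        return path
    return f"{m.group('root')}\\SysWOW64{rest}"


def split_command_line(cmd: str) -> Tuple[str, str]:
    """Split a Run-value command line into (image, arguments).

    A quoted image runs to the closing quote; an unquoted one ends at the first
    space.  CreateProcess would also try longer unquoted prefixes; that is not
    modelled here (the report's value is unquoted and its path has no spaces)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end < 0:
            raise ValueError("unterminated quote in command line")
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


@dataclass
class AutostartEntry:
    value_name: str
    image: str
    args: str
    writer: str               # process that set the value
    redirected_image: str     # where a 32-bit writer's file really landed
    on_disk_as_written: bool  # image path appears verbatim among dropped files
    on_disk_redirected: bool  # redirected path appears among dropped files


def find_autostart_entries(iocs, dropped_files) -> List[AutostartEntry]:
    """Autostart values set by the sample, cross-checked against dropped files."""
    dropped = {p.lower() for p in dropped_files}
    found = []
    for action, key, data, proc in iocs:
        if not action.startswith("Set value") or data is None:
            continue
        m = AUTOSTART_VALUE.search(key)
        if not m:
            continue
        image, args = split_command_line(data)
        redirected = wow64_redirect(image)
        found.append(AutostartEntry(m.group("name"), image, args, proc, redirected,
                                    image.lower() in dropped, redirected.lower() in dropped))
    return found


def find_geofence_lookups(iocs) -> List[str]:
    """Processes that read the user's Geo\\Nation value (country-based gating)."""
    return [proc for action, key, _, proc in iocs
            if action.startswith("Key value queried") and GEO_NATION.search(key)]


if __name__ == "__main__":
    for e in find_autostart_entries(REGISTRY_IOCS, DROPPED_FILES):
        print(f"autostart {e.value_name!r} set by {e.writer}: {e.image} {e.args}")
        print(f"  present as written: {e.on_disk_as_written}; "
              f"present at WoW64 path {e.redirected_image}: {e.on_disk_redirected}")
    print("Geo\\Nation read by:", ", ".join(find_geofence_lookups(REGISTRY_IOCS)))
```

Run stand-alone it reports that nyuserinit points at a system32 path that was never written, while the redirected SysWOW64 path is among the dropped files, and that all three processes in the chain read Geo\Nation. On a live host the same split-and-redirect logic applies to values read from HKLM\...\Policies\Explorer\Run before deciding whether a persistence entry is dead or live for 64-bit consumers.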
Processes
Each process is nested under its parent; the leading number is the depth in the tree.
1. C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe"
   PID: 1748
   - Checks computer location settings
   - Drops file in System32 directory
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\inf\svchostc.exe
      Command line: "C:\Windows\system32\inf\svchostc.exe" C:\Windows\twftadfia16_080615.dll tanlt88
      PID: 2948
      - Checks computer location settings
      - Deletes itself
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /c "c:\mylstecj.bat"
         PID: 3540
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system\sgcxcxxaspf080615.exe
            Command line: "C:\Windows\system\sgcxcxxaspf080615.exe" i
            PID: 3924
            - Adds policy Run key to start application
            - Checks computer location settings
            - Executes dropped EXE
            - Drops file in Windows directory
            - Modifies Internet Explorer settings
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5. C:\Program Files\Internet Explorer\IEXPLORE.EXE
               Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
               PID: 1008
               - Modifies Internet Explorer settings
               - Suspicious use of FindShellTrayWindow
               - Suspicious use of SetWindowsHookEx
               - Suspicious use of WriteProcessMemory
               6. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1008 CREDAT:17410 /prefetch:2
                  PID: 2200
                  - Modifies Internet Explorer settings
                  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize 17KB
  MD5 5a34cb996293fde2cb7a4ac89587393a
  SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
  SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
  SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
- Filesize 60KB
  MD5 889b99c52a60dd49227c5e485a016679
  SHA1 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
  SHA256 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
  SHA512 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641
- Filesize 133KB (the submitted sample; hashes match the General section)
  MD5 addfc1ec8a277f7692892fff20e5490e
  SHA1 583c8d6eced0c465c2dd2a9afb47739a4d163c03
  SHA256 ad2983c9d385ee2e332d76e417818e7c86a74c753255541631290e917e1e4db6
  SHA512 1c93eeb62b428bf5c4aac5a91de7819565775a107d82e07be84dbefda8a4643b9aedbebb76f13e133d1fb23d29326ca86671f6dcbbd8dd04add5eb895f7f762a
- Filesize 219KB
  MD5 9ffcad679063d56de00784483f203367
  SHA1 ae617a526451e6e286ba393d49bde048f43ec4c6
  SHA256 ecc842b207eb390c9b17215975f409719ca323064783c8646f1e15a01ea7e939
  SHA512 7ba6f805fbbbbd78fe2ddf3c47ea0b284a9d5046690c1ebdb498b594c5345b77b0fce84c1e3848ed707299f7a7a788fb21bd6702ea3461e9db9f54d7bb767b7f
- Filesize 31KB
  MD5 4b0a833136e7db417c3553674fae561e
  SHA1 8cec9a200575227bbc45566b7f16d688e2dcedda
  SHA256 7502fe8ead3a2d449643981fc9aa06370675ea4c3348161f1926c6bdf0a563cc
  SHA512 b945ce854f58857d6d7f2624a6f98aa5fa3e6188e9f3baafa91ee920fb0818e486a9e521179f15500370a8b18ea07ab7ad33683165af154d3a962090cf16dcb6
- Filesize 46B
  MD5 033bcec777267cf4358ac0da4cac6dc9
  SHA1 b8127384122b57e301988bf059fac49d86f83c14
  SHA256 78313879e727cfc88bbc95ae05af2893e7699a29c14fb3ca421c72c3b0b357a7
  SHA512 12fb21c483a752606fd51ce44fbdf1ca2cbfe9694ffc466ab89fcc7f71fcfe6832ab958148d12f7fe66cd043893b32d72544628ba577704a7fbd916fe0f3c768
- Filesize 434B
  MD5 0fb7f4692482afc5f6f3ccbf08f62948
  SHA1 a534f4dee03ce489c32bb2515d2324a03c0ef24a
  SHA256 6190340f935e87c36666da60370fdddac8ecefc482494ccd5aa56803a51a20d0
  SHA512 f6f090fc7a1848bd4ca4553ef3751b478b4f95d171bd48d55e6668c1381f37e4fe4cee88e26141a9687a3a086aa21d558a658330a1438ac4aef14bc3393c18b0
- Filesize 364B
  MD5 cc72aef041857e3e9ff2f15086e2ae99
  SHA1 3afb52c396174e2604c78c8c807a246c8619f1e4
  SHA256 418c868147c2f2aa1c9b988ef8f489ab312229be4bc346ce88e0823fbfb9f101
  SHA512 4dbe7201d2021dd0e08d8f3d6bb56a94cd1e213606eb8f629ba7ea73c74928c2f1bcf77107bf732ded22067663cce3d0d2089ebd5e6048472643aa22d8b05b37
- Filesize 392B
  MD5 87c70147b275110dff5c42d2db300398
  SHA1 25a35b0297783b2f3b46998072d1e3deeb9f8aa0
  SHA256 f98de0d242dfb3a3c393be55c74c7f1c0e4f7f5fd9da16e5ad56079b596f99dc
  SHA512 1d77f90a865bec01b56e9afeccfc006b4896d1963a6468a6b6285f180870da0acb9594eb6822f4fb533bd107a2d59eb03325adee047a86778e3ccf0d2e459ddc
- Filesize 398B
  MD5 e9f1507c7900c1ae4af3a2186f145c9f
  SHA1 00ffa170d8972a2fa2d756308b73b9ccbac5adb2
  SHA256 de39ea4dd4d0502427dfb422cf63ffb06eaa984cb87605210c5b9ea221169246
  SHA512 ac7755bfb33375b1f85bb1687f26d61ab0b2b8ed0981c3ddfddef59a421cd5904e054e5fd5d321bc7b370661bc56a07efd9391b42925dd172c857c37bbacf186
- Filesize 431B
  MD5 cf5a25fcbd841f46d05bf61739112940
  SHA1 4a6cee80fc764aa0ddb582dc769769600c1103a2
  SHA256 38831f11afb10e5f9f4deca22b71857eaa957560754513efc56037cc2e4f5557
  SHA512 3ec2655904c162c2004f62aa5124140460aac999d21b4fae448b8a3fe59cc3d562e70603484508659408137a99302e993e6dae5e3319459d2a738cf24ebad72d
- Filesize 458B
  MD5 c6a0598d2f107431eff2e13f692a9dff
  SHA1 2a238988a95f6d2af9e578694e7f6e9ff483f2e8
  SHA256 b86a02746049603c2e2f4931fc184dc906ba30039e4dfcd62f88854156a87bd4
  SHA512 4a4f02c1047f83b1f54b128bde5ef00b3e53f6c277a094f75a3dcb94ca8f6b452efd0213179e937d3855de1bcbe108433407a54322fa279f1c67d415b02f0c60
- Filesize 53B
  MD5 da1246d60fb14fd94892aed08d4efdea
  SHA1 9cbb3efeb757112bea4538923727eb6aac9d852e
  SHA256 676b0f775d503b049bddbdc12898718483b6a4dfc692fc4c3d9fc07fdd0be234
  SHA512 0d6ecbc5ed71133ba1ea3b83fdcd29162d6972edc3524bcc47c233c394f24c6b1c09a7b3cbb00cda10ce9497610ecfcb5b8714f0eb8a7750e953b084e623cdc9