Analysis
max time kernel: 147s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/03/2024, 16:36
Static task: static1
Behavioral task: behavioral1
  Sample: injector.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: injector.exe
  Resource: win10v2004-20240226-en
General
Target: injector.exe
Size: 507KB
MD5: d2ce96fcc35f20e4707697b98912d1a3
SHA1: b8f4d065d36a6c3f96d2f75f673944874f8302b7
SHA256: c4ff79e810552e4191894285875fe01c9c7b957c7d76228cdbeeb1b2132338ba
SHA512: 4cda92e11838c1f6bacf2e0597c321678e00a7171761c2a9f5e25edfc66a7e458533e0ba646715e99962440dd9551f0d4897e1bac0860b09147565b00f036e45
SSDEEP: 6144:oG0Sx4x1VJswRYC8baxFIl+DJQATVbohlDOJh67V4CWWlI+8NyxNX2NnRI/d:Wi44wRrEl+DJLdo6az1mNRi
Malware Config
Signatures
Sets service image path in registry (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\lenpFVYYWFYbWnkvFUkJD\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\lenpFVYYWFYbWnkvFUkJD" (process: 5repV.exe)
  The service image is a file in the user's Temp directory rather than under System32. Together with the LoadsDriver and SeLoadDriverPrivilege signatures on the same process below, this indicates the dropped executable registers and loads a driver from a user-writable location.
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation (process: injector.exe)
Executes dropped EXE (1 IoC)
  PID 1356: 5repV.exe
Drops file in Windows directory (1 IoC)
  File created: C:\Windows\SoftwareDistribution\Download\5repV.exe (process: injector.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: LoadsDriver (1 IoC)
  PID 1356: 5repV.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeLoadDriverPrivilege, PID 1356: 5repV.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 524 (injector.exe) wrote to memory of PID 1268 (procid_target 89)
  PID 524 (injector.exe) wrote to memory of PID 1268 (procid_target 89)
  PID 524 (injector.exe) wrote to memory of PID 3252 (procid_target 90)
  PID 524 (injector.exe) wrote to memory of PID 3252 (procid_target 90)
  PID 524 (injector.exe) wrote to memory of PID 1356 (procid_target 91)
  PID 524 (injector.exe) wrote to memory of PID 1356 (procid_target 91)
  All three targets are the child processes of injector.exe shown in the process tree below.
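Detection logic for the behaviour combination flagged above (a service ImagePath pointing into a user's Temp directory, then SeLoadDriverPrivilege and a driver load by the same process, plus the Geo\Nation lookup by the parent), as an added example that is not part of the sandbox report and not code from the sample. The event dicts, their field names (`type`, `pid`, `process`, `key`, `value`, `privilege`), the list of user-writable directories and the benign `services.exe` control row are constructed for this example and do not correspond to any real sensor schema; the malicious rows mirror the report's IoCs.

```python
"""Correlate sandbox-style events into per-process findings (added example)."""
import re
from dataclasses import dataclass, field

# Directories a standard user can normally write to (assumption for this
# example). A service image here can be swapped without admin rights.
USER_WRITABLE = re.compile(
    r"(\\users\\[^\\]+\\appdata\\local\\temp\\|"
    r"\\users\\[^\\]+\\downloads\\|"
    r"\\programdata\\|"
    r"\\windows\\temp\\)",
    re.IGNORECASE,
)
# Registry path of a service's ImagePath value, in the form the report prints.
IMAGEPATH_KEY = re.compile(
    r"^\\REGISTRY\\MACHINE\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)"
    r"\\Services\\(?P<svc>[^\\]+)\\ImagePath$",
    re.IGNORECASE,
)
GEO_NATION_KEY = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)


def normalize_nt_path(value: str) -> str:
    """Strip surrounding quotes and the NT object-manager prefix \\??\\."""
    value = value.strip().strip('"')
    if value.startswith("\\??\\"):
        value = value[4:]
    return value


def service_image_in_user_writable(key: str, value: str):
    """Return (service, image) if key is Services\\<svc>\\ImagePath and the
    image lies in a user-writable directory; otherwise None."""
    m = IMAGEPATH_KEY.match(key)
    if not m:
        return None
    image = normalize_nt_path(value).split(" ", 1)[0]  # drop any arguments
    if USER_WRITABLE.search(image):
        return m.group("svc"), image
    return None


@dataclass
class Finding:
    pid: int
    process: str
    reasons: list = field(default_factory=list)
    severity: str = "info"


def analyze(events):
    """Group behaviours by PID; a user-writable service image combined with
    driver-load activity in the same process is rated high."""
    findings, tags = {}, {}
    for ev in events:
        f = findings.setdefault(ev["pid"], Finding(ev["pid"], ev["process"]))
        t = tags.setdefault(ev["pid"], set())
        if ev["type"] == "reg_set":
            hit = service_image_in_user_writable(ev["key"], ev["value"])
            if hit:
                t.add("imagepath_user_writable")
                f.reasons.append(f"service {hit[0]} ImagePath in user-writable dir: {hit[1]}")
        elif ev["type"] == "priv_adjust" and ev["privilege"] == "SeLoadDriverPrivilege":
            t.add("load_driver_priv")
            f.reasons.append("enabled SeLoadDriverPrivilege")
        elif ev["type"] == "driver_load":
            t.add("driver_loaded")
            f.reasons.append("loaded a driver")
        elif ev["type"] == "reg_query" and GEO_NATION_KEY.search(ev["key"]):
            t.add("geo_lookup")
            f.reasons.append("queried Geo\\Nation (possible geofence)")
    for pid, f in findings.items():
        if "imagepath_user_writable" in tags[pid] and tags[pid] & {"load_driver_priv", "driver_loaded"}:
            f.severity = "high"
        elif f.reasons:
            f.severity = "medium"
    return {pid: f for pid, f in findings.items() if f.reasons}


# Constructed events: the first four mirror the report's IoCs, the last is a
# benign control (driver registered under System32) that must not fire.
SAMPLE_EVENTS = [
    {"type": "reg_query", "pid": 524, "process": "injector.exe",
     "key": "\\REGISTRY\\USER\\S-1-5-21-609813121-2907144057-1731107329-1000"
            "\\Control Panel\\International\\Geo\\Nation"},
    {"type": "reg_set", "pid": 1356, "process": "5repV.exe",
     "key": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\lenpFVYYWFYbWnkvFUkJD\\ImagePath",
     "value": "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\lenpFVYYWFYbWnkvFUkJD"},
    {"type": "priv_adjust", "pid": 1356, "process": "5repV.exe", "privilege": "SeLoadDriverPrivilege"},
    {"type": "driver_load", "pid": 1356, "process": "5repV.exe"},
    {"type": "reg_set", "pid": 700, "process": "services.exe",
     "key": "\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\MyDrv\\ImagePath",
     "value": "\\SystemRoot\\System32\\drivers\\mydrv.sys"},
]

if __name__ == "__main__":
    for pid, f in sorted(analyze(SAMPLE_EVENTS).items()):
        print(f"[{f.severity}] pid {pid} {f.process}: " + "; ".join(f.reasons))
```

On the report's events this rates 5repV.exe (PID 1356) high and injector.exe (PID 524) medium on the geofence lookup alone; the ImagePath check is keyed on the directory, not on a .sys extension, because the image name in the report carries none.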
Processes
C:\Users\Admin\AppData\Local\Temp\injector.exe  "C:\Users\Admin\AppData\Local\Temp\injector.exe"  (PID 524)
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c cls  (PID 1268)
  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c color 9  (PID 3252)
  C:\Windows\SoftwareDistribution\Download\5repV.exe  "C:\Windows\SoftwareDistribution\Download\5repV.exe"  (PID 1356)
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
The two cmd.exe children only clear the console and set its colour (cls, color 9); the dropped 5repV.exe is the process that registers the service and loads the driver.
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 100KB
MD5: 9886a738e05f8a8fe04e9d0c81cc0909
SHA1: f659c6a123eb11f6f34f618265dbd54a9aa7f5e3
SHA256: abf99bd1d851c4c7015b999e81fb080e7e1147973e6a3a77c8ba7895cc8abbb6
SHA512: 0d3b9e9a1a38efe1e963b929a33a8a13d4636d8056ab04fce958333db983b9fb401946c9b6990d18e9c2e2d4c2dbd2fb6aae5385e4234a5d86ef8adb98d56a21