Analysis
- max time kernel: 146s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-03-2024 05:04
Static task: static1
Behavioral task: behavioral1
- Sample: b1493c9c3de438c1d925f3a4af556f04.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: b1493c9c3de438c1d925f3a4af556f04.exe
- Resource: win10v2004-20240226-en
General
- Target: b1493c9c3de438c1d925f3a4af556f04.exe
- Size: 2.2MB
- MD5: b1493c9c3de438c1d925f3a4af556f04
- SHA1: 16ba06f5872a5d79ad1dd835669a9d5f55cf10d2
- SHA256: 418f4beab3913272a5ce86075202e67fe89a273c7840b53d0eccb0229dfea020
- SHA512: 9556f48f59abd27cdd919fcb892de800d5291b012ebef9c4042804662f58f671fff8f700f3c22e9c6566f7994fcbd7cbadd35625faa1e17e5f72285b4359fad9
- SSDEEP: 24576:0KtlfLm3/4s8krM4hsJgqGMDA2Q0CDwuJZqrMNCYjef9juun4MoTq0:Hj44VTgfH2r6qfpo2
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | b1493c9c3de438c1d925f3a4af556f04.exe
- Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | b1493c9c3de438c1d925f3a4af556f04.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | b1493c9c3de438c1d925f3a4af556f04.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  4496 | svchost.exe
  4040 | AddInProcess32.exe
- YARA rule matches (signature name not present in the extracted page)
  resource | yara_rule
  behavioral2/memory/4040-30-0x0000000000900000-0x0000000000CE4000-memory.dmp | upx
  behavioral2/memory/4040-31-0x0000000000900000-0x0000000000CE4000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe" | reg.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 4496 set thread context of 4040 | 4496 | svchost.exe | 94
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  1532 | 4040 | WerFault.exe | 94
- Suspicious behavior: EnumeratesProcesses (21 IoCs)
  pid | Process
  3244 | b1493c9c3de438c1d925f3a4af556f04.exe (20 identical entries)
  4496 | svchost.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3244 | b1493c9c3de438c1d925f3a4af556f04.exe
  Token: SeDebugPrivilege | 4496 | svchost.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 3244 wrote to memory of 5032 | 3244 | b1493c9c3de438c1d925f3a4af556f04.exe | 89 (3 identical entries)
  PID 5032 wrote to memory of 2904 | 5032 | cmd.exe | 91 (3 identical entries)
  PID 3244 wrote to memory of 4496 | 3244 | b1493c9c3de438c1d925f3a4af556f04.exe | 92 (3 identical entries)
  PID 4496 wrote to memory of 4040 | 4496 | svchost.exe | 94 (7 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\b1493c9c3de438c1d925f3a4af556f04.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b1493c9c3de438c1d925f3a4af556f04.exe"
  PID: 3244
  Signatures: Checks computer location settings; Drops startup file; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "svchost" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
    PID: 5032
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "svchost" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
      PID: 2904
      Signatures: Adds Run key to start application
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
    PID: 4496
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\\AddInProcess32.exe"
      PID: 4040
      Signatures: Executes dropped EXE
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 188
        PID: 1532
        Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4040 -ip 4040
  PID: 4084
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 42KB
  MD5: 9827ff3cdf4b83f9c86354606736ca9c
  SHA1: e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723
  SHA256: c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a
  SHA512: 8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579
- Filesize: 1.4MB
  MD5: 217647354f5d8fef9793b87848a5e5c6
  SHA1: f6c04b6afb8574833619293651a7c6aeab999644
  SHA256: 44c0477b08b80765788d30738d24caaad26b217ba11880fd92d8ce5e254b88aa
  SHA512: f140e830447dc96cd10db1652b072bb6fb403bca34322783408a5181716a3c568d96abc067821462ff724c1dc70f4755559c7cf788c86f31f0658e24570d9458
- Filesize: 2.2MB
  MD5: b1493c9c3de438c1d925f3a4af556f04
  SHA1: 16ba06f5872a5d79ad1dd835669a9d5f55cf10d2
  SHA256: 418f4beab3913272a5ce86075202e67fe89a273c7840b53d0eccb0229dfea020
  SHA512: 9556f48f59abd27cdd919fcb892de800d5291b012ebef9c4042804662f58f671fff8f700f3c22e9c6566f7994fcbd7cbadd35625faa1e17e5f72285b4359fad9