13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882

Analysis

max time kernel
173s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

custom111.exe
Size

24.9MB
MD5

4e1c29f0c1af62ddea916c6b80548c76
SHA1

38d9f15356b6a65f4e76ee739867d55b01493793
SHA256

13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882
SHA512

f863e54437a36b53f91057f74bdbfcaed90c93256333afe978be5f7b73b417a74084d3a92afe4b6ceea96fd909997cf22b30612c43d6d0d27c64c0bba7db9c28
SSDEEP

49152:lfRW10dDWeHzJhNF/CBpOqqUe00zCMe8KfFo:lfw1yaeHLNF/22UwCL8yF

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	custom111.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	switched.exe

Executes dropped EXE 4 IoCs

pid	Process
2784	Client.exe
1608	switched.exe
4356	pulse x loader.exe
4768	tesetey.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4356	pulse x loader.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4768	tesetey.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3828 wrote to memory of 2784	3828	custom111.exe	103
PID 3828 wrote to memory of 2784	3828	custom111.exe	103
PID 3828 wrote to memory of 2784	3828	custom111.exe	103
PID 3828 wrote to memory of 1608	3828	custom111.exe	104
PID 3828 wrote to memory of 1608	3828	custom111.exe	104
PID 3828 wrote to memory of 1608	3828	custom111.exe	104
PID 1608 wrote to memory of 4356	1608	switched.exe	105
PID 1608 wrote to memory of 4356	1608	switched.exe	105
PID 1608 wrote to memory of 4768	1608	switched.exe	106
PID 1608 wrote to memory of 4768	1608	switched.exe	106
PID 1608 wrote to memory of 4768	1608	switched.exe	106
PID 4356 wrote to memory of 2768	4356	pulse x loader.exe	107
PID 4356 wrote to memory of 2768	4356	pulse x loader.exe	107
PID 2768 wrote to memory of 2232	2768	cmd.exe	110
PID 2768 wrote to memory of 2232	2768	cmd.exe	110
PID 2768 wrote to memory of 4364	2768	cmd.exe	111
PID 2768 wrote to memory of 4364	2768	cmd.exe	111
PID 2768 wrote to memory of 3504	2768	cmd.exe	112
PID 2768 wrote to memory of 3504	2768	cmd.exe	112
PID 4768 wrote to memory of 32	4768	tesetey.exe	124
PID 4768 wrote to memory of 32	4768	tesetey.exe	124
PID 4768 wrote to memory of 32	4768	tesetey.exe	124

C:\Users\Admin\AppData\Local\Temp\custom111.exe
"C:\Users\Admin\AppData\Local\Temp\custom111.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3828
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Users\Admin\AppData\Local\Temp\switched.exe
  "C:\Users\Admin\AppData\Local\Temp\switched.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
    "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:4356
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\system32\certutil.exe
        
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
        5⤵
        
        PID:2232
    - - C:\Windows\system32\find.exe
        
        find /i /v "md5"
        5⤵
        
        PID:4364
    - - C:\Windows\system32\find.exe
        
        find /i /v "certutil"
        5⤵
        
        PID:3504
- - C:\Users\Admin\AppData\Local\Temp\tesetey.exe
    "C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4768
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cww0hbcg\cww0hbcg.cmdline"
      4⤵
      PID:32

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3952 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:4236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
216KB

MD5
339fa0249a4df86a6f48b8ca5eb71c50

SHA1
893e508cf08829af4b0933426ad25597a6dcf893

SHA256
dc0a80c2d0cd372c11749f3b48c6c7d06049ff42b87e47a34ee4b227cc0fad88

SHA512
1ecc89cf4b7066fd7e31edcd60249a240e290666a14e3adaf5df25ff73a4306af6985d2e6e6d683d8c988e7dc17c092f8466fc712310b3db60d2f8667faf8adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
357KB

MD5
3ca169e7dd598b61e50b2596c8fef2b1

SHA1
81c3483719d5a4476cec71c827c0ec4feb085f34

SHA256
95257639438064d9256ffeeef2b6498a488c2f183472c79d8b3e15a7ded4fe83

SHA512
2bb8f5dc48e16d887916dbce1d2871b9640a60c5237aa0ea5d68016d4cef6315e4a3462e3cbae30ec3bca20c33dd2472b301bc7cf9fd0ab69b7871ebfb13afd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
517KB

MD5
52d1ed39a91e338853e5e569a20cc51f

SHA1
dd97d913951a496b636b2a0ec31a37cf1eba89fa

SHA256
4edc517c79a7e2612180b2b428d7f4000ba7f77fa4cf8f12551a6fac82fddbc7

SHA512
65de442cc576598e8d62dcb476e3cbee01a5d0bdb0e3a2e1769bfae622586d6986b115b69f6d4c1e2e6eab2b9c5d3847d404a504e7db0c610b2806a24202c678

Download Submit
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

Filesize
941KB

MD5
49ff0d28046935ef1a54a71b8c4c49af

SHA1
64b89355e3c097eb90e789cd7e0605665879508e

SHA256
2ae5003110440596247b9a3a992af5e0b97da6591abec0d0b72ac91c265ffe65

SHA512
6e276f5d58de26fcbe5be9661ea268a4749d7833405480cc530a67093b10c2ba6dfabf2ae61c5e48a06372f6431196c1f6fef9e2955019bf1b012c9b38c931e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

Filesize
328KB

MD5
ba12cb4a3ac2edad168c4a560aa267b4

SHA1
29aaf147a426164ecca7a2d285a44c3a3c0008c1

SHA256
30a3041e4ae5f1afcaea92d31279f326715ef8c32f9466c74975bc4d3db9e482

SHA512
44413dd70987672a9cb127c7ac52636568fe004fca2d1128b32863a3ac28d8a8c6a393d30757df25698b3fe7252ca2ddbbb5db2ca78db76d10d97f82046eabff

Download Submit
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

Filesize
549KB

MD5
332a5c22c058b271f27ac3d7c0cd82f0

SHA1
3fcf1b35a61cfecdc153bc3c3f66f25dee5d07f0

SHA256
a549601f701734185b84b2157ce62a144a20b2d7587b127c6d218e8765e14c2a

SHA512
f37cd81fc02b6112989b8c69087f5fff26de0175647594794356e1b664875b7ca2baa39ed8fe877d9a86aa7429a235e21b4a8e49bc6fcae0364797329aeae1ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\switched.exe

Filesize
2.9MB

MD5
1a585b268ae3dfc74601794a69b27b3d

SHA1
fb9156c02f684b8ef052e5a3ef29769a337377de

SHA256
107c642f5a6301a00d8de2684a1cee41faef8f12f9325888ff0a9400f895fd03

SHA512
2b4f10eabc9dbef226cc5f962bb301e5745b3a632be9171f5f0ea665f4d0824a499abcf6be01171352fc2423172fd37eae0f30870680e649eb037d8b64408dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\switched.exe

Filesize
3.0MB

MD5
9d70b31636f98dd714093f0370028fec

SHA1
aa9754cb8aaff2480635475e3e0580a91ebd2e39

SHA256
9395fb97b98370192b7a9703dc6692b990c82edb016c771b38070a74fb6132ea

SHA512
217b8d873219eeade58baa0e64ba3f487c38ee064c4e605d89f2b85322641e3ed3595d96e41eb0b4f31c8327053c95df418c6fcdb3190fcb8701fd68fe760888

Download Submit
C:\Users\Admin\AppData\Local\Temp\switched.exe

Filesize
2.3MB

MD5
8acd36edfeff37e0994c1987cf94a714

SHA1
ecaf0cc174c3539feb90d79a9a3c22d16e5c54f7

SHA256
7b771c4bda57f4d118f7b208d8c4f0af9225dffa36d41ca152f4466a27303df6

SHA512
f8b45d5ac9fb7ad122ac1c6d2b18f8cbefb11138ba772de310093ed33c121257ebb727b48275cc02140ae1a3d3bd4d28ca126c89e5acabdb04d1f6cbf09b2f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\tesetey.exe

Filesize
494KB

MD5
0f0838bc6642dd6bc603368e50b4aba3

SHA1
932bd4d1c11996bf8ac3ac74a94b266e96d44c36

SHA256
4acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9

SHA512
a39605eaa160d4f918393c600d42873f2e6bfb54506edfbe590aac0f75d12b4aa66ff91192c0522c235695a9c6b95cd2dbe308b548b5f121ca6b6b7696029860

Download Submit
C:\Users\Admin\AppData\Local\Temp\tesetey.exe

Filesize
200KB

MD5
42fd033140c0e5ce96c34756615d095a

SHA1
6b9c25b23cfa2a398a4ea67021c43b6030eac5dd

SHA256
ef397a59c2c231186b6171c8524f187ee92bcf42b8670fca1e05d0c3a356fc4b

SHA512
d32cd706d0c2f51f2c114b8f5aad298890af94d3736285b987761a2da3028265d2d142f4b40c9f0d2f8c9a68da1419c28527abc3568354d17e5ba6aef0dd5001

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cww0hbcg\cww0hbcg.cmdline

Filesize
449B

MD5
eab87d0fb9657854c23af86ad9eb9310

SHA1
041c96e0e1fe47acdbcf546f8f4ef0ae9e29d0d4

SHA256
f125e4128785432ee40c8fff5281d38bf021189b35236a6f89e8931e0cac31ab

SHA512
7166dfcee42c5269ab89514db9e71050296e5895e94757b0f022916ccd4bbcd40ad8a32ea65729f3661aa6298079803201313a033b9bfdc15f8e024040446aaa

Download Submit
memory/2784-39-0x0000000074E80000-0x0000000075630000-memory.dmp

Filesize
7.7MB

Download
memory/2784-44-0x0000000074E80000-0x0000000075630000-memory.dmp

Filesize
7.7MB

Download
memory/2784-52-0x00000000057A0000-0x00000000057B0000-memory.dmp

Filesize
64KB

Download
memory/2784-42-0x0000000000590000-0x0000000000BD0000-memory.dmp

Filesize
6.2MB

Download
memory/2784-49-0x00000000057A0000-0x00000000057B0000-memory.dmp

Filesize
64KB

Download
memory/4356-43-0x00007FF619650000-0x00007FF619A8C000-memory.dmp

Filesize
4.2MB

Download
memory/4356-36-0x00007FF619650000-0x00007FF619A8C000-memory.dmp

Filesize
4.2MB

Download
memory/4768-45-0x0000000074E80000-0x0000000075630000-memory.dmp

Filesize
7.7MB

Download
memory/4768-46-0x0000000005730000-0x00000000057CC000-memory.dmp

Filesize
624KB

Download
memory/4768-47-0x00000000057D0000-0x0000000005862000-memory.dmp

Filesize
584KB

Download
memory/4768-48-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/4768-40-0x0000000074E80000-0x0000000075630000-memory.dmp

Filesize
7.7MB

Download
memory/4768-50-0x0000000007360000-0x0000000007904000-memory.dmp

Filesize
5.6MB

Download
memory/4768-51-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/4768-41-0x0000000000950000-0x00000000009D2000-memory.dmp

Filesize
520KB

Download