Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/03/2024, 18:53
Static task: static1
Behavioral task: behavioral1
- Sample: c1599b70e4145735dd29e4ca674619b2.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: c1599b70e4145735dd29e4ca674619b2.exe
- Resource: win10v2004-20240226-en
General
- Target: c1599b70e4145735dd29e4ca674619b2.exe
- Size: 228KB
- MD5: c1599b70e4145735dd29e4ca674619b2
- SHA1: 4ef50fe0e43b28d29e59e00a9a06860c1314a1f1
- SHA256: b2a3e747888965b0379759c9619f8d283678b32fdd0de6f3503a022b57f78d3d
- SHA512: a6bf37915f297b3ab163a6c4ed3233cbf347bbf16d42bd25c1bbe32f8be4c5c191f7f9dcd5900eaf3f9c6919d21ff1e4bcc2d2ad86c9e1ee0d52d848eea374b1
- SSDEEP: 3072:1c52nLeK1ZmLIgI4TDsvaw3V8n6T+C8dwcEgzlJY8No1LnOIQkioYxiTT3:G52l1ZOZIYDArzPGEgzlJY8Kn0QTT3
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation
  Process: c1599b70e4145735dd29e4ca674619b2.exe
- Executes dropped EXE (1 IoC)
  pid 1732, Process coxnuuyczh.exe
- Loads dropped DLL (1 IoC)
  pid 1732, Process coxnuuyczh.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  4988  3656        WerFault.exe  84
  4548  1732        WerFault.exe  101
- Kills process with taskkill (1 IoC)
  pid 4768, Process taskkill.exe
- Runs ping.exe (1 TTP, 1 IoC)
  pid 3840, Process PING.EXE
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1732, Process coxnuuyczh.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege; pid 4768, Process taskkill.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid 1732, Process coxnuuyczh.exe (3 identical entries)
- Suspicious use of SendNotifyMessage (3 IoCs)
  pid 1732, Process coxnuuyczh.exe (3 identical entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                               procid_target  entries
  PID 3656 wrote to memory of 1096  3656  c1599b70e4145735dd29e4ca674619b2.exe  96             3
  PID 1096 wrote to memory of 4768  1096  cmd.exe                               98             3
  PID 1096 wrote to memory of 3840  1096  cmd.exe                               100            3
  PID 1096 wrote to memory of 1732  1096  cmd.exe                               101            3
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\c1599b70e4145735dd29e4ca674619b2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c1599b70e4145735dd29e4ca674619b2.exe"
  PID: 3656
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 492
    PID: 4988
    - Program crash
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 3656 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\c1599b70e4145735dd29e4ca674619b2.exe" & start C:\Users\Admin\AppData\Local\COXNUU~1.EXE -f
    PID: 1096
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /pid 3656
      PID: 4768
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 3 127.1
      PID: 3840
      - Runs ping.exe
    - [3] C:\Users\Admin\AppData\Local\coxnuuyczh.exe
      Command line: C:\Users\Admin\AppData\Local\COXNUU~1.EXE -f
      PID: 1732
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - [4] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 504
        PID: 4548
        - Program crash
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3656 -ip 3656
  PID: 2568
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1732 -ip 1732
  PID: 4752
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 228KB
  MD5: c1599b70e4145735dd29e4ca674619b2
  SHA1: 4ef50fe0e43b28d29e59e00a9a06860c1314a1f1
  SHA256: b2a3e747888965b0379759c9619f8d283678b32fdd0de6f3503a022b57f78d3d
  SHA512: a6bf37915f297b3ab163a6c4ed3233cbf347bbf16d42bd25c1bbe32f8be4c5c191f7f9dcd5900eaf3f9c6919d21ff1e4bcc2d2ad86c9e1ee0d52d848eea374b1