Overview

overview

10

Static

static

3

c2782a39f9...58.exe

windows7-x64

10

c2782a39f9...58.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-03-2024 04:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c2782a39f926d39bc8956287b18b6458.exe

  • Size

    1.2MB

  • MD5

    c2782a39f926d39bc8956287b18b6458

  • SHA1

    9a2d787b0e1f0b185d42ba23758288c59dd8bcf8

  • SHA256

    453bd25a3bbf0f41ff91e7abe0261ce7c57d87889b37d0a0b938498f4ec5c1da

  • SHA512

    dd4094bb548b972bef4c47d891f58c3fe4a2dbb7d6180437545b9b95ba8cc45fa8ddb56c2a97b0bfb364201f850790b7652d484f53961559d46c964bc12cbc9b

  • SSDEEP

    12288:VAORj9ujWEfhwtk4S/+JrbiKys3qOJZBSd//KrqFoDLYFPsViq5htc1KUH/Enj2w:JV9GvLJ/gISX57bE4DRCWhU4vKqb

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 10 IoCs
    evasion
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c2782a39f926d39bc8956287b18b6458.exe
    "C:\Users\Admin\AppData\Local\Temp\c2782a39f926d39bc8956287b18b6458.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4228
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\java.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5060
      • C:\Windows\SysWOW64\wscript.exe
        wscript.exe "C:\Users\Admin\AppData\Local\Temp\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\java2.bat
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3664
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\java2.bat" "
          4⤵
          • Drops startup file
          PID:1844
    • C:\Windows\Temp\nice.exe
      C:\Windows\Temp\nice.exe
      2⤵
        PID:4672
      • C:\Windows\Temp\nice.exe
        C:\Windows\Temp\nice.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3396
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4188
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            4⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:2864
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Temp\nice.exe" /t REG_SZ /d "C:\Windows\Temp\nice.exe:*:Enabled:Windows Messanger" /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4604
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Temp\nice.exe" /t REG_SZ /d "C:\Windows\Temp\nice.exe:*:Enabled:Windows Messanger" /f
            4⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:3740
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4024
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            4⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:4444
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\nice.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\nice.exe:*:Enabled:Windows Messanger" /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3632
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\nice.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\nice.exe:*:Enabled:Windows Messanger" /f
            4⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:780
      • C:\Windows\Temp\nice.exe
        C:\Windows\Temp\nice.exe
        2⤵
          PID:4504
        • C:\Windows\Temp\nice.exe
          C:\Windows\Temp\nice.exe
          2⤵
            PID:1972

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\invs.vbs
          Filesize

          78B

          MD5

          c578d9653b22800c3eb6b6a51219bbb8

          SHA1

          a97aa251901bbe179a48dbc7a0c1872e163b1f2d

          SHA256

          20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

          SHA512

          3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\java.bat
          Filesize

          47B

          MD5

          81bf5400486e5da45ba0c6c1399d843f

          SHA1

          d70a7c4d3f3057a3ef5b8b1c764b40b3d3b4d59d

          SHA256

          d1a915a5e0286b1648a6e094f52813e2b5766dce3acf6342b297f7ca113545f1

          SHA512

          ebeee9eb5249ee1b278bf6c1fbcd91e4c073a241203f218dfa2edfa708a37679c6e6a78751de55b4640a024b32ce4389bd5d931401309163950cd15b4a91c140

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\java2.bat
          Filesize

          143B

          MD5

          aa67be701508be9c09223652e3e37900

          SHA1

          c571173a4c207881ccf32fed662934599ff028d7

          SHA256

          45bb305525ae1e8e59ddb2e90545e5498472f4169b206937ad025a6905b928de

          SHA512

          59fbda0d0ec068f4b94fe76339a7683340552d8041a661ace7eb66e94a3b6095fe2dd396afa4af804c303673dc54cae3d46b8305a5ee5d584b756a0737684a6d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\rundll32-.txt
          Filesize

          1.2MB

          MD5

          c2782a39f926d39bc8956287b18b6458

          SHA1

          9a2d787b0e1f0b185d42ba23758288c59dd8bcf8

          SHA256

          453bd25a3bbf0f41ff91e7abe0261ce7c57d87889b37d0a0b938498f4ec5c1da

          SHA512

          dd4094bb548b972bef4c47d891f58c3fe4a2dbb7d6180437545b9b95ba8cc45fa8ddb56c2a97b0bfb364201f850790b7652d484f53961559d46c964bc12cbc9b

          Download Submit

        • C:\Windows\Temp\nice.exe
          Filesize

          1.1MB

          MD5

          d881de17aa8f2e2c08cbb7b265f928f9

          SHA1

          08936aebc87decf0af6e8eada191062b5e65ac2a

          SHA256

          b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

          SHA512

          5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

          Download Submit

        • memory/3396-49-0x0000000000400000-0x0000000000470000-memory.dmp

          Filesize

          448KB

          Download

        • memory/3396-46-0x0000000000400000-0x0000000000470000-memory.dmp

          Filesize

          448KB

          Download

        • memory/3396-23-0x0000000000400000-0x0000000000470000-memory.dmp

          Filesize

          448KB

          Download

        • memory/3396-59-0x0000000000400000-0x0000000000470000-memory.dmp

          Filesize

          448KB

          Download

        • memory/3396-58-0x0000000000400000-0x0000000000470000-memory.dmp

          Filesize

          448KB

          Download

        • memory/3396-57-0x0000000000400000-0x0000000000470000-memory.dmp

          Filesize

          448KB

          Download

        • memory/3396-37-0x0000000000400000-0x0000000000470000-memory.dmp

          Filesize

          448KB

          Download

        • memory/3396-55-0x0000000000400000-0x0000000000470000-memory.dmp

          Filesize

          448KB

          Download

        • memory/3396-54-0x0000000000400000-0x0000000000470000-memory.dmp

          Filesize

          448KB

          Download

        • memory/3396-53-0x0000000000400000-0x0000000000470000-memory.dmp

          Filesize

          448KB

          Download

        • memory/3396-44-0x0000000000400000-0x0000000000470000-memory.dmp

          Filesize

          448KB

          Download

        • memory/3396-17-0x0000000000400000-0x0000000000470000-memory.dmp

          Filesize

          448KB

          Download

        • memory/3396-47-0x0000000000400000-0x0000000000470000-memory.dmp

          Filesize

          448KB

          Download

        • memory/3396-50-0x0000000000400000-0x0000000000470000-memory.dmp

          Filesize

          448KB

          Download

        • memory/4228-0-0x0000000075260000-0x0000000075811000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/4228-42-0x0000000075260000-0x0000000075811000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/4228-39-0x0000000001440000-0x0000000001450000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4228-38-0x0000000075260000-0x0000000075811000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/4228-1-0x0000000075260000-0x0000000075811000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/4228-2-0x0000000001440000-0x0000000001450000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4228-3-0x0000000001440000-0x0000000001450000-memory.dmp

          Filesize

          64KB

          Download