8a52bc2c0c8e66a9b1f638763200438b9a611a9d990cc6f95b3d089832e8455b

Analysis

max time kernel
254s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18/03/2024, 16:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EXPUNGEDv3.exe
Size

290KB
MD5

d8226317108044054e82c1e68fda8a47
SHA1

509f7238935d1130dae843b07f2d81aa9b57b1bc
SHA256

8a52bc2c0c8e66a9b1f638763200438b9a611a9d990cc6f95b3d089832e8455b
SHA512

4b5a407f84da5c6c621046df0f26d777ea43f220155aef02ebf0f549d3661cd0cbc8057e8c9e5acf1c28d6057d67c89b77df69a545c321e50695475962fd5881
SSDEEP

3072:ClPur1xNfoPCUf8OYZbB4ya2TKGJA4IPKfjK/S8R:ClwNQYNB4QKGHC

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	EXPUNGEDv3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Collects information from the system 1 TTPs 24 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
4964	WMIC.exe
4776	WMIC.exe
3856	WMIC.exe
4500	WMIC.exe
4464	WMIC.exe
3044	WMIC.exe
1652	WMIC.exe
180	WMIC.exe
4124	WMIC.exe
2372	WMIC.exe
3320	WMIC.exe
2264	WMIC.exe
4720	WMIC.exe
3120	WMIC.exe
4064	WMIC.exe
660	WMIC.exe
4796	WMIC.exe
3852	WMIC.exe
4920	WMIC.exe
428	WMIC.exe
2480	WMIC.exe
4420	WMIC.exe
1084	WMIC.exe
4800	WMIC.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4720	WMIC.exe
Token: SeSecurityPrivilege	4720	WMIC.exe
Token: SeTakeOwnershipPrivilege	4720	WMIC.exe
Token: SeLoadDriverPrivilege	4720	WMIC.exe
Token: SeSystemProfilePrivilege	4720	WMIC.exe
Token: SeSystemtimePrivilege	4720	WMIC.exe
Token: SeProfSingleProcessPrivilege	4720	WMIC.exe
Token: SeIncBasePriorityPrivilege	4720	WMIC.exe
Token: SeCreatePagefilePrivilege	4720	WMIC.exe
Token: SeBackupPrivilege	4720	WMIC.exe
Token: SeRestorePrivilege	4720	WMIC.exe
Token: SeShutdownPrivilege	4720	WMIC.exe
Token: SeDebugPrivilege	4720	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4720	WMIC.exe
Token: SeRemoteShutdownPrivilege	4720	WMIC.exe
Token: SeUndockPrivilege	4720	WMIC.exe
Token: SeManageVolumePrivilege	4720	WMIC.exe
Token: 33	4720	WMIC.exe
Token: 34	4720	WMIC.exe
Token: 35	4720	WMIC.exe
Token: 36	4720	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4720	WMIC.exe
Token: SeSecurityPrivilege	4720	WMIC.exe
Token: SeTakeOwnershipPrivilege	4720	WMIC.exe
Token: SeLoadDriverPrivilege	4720	WMIC.exe
Token: SeSystemProfilePrivilege	4720	WMIC.exe
Token: SeSystemtimePrivilege	4720	WMIC.exe
Token: SeProfSingleProcessPrivilege	4720	WMIC.exe
Token: SeIncBasePriorityPrivilege	4720	WMIC.exe
Token: SeCreatePagefilePrivilege	4720	WMIC.exe
Token: SeBackupPrivilege	4720	WMIC.exe
Token: SeRestorePrivilege	4720	WMIC.exe
Token: SeShutdownPrivilege	4720	WMIC.exe
Token: SeDebugPrivilege	4720	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4720	WMIC.exe
Token: SeRemoteShutdownPrivilege	4720	WMIC.exe
Token: SeUndockPrivilege	4720	WMIC.exe
Token: SeManageVolumePrivilege	4720	WMIC.exe
Token: 33	4720	WMIC.exe
Token: 34	4720	WMIC.exe
Token: 35	4720	WMIC.exe
Token: 36	4720	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2480	WMIC.exe
Token: SeSecurityPrivilege	2480	WMIC.exe
Token: SeTakeOwnershipPrivilege	2480	WMIC.exe
Token: SeLoadDriverPrivilege	2480	WMIC.exe
Token: SeSystemProfilePrivilege	2480	WMIC.exe
Token: SeSystemtimePrivilege	2480	WMIC.exe
Token: SeProfSingleProcessPrivilege	2480	WMIC.exe
Token: SeIncBasePriorityPrivilege	2480	WMIC.exe
Token: SeCreatePagefilePrivilege	2480	WMIC.exe
Token: SeBackupPrivilege	2480	WMIC.exe
Token: SeRestorePrivilege	2480	WMIC.exe
Token: SeShutdownPrivilege	2480	WMIC.exe
Token: SeDebugPrivilege	2480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2480	WMIC.exe
Token: SeRemoteShutdownPrivilege	2480	WMIC.exe
Token: SeUndockPrivilege	2480	WMIC.exe
Token: SeManageVolumePrivilege	2480	WMIC.exe
Token: 33	2480	WMIC.exe
Token: 34	2480	WMIC.exe
Token: 35	2480	WMIC.exe
Token: 36	2480	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2480	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 4972	1800	EXPUNGEDv3.exe	90
PID 1800 wrote to memory of 4972	1800	EXPUNGEDv3.exe	90
PID 4972 wrote to memory of 3424	4972	cmd.exe	92
PID 4972 wrote to memory of 3424	4972	cmd.exe	92
PID 3424 wrote to memory of 4720	3424	cmd.exe	93
PID 3424 wrote to memory of 4720	3424	cmd.exe	93
PID 4972 wrote to memory of 2944	4972	cmd.exe	99
PID 4972 wrote to memory of 2944	4972	cmd.exe	99
PID 2944 wrote to memory of 2480	2944	cmd.exe	100
PID 2944 wrote to memory of 2480	2944	cmd.exe	100
PID 4972 wrote to memory of 4904	4972	cmd.exe	102
PID 4972 wrote to memory of 4904	4972	cmd.exe	102
PID 4904 wrote to memory of 3120	4904	cmd.exe	103
PID 4904 wrote to memory of 3120	4904	cmd.exe	103
PID 4972 wrote to memory of 4480	4972	cmd.exe	106
PID 4972 wrote to memory of 4480	4972	cmd.exe	106
PID 4480 wrote to memory of 4420	4480	cmd.exe	107
PID 4480 wrote to memory of 4420	4480	cmd.exe	107
PID 4972 wrote to memory of 3512	4972	cmd.exe	109
PID 4972 wrote to memory of 3512	4972	cmd.exe	109
PID 3512 wrote to memory of 3044	3512	cmd.exe	110
PID 3512 wrote to memory of 3044	3512	cmd.exe	110
PID 4972 wrote to memory of 5024	4972	cmd.exe	112
PID 4972 wrote to memory of 5024	4972	cmd.exe	112
PID 5024 wrote to memory of 1084	5024	cmd.exe	113
PID 5024 wrote to memory of 1084	5024	cmd.exe	113
PID 4972 wrote to memory of 4332	4972	cmd.exe	114
PID 4972 wrote to memory of 4332	4972	cmd.exe	114
PID 4332 wrote to memory of 1652	4332	cmd.exe	115
PID 4332 wrote to memory of 1652	4332	cmd.exe	115
PID 4972 wrote to memory of 316	4972	cmd.exe	116
PID 4972 wrote to memory of 316	4972	cmd.exe	116
PID 316 wrote to memory of 180	316	cmd.exe	117
PID 316 wrote to memory of 180	316	cmd.exe	117
PID 4972 wrote to memory of 4044	4972	cmd.exe	118
PID 4972 wrote to memory of 4044	4972	cmd.exe	118
PID 4044 wrote to memory of 4800	4044	cmd.exe	119
PID 4044 wrote to memory of 4800	4044	cmd.exe	119
PID 4972 wrote to memory of 4720	4972	cmd.exe	120
PID 4972 wrote to memory of 4720	4972	cmd.exe	120
PID 4720 wrote to memory of 4064	4720	cmd.exe	121
PID 4720 wrote to memory of 4064	4720	cmd.exe	121
PID 4972 wrote to memory of 3564	4972	cmd.exe	122
PID 4972 wrote to memory of 3564	4972	cmd.exe	122
PID 3564 wrote to memory of 4964	3564	cmd.exe	123
PID 3564 wrote to memory of 4964	3564	cmd.exe	123
PID 4972 wrote to memory of 1660	4972	cmd.exe	124
PID 4972 wrote to memory of 1660	4972	cmd.exe	124
PID 1660 wrote to memory of 4124	1660	cmd.exe	125
PID 1660 wrote to memory of 4124	1660	cmd.exe	125
PID 4972 wrote to memory of 1496	4972	cmd.exe	126
PID 4972 wrote to memory of 1496	4972	cmd.exe	126
PID 1496 wrote to memory of 4796	1496	cmd.exe	127
PID 1496 wrote to memory of 4796	1496	cmd.exe	127
PID 4972 wrote to memory of 508	4972	cmd.exe	128
PID 4972 wrote to memory of 508	4972	cmd.exe	128
PID 508 wrote to memory of 3856	508	cmd.exe	129
PID 508 wrote to memory of 3856	508	cmd.exe	129
PID 4972 wrote to memory of 1440	4972	cmd.exe	130
PID 4972 wrote to memory of 1440	4972	cmd.exe	130
PID 1440 wrote to memory of 660	1440	cmd.exe	131
PID 1440 wrote to memory of 660	1440	cmd.exe	131
PID 4972 wrote to memory of 2876	4972	cmd.exe	133
PID 4972 wrote to memory of 2876	4972	cmd.exe	133

C:\Users\Admin\AppData\Local\Temp\EXPUNGEDv3.exe
"C:\Users\Admin\AppData\Local\Temp\EXPUNGEDv3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic logicaldisk get caption
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3424
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption
      4⤵
      Collects information from the system
      Suspicious use of AdjustPrivilegeToken
      PID:4720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic logicaldisk get caption
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption
      4⤵
      Collects information from the system
      Suspicious use of AdjustPrivilegeToken
      PID:2480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic logicaldisk get caption
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4904
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption
      4⤵
      Collects information from the system
      PID:3120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic logicaldisk get caption
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4480
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption
      4⤵
      Collects information from the system
      PID:4420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic logicaldisk get caption
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3512
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption
      4⤵
      Collects information from the system
      PID:3044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic logicaldisk get caption
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5024
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption
      4⤵
      Collects information from the system
      PID:1084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic logicaldisk get caption
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4332
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption
      4⤵
      Collects information from the system
      PID:1652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic logicaldisk get caption
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption
      4⤵
      Collects information from the system
      PID:180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic logicaldisk get caption
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4044
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption
      4⤵
      Collects information from the system
      PID:4800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic logicaldisk get caption
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4720
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption
      4⤵
      Collects information from the system
      PID:4064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic logicaldisk get caption
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3564
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption
      4⤵
      Collects information from the system
      PID:4964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic logicaldisk get caption
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption
      4⤵
      Collects information from the system
      PID:4124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic logicaldisk get caption
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption
      4⤵
      Collects information from the system
      PID:4796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic logicaldisk get caption
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:508
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption
      4⤵
      Collects information from the system
      PID:3856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic logicaldisk get caption
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption
      4⤵
      Collects information from the system
      PID:660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic logicaldisk get caption
    3⤵
    PID:2876
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption
      4⤵
      Collects information from the system
      PID:2372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic logicaldisk get caption
    3⤵
    PID:4468
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption
      4⤵
      Collects information from the system
      PID:3320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic logicaldisk get caption
    3⤵
    PID:4212
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption
      4⤵
      Collects information from the system
      PID:2264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic logicaldisk get caption
    3⤵
    PID:2640
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption
      4⤵
      Collects information from the system
      PID:4776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic logicaldisk get caption
    3⤵
    PID:444
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption
      4⤵
      Collects information from the system
      PID:3852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic logicaldisk get caption
    3⤵
    PID:4576
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption
      4⤵
      Collects information from the system
      PID:4500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic logicaldisk get caption
    3⤵
    PID:4724
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption
      4⤵
      Collects information from the system
      PID:4464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic logicaldisk get caption
    3⤵
    PID:2992
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption
      4⤵
      Collects information from the system
      PID:4920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic logicaldisk get caption
    3⤵
    PID:4860
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption
      4⤵
      Collects information from the system
      PID:428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cmd.bat

Filesize
6KB

MD5
530533e09f1eeea858a42131da84d4d7

SHA1
9b6671bb702138d840d5c93d8b52a95f44464d28

SHA256
7f41133f4fd205cf5173505694869d628c44a0a961f37ad2180c2a40d3e5ddb9

SHA512
f01b5beaf046d7fde0e9c86f203583d51e2ff19e0670c6b7bc3a729ca07ec5902bed8f46b1064bd785b2db3ffa116dce7304d35eb740eb2bb66a1ec3abe3d7b9

Download Submit
memory/1800-0-0x0000000000670000-0x00000000006BE000-memory.dmp

Filesize
312KB

Download
memory/1800-4-0x00007FFAF8100000-0x00007FFAF8BC1000-memory.dmp

Filesize
10.8MB

Download
memory/1800-6-0x00007FFAF8100000-0x00007FFAF8BC1000-memory.dmp

Filesize
10.8MB

Download