Analysis
-
max time kernel
146s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240319-en -
resource tags
arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system -
submitted
28-03-2024 23:58
Static task
static1
Behavioral task
behavioral1
Sample
fe746895cb0ea59e16b71c9507a9d0fb5173a93b4da63e6a12f58fc45417fa1e.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
fe746895cb0ea59e16b71c9507a9d0fb5173a93b4da63e6a12f58fc45417fa1e.exe
Resource
win10v2004-20240319-en
General
-
Target
fe746895cb0ea59e16b71c9507a9d0fb5173a93b4da63e6a12f58fc45417fa1e.exe
-
Size
197KB
-
MD5
909ef8750f6e448a033cdd899f08e4e8
-
SHA1
280397956ad0b2b8deb0f4fa4417ff004b12b97d
-
SHA256
fe746895cb0ea59e16b71c9507a9d0fb5173a93b4da63e6a12f58fc45417fa1e
-
SHA512
184aaa79bea2c6ad976baace8512c899661ec0c2b37b6ba99e62ca9d9ba08ba39a56fcf234f321cb84b70e95efcd59c59ac26a4c2b1c549ba079aa17afa41499
-
SSDEEP
6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOI:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXx
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation fe746895cb0ea59e16b71c9507a9d0fb5173a93b4da63e6a12f58fc45417fa1e.exe -
Executes dropped EXE 1 IoCs
pid Process 5060 zewhost.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Debug\zewhost.exe fe746895cb0ea59e16b71c9507a9d0fb5173a93b4da63e6a12f58fc45417fa1e.exe File opened for modification C:\Windows\Debug\zewhost.exe fe746895cb0ea59e16b71c9507a9d0fb5173a93b4da63e6a12f58fc45417fa1e.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 zewhost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz zewhost.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 3824 fe746895cb0ea59e16b71c9507a9d0fb5173a93b4da63e6a12f58fc45417fa1e.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3824 wrote to memory of 3472 3824 fe746895cb0ea59e16b71c9507a9d0fb5173a93b4da63e6a12f58fc45417fa1e.exe 97 PID 3824 wrote to memory of 3472 3824 fe746895cb0ea59e16b71c9507a9d0fb5173a93b4da63e6a12f58fc45417fa1e.exe 97 PID 3824 wrote to memory of 3472 3824 fe746895cb0ea59e16b71c9507a9d0fb5173a93b4da63e6a12f58fc45417fa1e.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe746895cb0ea59e16b71c9507a9d0fb5173a93b4da63e6a12f58fc45417fa1e.exe"C:\Users\Admin\AppData\Local\Temp\fe746895cb0ea59e16b71c9507a9d0fb5173a93b4da63e6a12f58fc45417fa1e.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3824 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\FE7468~1.EXE > nul2⤵PID:3472
-
-
C:\Windows\Debug\zewhost.exeC:\Windows\Debug\zewhost.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:5060
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4472 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:81⤵PID:4840
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
197KB
MD5fc2bde0c882885aa39b898264bf8be52
SHA14e97f3d9f8cc698d481937a3fb39980ca0d72a76
SHA256e3bde11d908b3e00095f2a6d8ffc22ff8218b3c629899e2208e4bad7f5fbb700
SHA5123fb627ed9c2ac3a51e9528566aebcdb3b37c420b149451ec2a2013de525d516ff467c9a009f58eeeab40d4baa0742b98d4a91dcd7fae6680cdc44595b633f7dc