Analysis
Max time kernel: 108s
Max time network: 146s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 06-04-2024 12:50
Behavioral task behavioral1
Sample: 6371b930d541e441cb5a9234b327395e05501f3405fb45ef13d9c2dabb6aa40c.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: 6371b930d541e441cb5a9234b327395e05501f3405fb45ef13d9c2dabb6aa40c.exe
Resource: win10v2004-20240226-en
General
Target: 6371b930d541e441cb5a9234b327395e05501f3405fb45ef13d9c2dabb6aa40c.exe
Size: 145KB
MD5: c00352e2857075c8f757ea9be769b652
SHA1: 2a100aa5902ba6f9f35187117182afabf220071b
SHA256: 6371b930d541e441cb5a9234b327395e05501f3405fb45ef13d9c2dabb6aa40c
SHA512: 94d7e90ebd6b1d37daa43617a345c463d59096903a55621ff3eb490179411cb7bb58f75bb396a5d2b8720701833dc623ddfb259ad35c0716703a8e4bc66018ad
SSDEEP: 3072:m6glyuxE4GsUPnliByocWepbN3/1rtqd:m6gDBGpvEByocWeFN3/F8
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation (process: 4D21.tmp)
Deletes itself (1 IoC)
Processes:
  PID 3172 4D21.tmp
Executes dropped EXE (1 IoC)
Processes:
  PID 3172 4D21.tmp
Drops desktop.ini file(s) (2 IoCs)
Processes:
  File opened for modification: C:\$Recycle.Bin\S-1-5-21-1904519900-954640453-4250331663-1000\desktop.ini (process: 6371b930d541e441cb5a9234b327395e05501f3405fb45ef13d9c2dabb6aa40c.exe)
  File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-1904519900-954640453-4250331663-1000\desktop.ini (process: 6371b930d541e441cb5a9234b327395e05501f3405fb45ef13d9c2dabb6aa40c.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
Processes:
  PID 3272 6371b930d541e441cb5a9234b327395e05501f3405fb45ef13d9c2dabb6aa40c.exe (4 events)
  PID 3172 4D21.tmp (1 event)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes:
  PID 3272 6371b930d541e441cb5a9234b327395e05501f3405fb45ef13d9c2dabb6aa40c.exe (12 events)
Suspicious behavior: RenamesItself (26 IoCs)
Processes:
  PID 3172 4D21.tmp (26 events)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  PID 3272 6371b930d541e441cb5a9234b327395e05501f3405fb45ef13d9c2dabb6aa40c.exe, tokens adjusted in order of first appearance:
  SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, 36, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege, SeDebugPrivilege
  The remaining events alternate between SeBackupPrivilege and SeSecurityPrivilege (each requested twice in turn), all from PID 3272.
Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
  PID 3272 (6371b930d541e441cb5a9234b327395e05501f3405fb45ef13d9c2dabb6aa40c.exe) wrote to memory of PID 3172 (4D21.tmp): 4 events, procid_target 105
  PID 3172 (4D21.tmp) wrote to memory of PID 1496 (cmd.exe): 3 events, procid_target 106
Processes
1. C:\Users\Admin\AppData\Local\Temp\6371b930d541e441cb5a9234b327395e05501f3405fb45ef13d9c2dabb6aa40c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6371b930d541e441cb5a9234b327395e05501f3405fb45ef13d9c2dabb6aa40c.exe"
   PID: 3272
   - Drops desktop.ini file(s)
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\4D21.tmp
      Command line: "C:\ProgramData\4D21.tmp"
      PID: 3172
      - Checks computer location settings
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\4D21.tmp >> NUL
         PID: 1496
1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1380 --field-trial-handle=2496,i,15897292497548307209,13920214570023230813,262144 --variations-seed-version /prefetch:8
   PID: 3840
Network
MITRE ATT&CK Enterprise v15
Downloads