Resubmissions
13-09-2021 07:48  210913-jm5fmadca3  10
Analysis
max time kernel: 302s
max time network: 270s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 14-04-2024 14:41
Static task: static1
Behavioral task: behavioral1
  Sample: 1897bc959e07da3429106dff038d6b63a6343e793f91dceadff499e8d29bf472.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 1897bc959e07da3429106dff038d6b63a6343e793f91dceadff499e8d29bf472.exe
  Resource: win10-20240404-en
Behavioral task: behavioral3
  Sample: 1897bc959e07da3429106dff038d6b63a6343e793f91dceadff499e8d29bf472.exe
  Resource: win10v2004-20240226-en
General
Target: 1897bc959e07da3429106dff038d6b63a6343e793f91dceadff499e8d29bf472.exe
Size: 1.2MB
MD5: 38df59cb1b647416d7a2dd6a10a7d87f
SHA1: a9c130b1a876b2bf44cf65261731309b5de58bc1
SHA256: 1897bc959e07da3429106dff038d6b63a6343e793f91dceadff499e8d29bf472
SHA512: db86988b3e20b28329187ef0e773de5cd5fe2c89d677cea5773893124d8d7186036f4c36b02b43e60220e508597d8388a87842b93341b9d39edfbaf86deb2cda
SSDEEP: 12288:u+rq0yKJ7KZeBA4DVzlzEyn2QFqTjCAjkTnV/QH7OTzId2nfpN3fXh:FW0yreAkpzP/QCAjkTmbOwYRZx
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (process: 1897bc959e07da3429106dff038d6b63a6343e793f91dceadff499e8d29bf472.exe)
Executes dropped EXE (1 IoC)
  PID 3416: GetX64BTIT.exe
Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 19: api.ipify.org
  flow 20: api.ipify.org
Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 3256: 1897bc959e07da3429106dff038d6b63a6343e793f91dceadff499e8d29bf472.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (child processes are indented under their parent)
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  PID: 3856
  Signatures:
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2b0,0x7ffce2632e98,0x7ffce2632ea4,0x7ffce2632eb0
    PID: 4920
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2324 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:2
    PID: 3124
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2936 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:3
    PID: 1576
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3384 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
    PID: 4988
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5248 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:1
    PID: 3612
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5304 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:1
    PID: 4156
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4044 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
    PID: 4064
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5796 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:3
    PID: 2812
C:\Users\Admin\AppData\Local\Temp\1897bc959e07da3429106dff038d6b63a6343e793f91dceadff499e8d29bf472.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1897bc959e07da3429106dff038d6b63a6343e793f91dceadff499e8d29bf472.exe"
  PID: 3256
  Signatures:
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\windows\hh.exe
    Command line: "C:\windows\hh.exe"
    PID: 444
  C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
    PID: 3416
    Signatures:
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads