Resubmissions
13-09-2021 07:48  210913-jm5fmadca3  10

Analysis
max time kernel: 151s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-04-2024 14:41
Static task: static1

Behavioral task: behavioral1
Sample: 1897bc959e07da3429106dff038d6b63a6343e793f91dceadff499e8d29bf472.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 1897bc959e07da3429106dff038d6b63a6343e793f91dceadff499e8d29bf472.exe
Resource: win10-20240404-en

Behavioral task: behavioral3
Sample: 1897bc959e07da3429106dff038d6b63a6343e793f91dceadff499e8d29bf472.exe
Resource: win10v2004-20240226-en
General
Target: 1897bc959e07da3429106dff038d6b63a6343e793f91dceadff499e8d29bf472.exe
Size: 1.2MB
MD5: 38df59cb1b647416d7a2dd6a10a7d87f
SHA1: a9c130b1a876b2bf44cf65261731309b5de58bc1
SHA256: 1897bc959e07da3429106dff038d6b63a6343e793f91dceadff499e8d29bf472
SHA512: db86988b3e20b28329187ef0e773de5cd5fe2c89d677cea5773893124d8d7186036f4c36b02b43e60220e508597d8388a87842b93341b9d39edfbaf86deb2cda
SSDEEP: 12288:u+rq0yKJ7KZeBA4DVzlzEyn2QFqTjCAjkTnV/QH7OTzId2nfpN3fXh:FW0yreAkpzP/QCAjkTmbOwYRZx
Malware Config

Signatures

Checks computer location settings  (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
  process: 1897bc959e07da3429106dff038d6b63a6343e793f91dceadff499e8d29bf472.exe
  Note: Nation holds a numeric Windows GeoID, not a country name. Reading it is harmless on its own; it only becomes a geofence if the sample branches on the value, and this report records the read, not the decision.

Executes dropped EXE  (1 IoC)
  pid 4796  GetX64BTIT.exe

Looks up external IP address via web service  (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 22  api.ipify.org
  flow 21  api.ipify.org
  Note: api.ipify.org is a public service also used by benign software, so the domain alone is a weak indicator; correlate it with the requesting process before acting on it.

Uses Tor communications  (1 TTP)
Malware can proxy its traffic through Tor for more anonymity.
  No IoC is listed for this signature on this page.

Enumerates physical storage devices  (1 TTP)
Attempts to interact with connected storage/optical drive(s).
  No IoC is listed for this signature on this page.

Suspicious behavior: EnumeratesProcesses  (64 IoCs)
  All 64 listed entries are the same process: pid 3012  1897bc959e07da3429106dff038d6b63a6343e793f91dceadff499e8d29bf472.exe

Suspicious use of SetWindowsHookEx  (1 IoC)
  pid 3012  1897bc959e07da3429106dff038d6b63a6343e793f91dceadff499e8d29bf472.exe

Suspicious use of WriteProcessMemory  (64 IoCs)
The report lists each entry as "PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>". Deduplicated:

  writer pid  writer image                                                               target pid  procid_target  entries
  3012        1897bc959e07da3429106dff038d6b63a6343e793f91dceadff499e8d29bf472.exe       3996        90             2
  3012        1897bc959e07da3429106dff038d6b63a6343e793f91dceadff499e8d29bf472.exe       4796        91             2
  3012        1897bc959e07da3429106dff038d6b63a6343e793f91dceadff499e8d29bf472.exe       320         77             1
  3012        1897bc959e07da3429106dff038d6b63a6343e793f91dceadff499e8d29bf472.exe       2944        78             1
  3012        1897bc959e07da3429106dff038d6b63a6343e793f91dceadff499e8d29bf472.exe       2560        79             1
  3012        1897bc959e07da3429106dff038d6b63a6343e793f91dceadff499e8d29bf472.exe       4604        80             1
  3012        1897bc959e07da3429106dff038d6b63a6343e793f91dceadff499e8d29bf472.exe       3864        81             1
  3012        1897bc959e07da3429106dff038d6b63a6343e793f91dceadff499e8d29bf472.exe       768         83             1
  3012        1897bc959e07da3429106dff038d6b63a6343e793f91dceadff499e8d29bf472.exe       3172        84             1
  320         msedge.exe                                                                 2896        100            53 (the remaining entries of the 64 listed)

  Note: writes from a parent into a process it has just created (3012 into 3996 and 4796, 320 into 2896) are the ordinary process-creation case. The writes from 3012 into 320, 2944, 2560, 4604, 3864, 768 and 3172 target the msedge.exe process family, which in the Processes section below is a separate root and not a descendant of the sample; those are the entries to confirm by hand before calling them injection.
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:320  (root)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  signatures: Suspicious use of WriteProcessMemory
  children:
    PID:2944  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2b0,0x7ffe57e72e98,0x7ffe57e72ea4,0x7ffe57e72eb0
    PID:2560  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2280 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:2
    PID:4604  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2328 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:3
    PID:3864  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2472 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
    PID:768   "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5232 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
    PID:3172  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5540 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
    PID:2896  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3872 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
    PID:2260  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2328 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:3

C:\Users\Admin\AppData\Local\Temp\1897bc959e07da3429106dff038d6b63a6343e793f91dceadff499e8d29bf472.exe  PID:3012  (root)
  command line: "C:\Users\Admin\AppData\Local\Temp\1897bc959e07da3429106dff038d6b63a6343e793f91dceadff499e8d29bf472.exe"
  signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  children:
    PID:3996  "C:\windows\hh.exe"  (HTML Help executable, launched with no arguments)
    PID:4796  "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"  (signatures: Executes dropped EXE)
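The WriteProcessMemory signature above and the Processes tree carry the same PIDs, so the two can be cross-checked mechanically: a write from a parent into a process it just created is the expected case, and any other write is the one to examine. The following is an added example, not part of the report or of any sandbox tooling. Its IoC lines and the parent map are transcribed from this page; the regular expression for the entry format is an assumption based on how the entries read here.

```python
"""Reconstruct memory-write relationships from a sandbox report.

Added example (not report tooling). Parses entries of the form
  PID <writer> wrote to memory of <target> <writer> <image> <procid_target>
deduplicates them, and flags writes whose target is not a direct child of
the writer in the process tree.
"""
import re
from collections import Counter

SAMPLE = "1897bc959e07da3429106dff038d6b63a6343e793f91dceadff499e8d29bf472.exe"

# Transcribed from the 'Suspicious use of WriteProcessMemory' signature above.
# The 320 -> 2896 entry is repeated 53 times in the report; kept as repeats so
# the deduplication below has something to do.
WPM_LINES = [
    f"PID 3012 wrote to memory of 3996 3012 {SAMPLE} 90",
    f"PID 3012 wrote to memory of 3996 3012 {SAMPLE} 90",
    f"PID 3012 wrote to memory of 4796 3012 {SAMPLE} 91",
    f"PID 3012 wrote to memory of 4796 3012 {SAMPLE} 91",
    f"PID 3012 wrote to memory of 320 3012 {SAMPLE} 77",
    f"PID 3012 wrote to memory of 2944 3012 {SAMPLE} 78",
    f"PID 3012 wrote to memory of 2560 3012 {SAMPLE} 79",
    f"PID 3012 wrote to memory of 4604 3012 {SAMPLE} 80",
    f"PID 3012 wrote to memory of 3864 3012 {SAMPLE} 81",
    f"PID 3012 wrote to memory of 768 3012 {SAMPLE} 83",
    f"PID 3012 wrote to memory of 3172 3012 {SAMPLE} 84",
] + ["PID 320 wrote to memory of 2896 320 msedge.exe 100"] * 53

# Parent of each PID, transcribed from the Processes tree above.
# Root processes have parent None.
PARENT = {
    320: None, 2944: 320, 2560: 320, 4604: 320, 3864: 320, 768: 320,
    3172: 320, 2896: 320, 2260: 320,
    3012: None, 3996: 3012, 4796: 3012,
}

# Assumed entry format: the writer PID appears twice (as 'PID n' and again
# before the image name), so a backreference pins the two together.
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_wpm(lines):
    """Map (writer_pid, target_pid, writer_image) -> number of report entries."""
    counts = Counter()
    for line in lines:
        m = WPM_RE.fullmatch(line.strip())
        if m is None:
            continue  # not a WriteProcessMemory entry; skip silently
        writer, target, image, _procid_target = m.groups()
        counts[(int(writer), int(target), image)] += 1
    return counts


def cross_tree_writes(counts, parent):
    """Return writes whose target is not a direct child of the writer.

    A parent populating the address space of the child it just created is
    the benign, expected pattern; everything else deserves a closer look.
    """
    flagged = []
    for (writer, target, image), n in counts.items():
        if parent.get(target) != writer:
            flagged.append((writer, target, image, n))
    return flagged


if __name__ == "__main__":
    counts = parse_wpm(WPM_LINES)
    print(f"{len(counts)} distinct write relationships from {sum(counts.values())} entries")
    for writer, target, image, n in cross_tree_writes(counts, PARENT):
        print(f"  {writer} ({image}) -> {target}: not a child of writer, {n} entry/entries")
```

Run against this page's data it reports seven cross-tree writes, all from PID 3012 into the msedge.exe family, and treats 3012's writes into 3996 and 4796 and 320's writes into 2896 as ordinary process creation. The function says nothing about what was written; confirming injection still needs the memory dump or API trace.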
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 40B
MD5: 20d4b8fa017a12a108c87f540836e250
SHA1: 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256: 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512: 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Filesize: 9KB
MD5: 6791b63f9fc3efb9fb73ff7ee055e3e3
SHA1: 3697f31adb2211872e3ee67ebfb7c0824cff63c3
SHA256: 4d176c163f4e28f8d0bbe9365690823a1445981e518b79e356a568cc8935ab42
SHA512: a06b9c79f7f0353beb214ee4c5f41523b6c1f8c762aa4998d8f894fc665e40b9c37f460be710db5f8ebefbbcaf047f84078f15ac8d6ecd658880a51517147e13

Filesize: 3KB
MD5: b4cd27f2b37665f51eb9fe685ec1d373
SHA1: 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA256: 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512: e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Filesize: 28B
MD5: 996e40af24af704b60fa4401ce6112e9
SHA1: 878e9417e20666eeacd87f70731111b035b6dcc3
SHA256: a084ac6f47239ac0cb5260af14b5eed73f23b28400f9e72447bdc45056aba8a2
SHA512: 9bf592e49a291b772a03342e4f3fbf2e6e46d0cd2edbec0c815c75352e8055c5c6fb4873ffd2605e810f1d567a5c339da0be67d26febc3c964f0aa9a0177699c