Analysis
- max time kernel: 141s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-04-2024 13:41
Static task: static1
Behavioral task: behavioral1
- Sample: 3791b65b31a3b12f458e042509119c60c2b3abd4f40f4da81f7404b6fb7db268.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 3791b65b31a3b12f458e042509119c60c2b3abd4f40f4da81f7404b6fb7db268.exe
- Resource: win10v2004-20240226-en
General
- Target: 3791b65b31a3b12f458e042509119c60c2b3abd4f40f4da81f7404b6fb7db268.exe
- Size: 735KB
- MD5: 7733da960ee126b39752a737301c0f86
- SHA1: 414d654545da349c21e58f0ae28021fe48a6f02b
- SHA256: 3791b65b31a3b12f458e042509119c60c2b3abd4f40f4da81f7404b6fb7db268
- SHA512: 9b9f4c0e926e76950a781713667cd4dfa34002a3340b99877730e7db67ea2a0dc7245518a1a943c388abc5dcd489737a1a88873c12deb028f788c8a3cd94d9d6
- SSDEEP: 12288:NcrNS33L10QdrXjKDnuFeDnnHgnS61NNyz3Pbpv08kMZYS:wNA3R5drXGDuFmASO7y10gZYS
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 3791b65b31a3b12f458e042509119c60c2b3abd4f40f4da81f7404b6fb7db268.exe, injnxgi.sfx.exe
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 3791b65b31a3b12f458e042509119c60c2b3abd4f40f4da81f7404b6fb7db268.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | injnxgi.sfx.exe
- Executes dropped EXE (3 IoCs)
  Processes: injnxgi.sfx.exe, injnxgi.exe, injnxgi.exe
  pid | Process
  2108 | injnxgi.sfx.exe
  4768 | injnxgi.exe
  4236 | injnxgi.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: injnxgi.exe
  description | pid | Process | procid_target
  PID 4768 set thread context of 4236 | 4768 | injnxgi.exe | 98
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid | pid_target | Process | procid_target
  3224 | 4236 | WerFault.exe | 98
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: injnxgi.exe
  description | pid | Process
  Token: SeDebugPrivilege | 4768 | injnxgi.exe
- Suspicious use of UnmapMainImage (1 IoC)
  Processes: injnxgi.exe
  pid | Process
  4236 | injnxgi.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: 3791b65b31a3b12f458e042509119c60c2b3abd4f40f4da81f7404b6fb7db268.exe, cmd.exe, injnxgi.sfx.exe, injnxgi.exe
  description | pid | Process | procid_target
  PID 5064 wrote to memory of 4356 | 5064 | 3791b65b31a3b12f458e042509119c60c2b3abd4f40f4da81f7404b6fb7db268.exe | 91
  PID 5064 wrote to memory of 4356 | 5064 | 3791b65b31a3b12f458e042509119c60c2b3abd4f40f4da81f7404b6fb7db268.exe | 91
  PID 5064 wrote to memory of 4356 | 5064 | 3791b65b31a3b12f458e042509119c60c2b3abd4f40f4da81f7404b6fb7db268.exe | 91
  PID 4356 wrote to memory of 2108 | 4356 | cmd.exe | 94
  PID 4356 wrote to memory of 2108 | 4356 | cmd.exe | 94
  PID 4356 wrote to memory of 2108 | 4356 | cmd.exe | 94
  PID 2108 wrote to memory of 4768 | 2108 | injnxgi.sfx.exe | 95
  PID 2108 wrote to memory of 4768 | 2108 | injnxgi.sfx.exe | 95
  PID 2108 wrote to memory of 4768 | 2108 | injnxgi.sfx.exe | 95
  PID 4768 wrote to memory of 4236 | 4768 | injnxgi.exe | 98
  PID 4768 wrote to memory of 4236 | 4768 | injnxgi.exe | 98
  PID 4768 wrote to memory of 4236 | 4768 | injnxgi.exe | 98
  PID 4768 wrote to memory of 4236 | 4768 | injnxgi.exe | 98
  PID 4768 wrote to memory of 4236 | 4768 | injnxgi.exe | 98
  PID 4768 wrote to memory of 4236 | 4768 | injnxgi.exe | 98
  PID 4768 wrote to memory of 4236 | 4768 | injnxgi.exe | 98
  PID 4768 wrote to memory of 4236 | 4768 | injnxgi.exe | 98
  PID 4768 wrote to memory of 4236 | 4768 | injnxgi.exe | 98
Processes
- C:\Users\Admin\AppData\Local\Temp\3791b65b31a3b12f458e042509119c60c2b3abd4f40f4da81f7404b6fb7db268.exe (PID 5064)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3791b65b31a3b12f458e042509119c60c2b3abd4f40f4da81f7404b6fb7db268.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 4356)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\injnxgi.bat" "
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\injnxgi.sfx.exe (PID 2108)
      Command line: injnxgi.sfx.exe -pdfdyehngfsztyuiofxvflfadgthnfreoploafugyRhvqxsdfHbgnmeT -dC:\Users\Admin\AppData\Local\Temp
      Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\injnxgi.exe (PID 4768)
        Command line: "C:\Users\Admin\AppData\Local\Temp\injnxgi.exe"
        Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\injnxgi.exe (PID 4236)
          Command line: C:\Users\Admin\AppData\Local\Temp\injnxgi.exe
          Signatures: Executes dropped EXE; Suspicious use of UnmapMainImage
          - C:\Windows\SysWOW64\WerFault.exe (PID 3224)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 12
            Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 5004)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4236 -ip 4236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4896)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4292 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads