Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-04-2024 16:47
Behavioral task: behavioral1
- Sample: 6f3d6bf9ee09bd4cd6af117cca33965c33b99a7380d8de14450b7d4a3cd499b8.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 6f3d6bf9ee09bd4cd6af117cca33965c33b99a7380d8de14450b7d4a3cd499b8.exe
- Resource: win10v2004-20240412-en
General
- Target: 6f3d6bf9ee09bd4cd6af117cca33965c33b99a7380d8de14450b7d4a3cd499b8.exe
- Size: 37KB
- MD5: 871722db5b9b702357b675e48e491193
- SHA1: ec5cf5b57414fa8253a842bb06fc6822b85e399d
- SHA256: 6f3d6bf9ee09bd4cd6af117cca33965c33b99a7380d8de14450b7d4a3cd499b8
- SHA512: 9757a9bfc13b23a30590dfc145f837c22fffad56f1c47ca7354ddded78c8afc2418b0a5ce0f0add6aaf59354355577141a1b05115b8faf5d978445570a58b478
- SSDEEP: 384:GstKUiDtblmJEpRGyEf7JfJuQCY6iXQrAF+rMRTyN/0L+EcoinblneHQM3epzXIf:5tiHpR9Ef7JsQCFiArM+rMRa8NuCFt
Malware Config

Signatures

- Modifies Windows Firewall (2 TTPs, 1 IoC)
  - PID 4848: netsh.exe

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation (Process: 6f3d6bf9ee09bd4cd6af117cca33965c33b99a7380d8de14450b7d4a3cd499b8.exe)

- Drops startup file (2 IoCs)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\886e4e6cf55be20a7d674097273f111d.exe (Process: ESET Service.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\886e4e6cf55be20a7d674097273f111d.exe (Process: ESET Service.exe)

- Executes dropped EXE (1 IoC)
  - PID 4284: ESET Service.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\886e4e6cf55be20a7d674097273f111d = "\"C:\\Users\\Admin\\AppData\\Roaming\\ESET Service.exe\" .." (Process: ESET Service.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\886e4e6cf55be20a7d674097273f111d = "\"C:\\Users\\Admin\\AppData\\Roaming\\ESET Service.exe\" .." (Process: ESET Service.exe)

- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  - flow 1: 5.tcp.eu.ngrok.io
  - flow 61: 5.tcp.eu.ngrok.io
  - flow 96: 5.tcp.eu.ngrok.io

- Drops autorun.inf file (1 TTP, 5 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  - File opened for modification: F:\autorun.inf (Process: ESET Service.exe)
  - File created: C:\autorun.inf (Process: ESET Service.exe)
  - File opened for modification: C:\autorun.inf (Process: ESET Service.exe)
  - File created: D:\autorun.inf (Process: ESET Service.exe)
  - File created: F:\autorun.inf (Process: ESET Service.exe)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Kills process with taskkill (1 IoC)
  - PID 2024: taskkill.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - PID 4284: ESET Service.exe (64 identical entries)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - PID 4284: ESET Service.exe

- Suspicious use of AdjustPrivilegeToken (36 IoCs)
  - Token: SeDebugPrivilege, PID 4284, ESET Service.exe
  - Token: SeDebugPrivilege, PID 2024, taskkill.exe
  - Token: 33, PID 4284, ESET Service.exe (17 entries, alternating with the next line)
  - Token: SeIncBasePriorityPrivilege, PID 4284, ESET Service.exe (17 entries)

- Suspicious use of WriteProcessMemory (9 IoCs)
  - PID 3624 (6f3d6bf9ee09bd4cd6af117cca33965c33b99a7380d8de14450b7d4a3cd499b8.exe) wrote to memory of PID 4284, procid_target 86 (3 entries)
  - PID 4284 (ESET Service.exe) wrote to memory of PID 4848, procid_target 87 (3 entries)
  - PID 4284 (ESET Service.exe) wrote to memory of PID 2024, procid_target 89 (3 entries)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\6f3d6bf9ee09bd4cd6af117cca33965c33b99a7380d8de14450b7d4a3cd499b8.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6f3d6bf9ee09bd4cd6af117cca33965c33b99a7380d8de14450b7d4a3cd499b8.exe"
    PID: 3624
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\ESET Service.exe
        Command line: "C:\Users\Admin\AppData\Roaming\ESET Service.exe"
        PID: 4284
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops autorun.inf file
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\ESET Service.exe" "ESET Service.exe" ENABLE
            PID: 4848
            - Modifies Windows Firewall

        [3] C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /F /IM taskmgr.exe
            PID: 2024
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
Network

MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads
- Filesize: 37KB
- MD5: 871722db5b9b702357b675e48e491193
- SHA1: ec5cf5b57414fa8253a842bb06fc6822b85e399d
- SHA256: 6f3d6bf9ee09bd4cd6af117cca33965c33b99a7380d8de14450b7d4a3cd499b8
- SHA512: 9757a9bfc13b23a30590dfc145f837c22fffad56f1c47ca7354ddded78c8afc2418b0a5ce0f0add6aaf59354355577141a1b05115b8faf5d978445570a58b478