Analysis
- max time kernel: 125s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/05/2024, 17:27
General
- Target: a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe
- Size: 3.5MB
- MD5: 2e74d6fa9f7ad6604f4474d3a88df538
- SHA1: 94ddd1699392c49aea7f9a610ed5487ea5d30a07
- SHA256: a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a
- SHA512: 38725af1c782e2378327ed536ff71e50b429b0fa1eca4299ddaee229ff16d9a18cebfcb44db81d799dfa19278e9f8d961598c1a94c15001be8c8c9daba2667f5
- SSDEEP: 98304:yHWz45HmcCm7AKb1UcPwX7fVhIdG9k3kKoN:yHWzG1IBnwu
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation; Process: setup.exe
- Executes dropped EXE (1 IoC)
  pid: 2760; Process: setup.exe
- Loads dropped DLL (2 IoCs)
  pid: 2532; Process: MsiExec.exe
  pid: 2532; Process: MsiExec.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""; Process: a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid: 3048; Process: msiexec.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe"
  PID: 4464
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.cmd
    PID: 1192
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" /v Release 2>nul
      PID: 4712
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        Command line: REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" /v Release
        PID: 2664
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic product where name="FiatLink" call uninstall
      PID: 4792
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe
      Command line: Setup.exe
      PID: 2760
      Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\msiexec.exe
        Command line: "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FiatLinkSetup.msi"
        PID: 3048
        Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4180,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=4268 /prefetch:8
  PID: 3880
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 4608
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 46B418000E8A18F433BA95B1F9B20BFB C
    PID: 2532
    Signatures: Loads dropped DLL