9a6b448d85b5e3617cd16047c347d3f84a320157473402fd8bb1c79ef15c7180

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/05/2024, 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a6b448d85b5e3617cd16047c347d3f84a320157473402fd8bb1c79ef15c7180.exe
Size

3.3MB
MD5

9f622e68472f4463dc0515d52fa08ef2
SHA1

ca67e591511784bf68d635d472ebe9d5acf59aec
SHA256

9a6b448d85b5e3617cd16047c347d3f84a320157473402fd8bb1c79ef15c7180
SHA512

6b0d89de794c1bc9ea95cc32ef051202dc35f534e700433fff3008b61d1dbe56874283426029fa3c3b480e77be45afab01294a4b724e564d785c31f17189d667
SSDEEP

49152:t3BKBUvdWJTy4oia5w32OvfZcvkuRdLHkJEANmsvHHu354gxV0HyYsYd:woi+w32+QDENms2JXPEyP2

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation	9a6b448d85b5e3617cd16047c347d3f84a320157473402fd8bb1c79ef15c7180.exe

Executes dropped EXE 2 IoCs

pid	Process
468	Process not Found
2372	alg.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	9a6b448d85b5e3617cd16047c347d3f84a320157473402fd8bb1c79ef15c7180.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1656	9a6b448d85b5e3617cd16047c347d3f84a320157473402fd8bb1c79ef15c7180.exe
Token: SeShutdownPrivilege	1656	9a6b448d85b5e3617cd16047c347d3f84a320157473402fd8bb1c79ef15c7180.exe

C:\Users\Admin\AppData\Local\Temp\9a6b448d85b5e3617cd16047c347d3f84a320157473402fd8bb1c79ef15c7180.exe
"C:\Users\Admin\AppData\Local\Temp\9a6b448d85b5e3617cd16047c347d3f84a320157473402fd8bb1c79ef15c7180.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\System32\alg.exe

Filesize
1.2MB

MD5
4419655d9b3ef1ae6aa221d85ca51d32

SHA1
36574513afe11329521c8d4871c87e5f96f362fb

SHA256
63d14192399193ee5c3f994dc1b521b552fe66ddf11d35b58ac78a9ad096eef4

SHA512
e72c9075990e875866c6c3a0771f5ae0690c65e7543175a009fa203e8417a6a54a8ac6cb461778104704c48c05f825d6420bd1b2c4b255711aa7b6255d4c0bc7

Download Submit
memory/1656-0-0x0000000030000000-0x0000000030358000-memory.dmp

Filesize
3.3MB

Download
memory/1656-1-0x0000000000470000-0x00000000004D7000-memory.dmp

Filesize
412KB

Download
memory/1656-6-0x0000000000470000-0x00000000004D7000-memory.dmp

Filesize
412KB

Download
memory/1656-12-0x0000000030000000-0x0000000030358000-memory.dmp

Filesize
3.3MB

Download
memory/2372-15-0x0000000100000000-0x000000010012F000-memory.dmp

Filesize
1.2MB

Download
memory/2372-16-0x0000000100000000-0x000000010012F000-memory.dmp

Filesize
1.2MB

Download