Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-05-2024 02:12

Static task: static1

Behavioral task: behavioral1
- Sample: b5e1be77b9170945e5281f262cd2b9ab72043a4295b5606eb43eb8362f8cc34c.exe
- Resource: win7-20240215-en

Behavioral task: behavioral2
- Sample: b5e1be77b9170945e5281f262cd2b9ab72043a4295b5606eb43eb8362f8cc34c.exe
- Resource: win10v2004-20240508-en
General
- Target: b5e1be77b9170945e5281f262cd2b9ab72043a4295b5606eb43eb8362f8cc34c.exe
- Size: 876KB
- MD5: 53d77338b57f7f73ede130799c828c78
- SHA1: fde1433b3e1d764c4418e028c37fd75be95f7908
- SHA256: b5e1be77b9170945e5281f262cd2b9ab72043a4295b5606eb43eb8362f8cc34c
- SHA512: f1c315c410581172dd6c52564f172c45203cde2c5e18f7287065fa4023f444b0399f23a1cb6d0ea1ffa861739ae0cdac6ee46b3500a1639298b5fa80b56970b3
- SSDEEP: 24576:R4lavt0LkLL9IMixoEgeaoyXPwq9MmCS:gkwkn9IMHeaolaPCS
Malware Config
Signatures
UAC bypass
Processes: b5e1be77b9170945e5281f262cd2b9ab72043a4295b5606eb43eb8362f8cc34c.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | b5e1be77b9170945e5281f262cd2b9ab72043a4295b5606eb43eb8362f8cc34c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | b5e1be77b9170945e5281f262cd2b9ab72043a4295b5606eb43eb8362f8cc34c.exe
Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes: netsh.exe
pid | process
1660 | netsh.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes: b5e1be77b9170945e5281f262cd2b9ab72043a4295b5606eb43eb8362f8cc34c.exe, 2610.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | b5e1be77b9170945e5281f262cd2b9ab72043a4295b5606eb43eb8362f8cc34c.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | 2610.exe
Executes dropped EXE (2 IoCs)
Processes: 2610.exe, server.exe
pid | process
904 | 2610.exe
796 | server.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: server.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\e229ec82a5ec02373072d0375052096f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e229ec82a5ec02373072d0375052096f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | server.exe
Checks whether UAC is enabled
Processes: b5e1be77b9170945e5281f262cd2b9ab72043a4295b5606eb43eb8362f8cc34c.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | b5e1be77b9170945e5281f262cd2b9ab72043a4295b5606eb43eb8362f8cc34c.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes: server.exe
description | pid | process
Token: SeDebugPrivilege | 796 | server.exe
Token: 33 | 796 | server.exe
Token: SeIncBasePriorityPrivilege | 796 | server.exe
(The last two rows, "Token: 33" followed by "Token: SeIncBasePriorityPrivilege", are logged 17 times in alternation, giving the 35 entries in total.)
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: b5e1be77b9170945e5281f262cd2b9ab72043a4295b5606eb43eb8362f8cc34c.exe, 2610.exe, server.exe
description | pid | process | target process
PID 3532 wrote to memory of 904 | 3532 | b5e1be77b9170945e5281f262cd2b9ab72043a4295b5606eb43eb8362f8cc34c.exe | 2610.exe
PID 3532 wrote to memory of 904 | 3532 | b5e1be77b9170945e5281f262cd2b9ab72043a4295b5606eb43eb8362f8cc34c.exe | 2610.exe
PID 3532 wrote to memory of 904 | 3532 | b5e1be77b9170945e5281f262cd2b9ab72043a4295b5606eb43eb8362f8cc34c.exe | 2610.exe
PID 904 wrote to memory of 796 | 904 | 2610.exe | server.exe
PID 904 wrote to memory of 796 | 904 | 2610.exe | server.exe
PID 904 wrote to memory of 796 | 904 | 2610.exe | server.exe
PID 796 wrote to memory of 1660 | 796 | server.exe | netsh.exe
PID 796 wrote to memory of 1660 | 796 | server.exe | netsh.exe
PID 796 wrote to memory of 1660 | 796 | server.exe | netsh.exe
System policy modification (1 TTP, 3 IoCs)
Processes: b5e1be77b9170945e5281f262cd2b9ab72043a4295b5606eb43eb8362f8cc34c.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | b5e1be77b9170945e5281f262cd2b9ab72043a4295b5606eb43eb8362f8cc34c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | b5e1be77b9170945e5281f262cd2b9ab72043a4295b5606eb43eb8362f8cc34c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | b5e1be77b9170945e5281f262cd2b9ab72043a4295b5606eb43eb8362f8cc34c.exe
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\b5e1be77b9170945e5281f262cd2b9ab72043a4295b5606eb43eb8362f8cc34c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b5e1be77b9170945e5281f262cd2b9ab72043a4295b5606eb43eb8362f8cc34c.exe"
  - UAC bypass
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 3532

  (depth 2) C:\Users\Admin\AppData\Local\Temp\2610\2610.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2610\2610.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 904

    (depth 3) C:\Users\Admin\AppData\Local\Temp\server.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 796

      (depth 4) C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        - Modifies Windows Firewall
        PID: 1660
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\2610\2610.exe
  Filesize: 23KB
  MD5: 4abf570a817c250b77a9b4fce234d4f0
  SHA1: ab826fabada5c2893043c8ad2daa321032d85727
  SHA256: 665c9c1e0fc46f97e902ac8046d9719661dd4b2e0a685b5e041c9a66c584c1b1
  SHA512: a507011626379501e3b876249c82be446298b394993a70d66cf03205607233781414170d1042e0faa6efb67971b07c4b9dd41ec30648e6f5e0eec0508a153425
- memory/796-29-0x0000000073A00000-0x0000000073FB1000-memory.dmp
  Filesize: 5.7MB
- memory/796-30-0x0000000073A00000-0x0000000073FB1000-memory.dmp
  Filesize: 5.7MB
- memory/796-31-0x0000000073A00000-0x0000000073FB1000-memory.dmp
  Filesize: 5.7MB
- memory/904-16-0x0000000073A02000-0x0000000073A03000-memory.dmp
  Filesize: 4KB
- memory/904-17-0x0000000073A00000-0x0000000073FB1000-memory.dmp
  Filesize: 5.7MB
- memory/904-18-0x0000000073A00000-0x0000000073FB1000-memory.dmp
  Filesize: 5.7MB
- memory/904-28-0x0000000073A00000-0x0000000073FB1000-memory.dmp
  Filesize: 5.7MB