Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
27-05-2024 19:52
General
-
Target
2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
-
Size
3.2MB
-
MD5
6c16807e4417e60366cde4515d148ab3
-
SHA1
b8212729ae453b48531c5331cfdaea3aa213cf85
-
SHA256
2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb
-
SHA512
eb448d72c2d7d74cae67cac46ebc0262e50113b40164d0c9837e4e0d481c23038f85a414dd92561fdbe5958ecdbaa86e8cdd921cc1cc2571eb96f9dd76cc2efe
-
SSDEEP
49152:6oHBs26nkjh/a3LlwLkl6cV0ymGIj5y60K9F8AA/qDTvyNUjqwZjAN+68OxcIzQW:9B6Wh/9L3clIVy6RwA29NGoN+3OWIzQ
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to get system information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 26 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe"C:\Users\Admin\AppData\Local\Temp\2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-WmiObject Win32_BIOS | Select-Object -ExpandProperty SMBIOSBIOSVersion2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-WmiObject Win32_PhysicalMemory | Select-Object -ExpandProperty Speed2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-WmiObject Win32_VideoController | Select-Object -ExpandProperty Name2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\calc.exe"C:\Windows\System32\calc.exe"2⤵
- Modifies registry class
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5123cd8a916c430f236f9ae908a55cc6d
SHA131cbd1fbc8bfe8bed2d0bf569f64ba9681682654
SHA2567aa5033e789da9d48b185be91ba0763769f9a846d782e02934484d0610b43667
SHA51224e036c4ddcaefa2069f7bfbc6ef71144595e2db6bef104118347bdcc4061cf321ab0a18e944338cc273d151c76666774cc2c50dbe5c2bf4b9ce8f3119e61da7
-
Filesize
18KB
MD5c40d866268e816346464d77fa8b1bc04
SHA110dd50af2e5a1ee62e704e708f48189d26443763
SHA256231cb39b0f6a7a1b23d0135ef1738a66aaea3ba984d37a07135d58761d280fa2
SHA512e7ff2f658af3c63e476dda20fcdd599fb31a62d85e20e8545a81c53be33b8519f606ab210039352a93bbe4250bc0a56f73845edb3124887c8ebf07112636f5ed
-
Filesize
17KB
MD56c5bb475f7f6ddacecae7b5175cecf12
SHA1b48212546d616afb28f2e37d9792fd43c6edefbf
SHA256cfe792c95e3d96a847c511f18a3530dbb93899a36f787e2f65012d3d17976fb9
SHA512e944c34479b033da1c28f6fecab753fee4f016c0516e5d351641d420e5c8570ecc663d0aba3aa8458d2a3fafcc25f8c585b8f804d5e8705fdee9bebfc9e01053
-
Filesize
16KB
MD52441a98df8dcd55df531a6f8391602a3
SHA1553a4c994f3094f52480b0f9cc48a8ea6e5a061a
SHA256176ee926dbf2910794567428afd5c9d08328d3fb5d4804ee837a016c4667ad42
SHA5128dc8fbbf86d2746e19949add9dd3ea83ab28cfa32e9f19403905ef587588f3f8acd53cec4ffe958b6d93e297ecfb99c436b09a6219aad0b142c3d5e7d0575f3e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
6.5MB
-
Filesize
40KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
6.2MB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
7.7MB
-
Filesize
652KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
216KB
-
Filesize
104KB
-
Filesize
136KB
-
Filesize
168KB
-
Filesize
144KB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
3.2MB
-
Filesize
5.6MB
-
Filesize
4KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
600KB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
7.7MB