Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
27-05-2024 19:52
General
-
Target
2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
-
Size
3.2MB
-
MD5
6c16807e4417e60366cde4515d148ab3
-
SHA1
b8212729ae453b48531c5331cfdaea3aa213cf85
-
SHA256
2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb
-
SHA512
eb448d72c2d7d74cae67cac46ebc0262e50113b40164d0c9837e4e0d481c23038f85a414dd92561fdbe5958ecdbaa86e8cdd921cc1cc2571eb96f9dd76cc2efe
-
SSDEEP
49152:6oHBs26nkjh/a3LlwLkl6cV0ymGIj5y60K9F8AA/qDTvyNUjqwZjAN+68OxcIzQW:9B6Wh/9L3clIVy6RwA29NGoN+3OWIzQ
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to get system information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 26 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe"C:\Users\Admin\AppData\Local\Temp\2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-WmiObject Win32_BIOS | Select-Object -ExpandProperty SMBIOSBIOSVersion2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-WmiObject Win32_PhysicalMemory | Select-Object -ExpandProperty Speed2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-WmiObject Win32_VideoController | Select-Object -ExpandProperty Name2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\calc.exe"C:\Windows\System32\calc.exe"2⤵
- Modifies registry class
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5123cd8a916c430f236f9ae908a55cc6d
SHA131cbd1fbc8bfe8bed2d0bf569f64ba9681682654
SHA2567aa5033e789da9d48b185be91ba0763769f9a846d782e02934484d0610b43667
SHA51224e036c4ddcaefa2069f7bfbc6ef71144595e2db6bef104118347bdcc4061cf321ab0a18e944338cc273d151c76666774cc2c50dbe5c2bf4b9ce8f3119e61da7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD5c40d866268e816346464d77fa8b1bc04
SHA110dd50af2e5a1ee62e704e708f48189d26443763
SHA256231cb39b0f6a7a1b23d0135ef1738a66aaea3ba984d37a07135d58761d280fa2
SHA512e7ff2f658af3c63e476dda20fcdd599fb31a62d85e20e8545a81c53be33b8519f606ab210039352a93bbe4250bc0a56f73845edb3124887c8ebf07112636f5ed
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
17KB
MD56c5bb475f7f6ddacecae7b5175cecf12
SHA1b48212546d616afb28f2e37d9792fd43c6edefbf
SHA256cfe792c95e3d96a847c511f18a3530dbb93899a36f787e2f65012d3d17976fb9
SHA512e944c34479b033da1c28f6fecab753fee4f016c0516e5d351641d420e5c8570ecc663d0aba3aa8458d2a3fafcc25f8c585b8f804d5e8705fdee9bebfc9e01053
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD52441a98df8dcd55df531a6f8391602a3
SHA1553a4c994f3094f52480b0f9cc48a8ea6e5a061a
SHA256176ee926dbf2910794567428afd5c9d08328d3fb5d4804ee837a016c4667ad42
SHA5128dc8fbbf86d2746e19949add9dd3ea83ab28cfa32e9f19403905ef587588f3f8acd53cec4ffe958b6d93e297ecfb99c436b09a6219aad0b142c3d5e7d0575f3e
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g5jbnspp.jrl.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/1200-39-0x0000000007C60000-0x00000000082DA000-memory.dmpFilesize
6.5MB
-
memory/1200-41-0x0000000007680000-0x000000000768A000-memory.dmpFilesize
40KB
-
memory/1200-8-0x0000000005C50000-0x0000000005CB6000-memory.dmpFilesize
408KB
-
memory/1200-7-0x0000000005BE0000-0x0000000005C46000-memory.dmpFilesize
408KB
-
memory/1200-4-0x0000000005500000-0x0000000005B28000-memory.dmpFilesize
6.2MB
-
memory/1200-14-0x0000000074CD0000-0x0000000075480000-memory.dmpFilesize
7.7MB
-
memory/1200-19-0x0000000005DC0000-0x0000000006114000-memory.dmpFilesize
3.3MB
-
memory/1200-20-0x0000000074CD0000-0x0000000075480000-memory.dmpFilesize
7.7MB
-
memory/1200-21-0x00000000062F0000-0x000000000630E000-memory.dmpFilesize
120KB
-
memory/1200-22-0x00000000064A0000-0x00000000064EC000-memory.dmpFilesize
304KB
-
memory/1200-23-0x0000000007270000-0x00000000072A2000-memory.dmpFilesize
200KB
-
memory/1200-36-0x0000000074CD0000-0x0000000075480000-memory.dmpFilesize
7.7MB
-
memory/1200-35-0x00000000072E0000-0x0000000007383000-memory.dmpFilesize
652KB
-
memory/1200-34-0x00000000072B0000-0x00000000072CE000-memory.dmpFilesize
120KB
-
memory/1200-24-0x0000000070AD0000-0x0000000070B1C000-memory.dmpFilesize
304KB
-
memory/1200-37-0x0000000074CD0000-0x0000000075480000-memory.dmpFilesize
7.7MB
-
memory/1200-38-0x0000000074CD0000-0x0000000075480000-memory.dmpFilesize
7.7MB
-
memory/1200-3-0x0000000004D50000-0x0000000004D86000-memory.dmpFilesize
216KB
-
memory/1200-40-0x0000000007610000-0x000000000762A000-memory.dmpFilesize
104KB
-
memory/1200-6-0x0000000005310000-0x0000000005332000-memory.dmpFilesize
136KB
-
memory/1200-42-0x0000000007800000-0x000000000782A000-memory.dmpFilesize
168KB
-
memory/1200-43-0x0000000007830000-0x0000000007854000-memory.dmpFilesize
144KB
-
memory/1200-44-0x0000000070C50000-0x0000000070FA4000-memory.dmpFilesize
3.3MB
-
memory/1200-46-0x0000000074CD0000-0x0000000075480000-memory.dmpFilesize
7.7MB
-
memory/1200-48-0x0000000074CD0000-0x0000000075480000-memory.dmpFilesize
7.7MB
-
memory/1200-5-0x0000000074CD0000-0x0000000075480000-memory.dmpFilesize
7.7MB
-
memory/1628-49-0x0000000074CD0000-0x0000000075480000-memory.dmpFilesize
7.7MB
-
memory/1628-94-0x0000000074CD0000-0x0000000075480000-memory.dmpFilesize
7.7MB
-
memory/1628-1-0x0000000000EB0000-0x00000000011E2000-memory.dmpFilesize
3.2MB
-
memory/1628-2-0x0000000006070000-0x0000000006614000-memory.dmpFilesize
5.6MB
-
memory/1628-0-0x0000000074CDE000-0x0000000074CDF000-memory.dmpFilesize
4KB
-
memory/2972-70-0x00000000056E0000-0x0000000005A34000-memory.dmpFilesize
3.3MB
-
memory/4828-65-0x0000000006BD0000-0x0000000006C1C000-memory.dmpFilesize
304KB
-
memory/4828-66-0x0000000007BB0000-0x0000000007C46000-memory.dmpFilesize
600KB
-
memory/4828-67-0x0000000006EF0000-0x0000000006F12000-memory.dmpFilesize
136KB
-
memory/4828-69-0x0000000074CD0000-0x0000000075480000-memory.dmpFilesize
7.7MB
-
memory/4828-63-0x0000000074CD0000-0x0000000075480000-memory.dmpFilesize
7.7MB
-
memory/4828-62-0x0000000074CD0000-0x0000000075480000-memory.dmpFilesize
7.7MB
-
memory/4828-61-0x0000000006410000-0x0000000006764000-memory.dmpFilesize
3.3MB
-
memory/4828-51-0x0000000074CD0000-0x0000000075480000-memory.dmpFilesize
7.7MB