Analysis
-
max time kernel
1000s -
max time network
1179s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
29/05/2024, 07:53
Static task
static1
Behavioral task
behavioral1
Sample
StartExperience.exe
Resource
win10v2004-20240426-en
General
-
Target
StartExperience.exe
-
Size
6KB
-
MD5
a4db2849237e06aa13e52bb81c299da0
-
SHA1
34f97967925a65e72a9eb1e116a20a4c28067df5
-
SHA256
2f680a4a16a2b355a60c6f9c593998f18a97beac1c7cd91aa8c9372549697d14
-
SHA512
3c9e92d1a6c341d47bc7e438142c8cdea462d24b578d7a551d41921edd2b9393be271810fa2b8c9a655e7bc7a90bf54bc6d6ed945a2f3c887da36c674cfcc91d
-
SSDEEP
96:NxzGJ22hC+DJagEA73R+o0maETu/YDaDozfnCcP+BzNt:NxzGs+DJ2A7BP0zIu/hDozfNPc
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation StartExperience.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 3772 StartExperience.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3772 StartExperience.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 3772 wrote to memory of 2456 3772 StartExperience.exe 82 PID 3772 wrote to memory of 2456 3772 StartExperience.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\StartExperience.exe"C:\Users\Admin\AppData\Local\Temp\StartExperience.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3772 -
C:\Users\Admin\AppData\Local\Temp\StartExperience.exe"C:\Users\Admin\AppData\Local\Temp\StartExperience.exe" 6890474b-d9a9-4566-a93c-16959572c5202⤵PID:2456
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
425B
MD5fff5cbccb6b31b40f834b8f4778a779a
SHA1899ed0377e89f1ed434cfeecc5bc0163ebdf0454
SHA256b8f7e4ed81764db56b9c09050f68c5a26af78d8a5e2443e75e0e1aa7cd2ccd76
SHA5121a188a14c667bc31d2651b220aa762be9cce4a75713217846fbe472a307c7bbc6e3c27617f75f489902a534d9184648d204d03ee956ac57b11aa90551248b8f9