Analysis
-
max time kernel
148s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted
30-05-2024 13:59
Behavioral task
behavioral1
Sample
48bc9497ff9b6e89c49c58196375fea257d99fbff312a449ad9cd0d25e16a311.exe
Resource
win7-20240419-en
General
-
Target
48bc9497ff9b6e89c49c58196375fea257d99fbff312a449ad9cd0d25e16a311.exe
-
Size
31KB
-
MD5
fe6f894736afcbaaa70712986819dd63
-
SHA1
420b0ef62191359231cf5e07c24fa2774e8ae121
-
SHA256
48bc9497ff9b6e89c49c58196375fea257d99fbff312a449ad9cd0d25e16a311
-
SHA512
9e8ee88d0f27d6c220a296935158735d1a540c0510332d0a294709cde1c2b2161e9109232350e6933d1096b42af4a24d842a59545e92c6d43448e863c3c53f6a
-
SSDEEP
768:JrMXBwpJbb2zxxO5gaqn5isfvy4QmIDUu0tikqj:+kKJisLQVkGj
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes (pid, process):
3944 netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Key value queried: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation
Process: 48bc9497ff9b6e89c49c58196375fea257d99fbff312a449ad9cd0d25e16a311.exe
Executes dropped EXE 1 IoCs
Processes (pid, process):
220 WindowsServices.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 35 IoCs
Processes (token, pid, process):
SeDebugPrivilege 220 WindowsServices.exe
then, alternating and repeated: 33 220 WindowsServices.exe / SeIncBasePriorityPrivilege 220 WindowsServices.exe (35 token adjustments in total; token 33 is the LUID of SeIncreaseWorkingSetPrivilege)
Suspicious use of WriteProcessMemory 6 IoCs
Processes (pid, process, target process):
3688 48bc9497ff9b6e89c49c58196375fea257d99fbff312a449ad9cd0d25e16a311.exe wrote to memory of 220 WindowsServices.exe (3 events)
220 WindowsServices.exe wrote to memory of 3944 netsh.exe (3 events)
Both writes go from a parent into a child it has just started. The sandbox hook sees the parent populating the new process, so this signature also fires on ordinary process creation and is not by itself evidence of injection; the self-copy to %APPDATA% and the netsh firewall change are the substantive findings here.
Processes
1: C:\Users\Admin\AppData\Local\Temp\48bc9497ff9b6e89c49c58196375fea257d99fbff312a449ad9cd0d25e16a311.exe (PID 3688)
   command line: "C:\Users\Admin\AppData\Local\Temp\48bc9497ff9b6e89c49c58196375fea257d99fbff312a449ad9cd0d25e16a311.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2: C:\Users\Admin\AppData\Roaming\WindowsServices.exe (PID 220)
      command line: "C:\Users\Admin\AppData\Roaming\WindowsServices.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3: C:\Windows\SysWOW64\netsh.exe (PID 3944)
         command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\WindowsServices.exe" "WindowsServices.exe" ENABLE
         - Modifies Windows Firewall
1: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (separate top-level process; no parent link to the sample is recorded)
   command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3240,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=4588 /prefetch:8
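The two behaviours worth alerting on in this tree are the sample running a byte-identical copy of itself from %APPDATA% and that copy spawning netsh to add a firewall exception for its own path. The following is an added example, not part of the sandbox report or the sample: a small detector that replays process-creation events shaped like the tree above and emits a finding for each behaviour. The event records are constructed here from the report's own PIDs, paths and hashes (ppid 0 marks a parent the report does not show); the field names pid/ppid/image/cmdline/sha256 are an assumed schema, not Sysmon's or the sandbox's. The parser goes beyond the report's legacy `netsh firewall add allowedprogram` form and also handles the current `netsh advfirewall firewall add rule ... program=... action=allow` form, ignoring `action=block` rules.

```python
"""Detector for a self-copied implant opening the Windows firewall for itself (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_SHA256 = "48bc9497ff9b6e89c49c58196375fea257d99fbff312a449ad9cd0d25e16a311"
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP_DIR + "\\" + SAMPLE_SHA256 + ".exe"
DROPPED_EXE = r"C:\Users\Admin\AppData\Roaming\WindowsServices.exe"


@dataclass
class ProcEvent:
    """Minimal process-creation record. Assumed schema, not Sysmon/Triage fields."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    sha256: str = ""  # hash of the image on disk, empty if not recorded


# Constructed from the report's process tree; ppid 0 = parent not shown in the report.
EVENTS: List[ProcEvent] = [
    ProcEvent(3688, 0, SAMPLE_PATH, f'"{SAMPLE_PATH}"', SAMPLE_SHA256),
    ProcEvent(220, 3688, DROPPED_EXE, f'"{DROPPED_EXE}"', SAMPLE_SHA256),
    ProcEvent(3944, 220, r"C:\Windows\SysWOW64\netsh.exe",
              f'netsh firewall add allowedprogram "{DROPPED_EXE}" "WindowsServices.exe" ENABLE'),
    # Unrelated sandbox noise, as in the report: an Edge utility process with no link to the sample.
    ProcEvent(4100, 0, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" --type=utility', "1" * 64),
]

# Legacy context (still executed on Windows 10, with a deprecation notice):
#   netsh firewall add allowedprogram [program=]<path> [name=]<name> [[mode=]ENABLE|DISABLE]
LEGACY_RE = re.compile(r'\bfirewall\s+add\s+allowedprogram\s+(?:program=)?(?:"([^"]+)"|(\S+))', re.I)
# Current context: netsh advfirewall firewall add rule name=... dir=... action=allow program=<path>
ADV_RE = re.compile(r'\badvfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))', re.I | re.S)
# Locations a non-admin user can write to; a firewall exception for a binary here is suspicious.
USER_WRITABLE_RE = re.compile(
    r'(?:\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\|\\Downloads\\|%(?:APPDATA|LOCALAPPDATA|TEMP|TMP|PUBLIC)%)',
    re.I)


def firewall_allowed_program(cmdline: str) -> Optional[str]:
    """Return the program path a netsh command creates an allow entry for, or None."""
    m = LEGACY_RE.search(cmdline)
    if m:
        return m.group(1) or m.group(2)
    m = ADV_RE.search(cmdline)
    if m and re.search(r'\baction=allow\b', cmdline, re.I):  # a block rule is not an exception
        return m.group(1) or m.group(2)
    return None


def analyze(events: List[ProcEvent]) -> List[dict]:
    """Correlate parent/child events and return findings in event order."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[dict] = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        # 1. Child has the same on-disk hash as its parent but runs from another path:
        #    the parent wrote a copy of itself and launched it ("Executes dropped EXE").
        if parent and ev.sha256 and ev.sha256 == parent.sha256 and ev.image.lower() != parent.image.lower():
            findings.append({"rule": "self_copy_executed", "pid": ev.pid, "ppid": parent.pid,
                             "image": ev.image,
                             "user_writable": bool(USER_WRITABLE_RE.search(ev.image))})
        # 2. netsh adding a firewall allow entry for a program in a user-writable location.
        if ev.image.lower().endswith("\\netsh.exe"):
            prog = firewall_allowed_program(ev.cmdline)
            if prog and USER_WRITABLE_RE.search(prog):
                findings.append({"rule": "firewall_allow_user_writable", "pid": ev.pid, "program": prog,
                                 # True when the process that spawned netsh is the program being
                                 # allowed: the implant opened the firewall for itself.
                                 "self_whitelist": parent is not None and parent.image.lower() == prog.lower()})
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

Run against the constructed events this yields exactly two findings, `self_copy_executed` for PID 220 (parent 3688, path under AppData) and `firewall_allow_user_writable` for PID 3944 with `self_whitelist` set, while the Edge process produces nothing. On a live host the same question can be answered after the fact with `netsh advfirewall firewall show rule name=all`, since the legacy `netsh firewall` context still creates an ordinary inbound allow rule.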
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Roaming\WindowsServices.exe
Filesize 31KB
MD5 fe6f894736afcbaaa70712986819dd63
SHA1 420b0ef62191359231cf5e07c24fa2774e8ae121
SHA256 48bc9497ff9b6e89c49c58196375fea257d99fbff312a449ad9cd0d25e16a311
SHA512 9e8ee88d0f27d6c220a296935158735d1a540c0510332d0a294709cde1c2b2161e9109232350e6933d1096b42af4a24d842a59545e92c6d43448e863c3c53f6a
Size and all four hashes match the submitted sample: the dropped file is a byte-identical copy that the sample writes to %APPDATA%\WindowsServices.exe and then executes.
-
memory/220-13: 0x0000000074B20000-0x00000000750D1000 (5.7MB)
memory/220-14: 0x0000000074B20000-0x00000000750D1000 (5.7MB)
memory/220-15: 0x0000000074B20000-0x00000000750D1000 (5.7MB)
memory/3688-0: 0x0000000074B22000-0x0000000074B23000 (4KB)
memory/3688-1: 0x0000000074B20000-0x00000000750D1000 (5.7MB)
memory/3688-2: 0x0000000074B20000-0x00000000750D1000 (5.7MB)
memory/3688-12: 0x0000000074B20000-0x00000000750D1000 (5.7MB)
The same 5.7MB region (0x74B20000-0x750D1000) is dumped from both PID 3688 and PID 220, as expected for two processes running the same 32-bit image.