4e5a74d0131244f48e724e15596f31d4dfe515bb9671516c78564d7fcb67b9ee

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

820cd988df97ea0c180943b066cc8cd4.exe
Size

524KB
MD5

820cd988df97ea0c180943b066cc8cd4
SHA1

04fae8cf45b193382ffe5891e86ab7ad3d4be46c
SHA256

4e5a74d0131244f48e724e15596f31d4dfe515bb9671516c78564d7fcb67b9ee
SHA512

c492cd463c841c519b0dcd4d392270afd33adace9cc4d334d01c8989157bcd8f2140f83ed1698abf00bf897c9ae1c844c9695f9448116bad669e528742b9f329
SSDEEP

12288:kXNo92q8Fxta+MHzEqAL8BxrPKIkQXGU9zlnNW7:4Ni8Fx8+MHWLQPKIkQXGYBnNW7

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	820cd988df97ea0c180943b066cc8cd4.exe

Executes dropped EXE 3 IoCs

pid	Process
3472	կիյտյ.exe
3676	կիյտյ.exe
4264	կիյտյ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	4264	կիյտյ.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4660	820cd988df97ea0c180943b066cc8cd4.exe
3472	կիյտյ.exe
3676	կիյտյ.exe
4264	կիյտյ.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4660 wrote to memory of 3472	4660	820cd988df97ea0c180943b066cc8cd4.exe	81
PID 4660 wrote to memory of 3472	4660	820cd988df97ea0c180943b066cc8cd4.exe	81
PID 4660 wrote to memory of 3472	4660	820cd988df97ea0c180943b066cc8cd4.exe	81
PID 3472 wrote to memory of 3676	3472	կիյտյ.exe	82
PID 3472 wrote to memory of 3676	3472	կիյտյ.exe	82
PID 3472 wrote to memory of 3676	3472	կիյտյ.exe	82
PID 3676 wrote to memory of 1252	3676	կիյտյ.exe	83
PID 3676 wrote to memory of 1252	3676	կիյտյ.exe	83
PID 3676 wrote to memory of 1252	3676	կիյտյ.exe	83
PID 3676 wrote to memory of 1252	3676	կիյտյ.exe	83
PID 4264 wrote to memory of 3388	4264	կիյտյ.exe	96
PID 4264 wrote to memory of 3388	4264	կիյտյ.exe	96
PID 4264 wrote to memory of 3388	4264	կիյտյ.exe	96
PID 4264 wrote to memory of 3388	4264	կիյտյ.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\820cd988df97ea0c180943b066cc8cd4.exe
"C:\Users\Admin\AppData\Local\Temp\820cd988df97ea0c180943b066cc8cd4.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4660
- C:\ProgramData\կիյտյ.exe
  "C:\ProgramData\կիյտյ.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3472
- - C:\Users\Admin\AppData\Roaming\speedlink\կիյտյ.exe
    C:\Users\Admin\AppData\Roaming\speedlink\կիյտյ.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3676
  - - C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      PID:1252

C:\Users\Admin\AppData\Roaming\speedlink\կիյտյ.exe
C:\Users\Admin\AppData\Roaming\speedlink\կիյտյ.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:3388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\կիյտյ.exe

Filesize
524KB

MD5
820cd988df97ea0c180943b066cc8cd4

SHA1
04fae8cf45b193382ffe5891e86ab7ad3d4be46c

SHA256
4e5a74d0131244f48e724e15596f31d4dfe515bb9671516c78564d7fcb67b9ee

SHA512
c492cd463c841c519b0dcd4d392270afd33adace9cc4d334d01c8989157bcd8f2140f83ed1698abf00bf897c9ae1c844c9695f9448116bad669e528742b9f329

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-711569230-3659488422-571408806-1000\0f5007522459c86e95ffcc62f32308f1_5fd6b8d9-48b3-42c0-adc7-08f9fe7c965e

Filesize
1KB

MD5
e675a944590df523f5ed83ab05604248

SHA1
8887e41de8967a18577e2c03ea57bd81bf0efacc

SHA256
f7aa5ef3d91c650acdfcec642d544f6a44d3089c7cd193eda7bb4ea55611b2df

SHA512
875d2289cabf6f52a0e939e4553be9787b20f445508f98013b0bacafdb85caad49fd4198ed376e7f8e4544e6f192cb46ec211456a985f5829026f675d68f0908

Download Submit
memory/1252-27-0x000001BC865A0000-0x000001BC865BD000-memory.dmp

Filesize
116KB

Download
memory/1252-28-0x000001BC865A0000-0x000001BC865BD000-memory.dmp

Filesize
116KB

Download
memory/3388-37-0x000002AD8FC60000-0x000002AD8FC7D000-memory.dmp

Filesize
116KB

Download
memory/3472-11-0x00000000020A0000-0x00000000020A2000-memory.dmp

Filesize
8KB

Download
memory/3472-15-0x00000000020C0000-0x00000000020ED000-memory.dmp

Filesize
180KB

Download
memory/3472-29-0x00000000020C0000-0x00000000020ED000-memory.dmp

Filesize
180KB

Download
memory/3676-24-0x0000000002730000-0x000000000275D000-memory.dmp

Filesize
180KB

Download
memory/3676-26-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/3676-25-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/3676-30-0x0000000002730000-0x000000000275D000-memory.dmp

Filesize
180KB

Download