Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
01-06-2024 05:38
Static task
static1
Behavioral task
behavioral1
Sample
fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe
Resource
win10v2004-20240508-en
General
-
Target
fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe
-
Size
40KB
-
MD5
0fcd032837b2c2bad9df78bb8f1b11b9
-
SHA1
4e6b7b19cdc2cd65e98c4016de63ebc3f865a5db
-
SHA256
fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c
-
SHA512
ed26a02ed5995f9b9e83063b36056ae89d47f0c4f991821e2d8899f294b391e5bf401be8830025f652eb43719fb1f5fdf78aeacba090a57692c9e3dce3a1214f
-
SSDEEP
768:eLPXwagzrIoXWOFBsTBkbHrHXd4fCJcEHwzOx0vc:ej8I4sTB4bqh1vc
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Admin.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe -
Executes dropped EXE 1 IoCs
pid Process 4948 Admin.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe" fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe" Admin.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 4948 Admin.exe 4948 Admin.exe 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 4948 Admin.exe 4948 Admin.exe 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 4948 Admin.exe 4948 Admin.exe 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 4948 Admin.exe 4948 Admin.exe 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 4948 Admin.exe 4948 Admin.exe 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 4948 Admin.exe 4948 Admin.exe 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 4948 Admin.exe 4948 Admin.exe 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 4948 Admin.exe 4948 Admin.exe 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 4948 Admin.exe 4948 Admin.exe 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 4948 Admin.exe 4948 Admin.exe 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 4948 Admin.exe 4948 Admin.exe 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 4948 Admin.exe 4948 Admin.exe 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 4948 Admin.exe 4948 Admin.exe 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 4948 Admin.exe 4948 Admin.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 4948 Admin.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2680 wrote to memory of 4948 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 90 PID 2680 wrote to memory of 4948 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 90 PID 2680 wrote to memory of 4948 2680 fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe"C:\Users\Admin\AppData\Local\Temp\fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Users\Admin\Admin.exe"C:\Users\Admin\Admin.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4948
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
40KB
MD5d2eb18ac0ac5cce86c03f086b838fc29
SHA1fac03cb2a0baf07fadb374cb66997c1256cd977c
SHA256c7f9e86f8e370d16719d607b53e74cffb0c98f3a77af2b5e2346a0deac359041
SHA5127423704851934dd509516f0118351599f67692983464b2dcb6a42dfa918f5821ecc74884e7ceb34b8e0c9c14fa5568dbad7b1b720d8f86ff7a9530ac4d2ac9ef