Analysis
- max time kernel: 151s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-06-2024 01:35
Static task: static1
Behavioral task: behavioral1
Sample: 3210-9-A-2962-12-L/3210-9-A-2962-12-L.exe
Resource: win7-20240221-en
General
- Target: 3210-9-A-2962-12-L/3210-9-A-2962-12-L.exe
- Size: 646KB
- MD5: 13c682a062eeb266a8f1b56490a19e4b
- SHA1: fc28cd5dd42aef8d52b786ffdbac7d17672b947e
- SHA256: 290b4f67f8205d1f7d1c6acf42263f9313270093dbad3ea9774be7df41b4cf16
- SHA512: fc6ddf0e7111c38dd249162288ef3591ee80500824faa1ac08fa112d449d14ed821580c62d18fa9fca9248a7e8963a945d9abc64b442d90abda3de29da4578bd
- SSDEEP: 12288:IADWHQwxhctmk1ThJz1oek2a+J9xTFTbCJHsvLxPCULL3byOwVZQL9pU:VDDmQlTlR9zvCJMj9rLrmfaHU
Malware Config

Signatures

UAC bypass
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 3210-9-A-2962-12-L.exe

Windows security bypass
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | 3210-9-A-2962-12-L.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\3210-9-A-2962-12-L\3210-9-A-2962-12-L.exe = "0" | 3210-9-A-2962-12-L.exe

Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid | Process
  4072 | powershell.exe

Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 3210-9-A-2962-12-L.exe

Windows security modification
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | 3210-9-A-2962-12-L.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions | 3210-9-A-2962-12-L.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\3210-9-A-2962-12-L\3210-9-A-2962-12-L.exe = "0" | 3210-9-A-2962-12-L.exe

Checks whether UAC is enabled
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 3210-9-A-2962-12-L.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 3210-9-A-2962-12-L.exe

Suspicious use of SetThreadContext (4 IoCs)
  description | pid | Process | procid_target
  PID 5088 set thread context of 2640 | 5088 | 3210-9-A-2962-12-L.exe | 97
  PID 2640 set thread context of 3332 | 2640 | aspnet_wp.exe | 57
  PID 2640 set thread context of 2252 | 2640 | aspnet_wp.exe | 111
  PID 2252 set thread context of 3332 | 2252 | fontview.exe | 57

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Runs regedit.exe (1 IoCs)
  pid | Process
  4252 | regedit.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated entries collapsed)
  pid | Process
  4072 | powershell.exe
  2640 | aspnet_wp.exe
  2252 | fontview.exe

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid | Process
  2640 | aspnet_wp.exe
  3332 | Explorer.EXE
  3332 | Explorer.EXE
  2252 | fontview.exe
  2252 | fontview.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 5088 | 3210-9-A-2962-12-L.exe
  Token: SeDebugPrivilege | 4072 | powershell.exe

Suspicious use of WriteProcessMemory (22 IoCs; repeated entries collapsed)
  description | pid | Process | procid_target
  PID 5088 wrote to memory of 4072 | 5088 | 3210-9-A-2962-12-L.exe | 93
  PID 5088 wrote to memory of 216 | 5088 | 3210-9-A-2962-12-L.exe | 95
  PID 5088 wrote to memory of 4252 | 5088 | 3210-9-A-2962-12-L.exe | 96
  PID 5088 wrote to memory of 2640 | 5088 | 3210-9-A-2962-12-L.exe | 97
  PID 5088 wrote to memory of 5036 | 5088 | 3210-9-A-2962-12-L.exe | 98
  PID 3332 wrote to memory of 2252 | 3332 | Explorer.EXE | 111

System policy modification (1 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 3210-9-A-2962-12-L.exe
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3332
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\3210-9-A-2962-12-L\3210-9-A-2962-12-L.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3210-9-A-2962-12-L\3210-9-A-2962-12-L.exe"
    PID: 5088
    - UAC bypass
    - Windows security bypass
    - Checks computer location settings
    - Windows security modification
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3210-9-A-2962-12-L\3210-9-A-2962-12-L.exe" -Force
      PID: 4072
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\calc.exe
      Command line: "C:\Windows\System32\calc.exe"
      PID: 216

    C:\Windows\regedit.exe
      Command line: "C:\Windows\regedit.exe"
      PID: 4252
      - Runs regedit.exe

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
      PID: 2640
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
      PID: 5036

  C:\Windows\SysWOW64\fontview.exe
    Command line: "C:\Windows\SysWOW64\fontview.exe"
    PID: 2252
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4060 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
  PID: 1144
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 60B
- MD5: d17fe0a3f47be24a6453e9ef58c94641
- SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
- SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
- SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82