Analysis

  • max time kernel
    151s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-06-2024 01:35

General

  • Target

    3210-9-A-2962-12-L/3210-9-A-2962-12-L.exe

  • Size

    646KB

  • MD5

    13c682a062eeb266a8f1b56490a19e4b

  • SHA1

    fc28cd5dd42aef8d52b786ffdbac7d17672b947e

  • SHA256

    290b4f67f8205d1f7d1c6acf42263f9313270093dbad3ea9774be7df41b4cf16

  • SHA512

    fc6ddf0e7111c38dd249162288ef3591ee80500824faa1ac08fa112d449d14ed821580c62d18fa9fca9248a7e8963a945d9abc64b442d90abda3de29da4578bd

  • SSDEEP

    12288:IADWHQwxhctmk1ThJz1oek2a+J9xTFTbCJHsvLxPCULL3byOwVZQL9pU:VDDmQlTlR9zvCJMj9rLrmfaHU

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs regedit.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3332
    • C:\Users\Admin\AppData\Local\Temp\3210-9-A-2962-12-L\3210-9-A-2962-12-L.exe
      "C:\Users\Admin\AppData\Local\Temp\3210-9-A-2962-12-L\3210-9-A-2962-12-L.exe"
      2⤵
      • UAC bypass
      • Windows security bypass
      • Checks computer location settings
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:5088
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3210-9-A-2962-12-L\3210-9-A-2962-12-L.exe" -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4072
      • C:\Windows\System32\calc.exe
        "C:\Windows\System32\calc.exe"
        3⤵
          PID:216
        • C:\Windows\regedit.exe
          "C:\Windows\regedit.exe"
          3⤵
          • Runs regedit.exe
          PID:4252
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          PID:2640
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
          3⤵
            PID:5036
        • C:\Windows\SysWOW64\fontview.exe
          "C:\Windows\SysWOW64\fontview.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          PID:2252
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4060 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:1144

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_piqu4b2s.j2o.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • memory/2252-31-0x0000000000810000-0x000000000084F000-memory.dmp

          Filesize

          252KB

        • memory/2252-34-0x0000000000810000-0x000000000084F000-memory.dmp

          Filesize

          252KB

        • memory/2640-33-0x0000000001470000-0x0000000001490000-memory.dmp

          Filesize

          128KB

        • memory/2640-32-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/2640-25-0x00000000014C0000-0x000000000180A000-memory.dmp

          Filesize

          3.3MB

        • memory/2640-30-0x0000000001470000-0x0000000001490000-memory.dmp

          Filesize

          128KB

        • memory/2640-29-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/2640-28-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/2640-18-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/2640-19-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/2640-27-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/3332-35-0x0000000007EA0000-0x0000000007FBC000-memory.dmp

          Filesize

          1.1MB

        • memory/4072-4-0x0000021D688F0000-0x0000021D68912000-memory.dmp

          Filesize

          136KB

        • memory/4072-23-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp

          Filesize

          10.8MB

        • memory/4072-20-0x0000021D688A0000-0x0000021D688B0000-memory.dmp

          Filesize

          64KB

        • memory/4072-17-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp

          Filesize

          10.8MB

        • memory/4072-16-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp

          Filesize

          10.8MB

        • memory/4072-15-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp

          Filesize

          10.8MB

        • memory/4072-5-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp

          Filesize

          10.8MB

        • memory/5088-24-0x00007FFCE8BB3000-0x00007FFCE8BB5000-memory.dmp

          Filesize

          8KB

        • memory/5088-26-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp

          Filesize

          10.8MB

        • memory/5088-0-0x00007FFCE8BB3000-0x00007FFCE8BB5000-memory.dmp

          Filesize

          8KB

        • memory/5088-3-0x0000017A5CDD0000-0x0000017A5CE6C000-memory.dmp

          Filesize

          624KB

        • memory/5088-2-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp

          Filesize

          10.8MB

        • memory/5088-1-0x0000017A426A0000-0x0000017A426AE000-memory.dmp

          Filesize

          56KB