Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/06/2024, 01:14
Static task: static1
Behavioral task: behavioral1
  Sample: 019a3cbf6e010648c95022f85d62f860.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 019a3cbf6e010648c95022f85d62f860.exe
  Resource: win10v2004-20240426-en
General
Target: 019a3cbf6e010648c95022f85d62f860.exe
Size: 88KB
MD5: 019a3cbf6e010648c95022f85d62f860
SHA1: ad9b5306c6a4414eaf8deba1844f44385f851007
SHA256: 197cad7906f9104440c231c2ada1d29ee21bcd355b20ce743a241e55e229df9f
SHA512: 2c494e93ef603d0a0dea2e79ae8fe862b0f48d6297f54f992a45df93c2d92807e535bc7c1b1d03d431bd81a8c84ce88ef29428cb67f1e890f26571bba72f7a61
SSDEEP: 1536:ahUDofByDJWbMGcEFLPEPKOJUsy1+VMA:aIofBHbKMP0PvMA
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation (process: 019a3cbf6e010648c95022f85d62f860.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation (process: explorer.exe)
Executes dropped EXE (4 IoCs)
  PID 2356 explorer.exe
  PID 3448 explorer.exe
  PID 3596 explorer.exe
  PID 2076 explorer.exe
Memory resources matching yara_rule "upx":
  behavioral2/memory/2312-2-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral2/memory/2312-18-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral2/memory/2312-20-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral2/memory/2312-62-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral2/memory/3448-93-0x0000000000400000-0x000000000040B000-memory.dmp
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Video Driver = "C:\\Users\\Admin\\AppData\\Roaming\\config\\explorer.exe" (process: reg.exe)
Suspicious use of SetThreadContext (4 IoCs)
  PID 3184 set thread context of 2312 (process: 3184 019a3cbf6e010648c95022f85d62f860.exe, procid_target 81)
  PID 2356 set thread context of 3448 (process: 2356 explorer.exe, procid_target 89)
  PID 2356 set thread context of 3596 (process: 2356 explorer.exe, procid_target 90)
  PID 3596 set thread context of 2076 (process: 3596 explorer.exe, procid_target 91)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeDebugPrivilege, PID 3448 explorer.exe (the same entry repeated 64 times)
Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 3184 019a3cbf6e010648c95022f85d62f860.exe
  PID 2312 019a3cbf6e010648c95022f85d62f860.exe
  PID 2356 explorer.exe
  PID 3448 explorer.exe
Suspicious use of WriteProcessMemory (39 IoCs, grouped by writer/target pair)
  PID 3184 wrote to memory of 2312 (process: 3184 019a3cbf6e010648c95022f85d62f860.exe, procid_target 81): 8 entries
  PID 2312 wrote to memory of 3376 (process: 2312 019a3cbf6e010648c95022f85d62f860.exe, procid_target 82): 3 entries
  PID 3376 wrote to memory of 4116 (process: 3376 cmd.exe, procid_target 85): 3 entries
  PID 2312 wrote to memory of 2356 (process: 2312 019a3cbf6e010648c95022f85d62f860.exe, procid_target 86): 3 entries
  PID 2356 wrote to memory of 3448 (process: 2356 explorer.exe, procid_target 89): 8 entries
  PID 2356 wrote to memory of 3596 (process: 2356 explorer.exe, procid_target 90): 7 entries
  PID 3596 wrote to memory of 2076 (process: 3596 explorer.exe, procid_target 91): 7 entries
Processes
C:\Users\Admin\AppData\Local\Temp\019a3cbf6e010648c95022f85d62f860.exe (PID 3184, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\019a3cbf6e010648c95022f85d62f860.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\019a3cbf6e010648c95022f85d62f860.exe (PID 2312, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\019a3cbf6e010648c95022f85d62f860.exe"
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 3376, level 3)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HIFNA.bat" "
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe (PID 4116, level 4)
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Video Driver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\config\explorer.exe" /f
        - Adds Run key to start application
    C:\Users\Admin\AppData\Roaming\config\explorer.exe (PID 2356, level 3)
      Command line: "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\config\explorer.exe (PID 3448, level 4)
        Command line: "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
      C:\Users\Admin\AppData\Roaming\config\explorer.exe (PID 3596, level 4)
        Command line: "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\config\explorer.exe (PID 2076, level 5)
          Command line: "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
          - Checks computer location settings
          - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 294B
  MD5: 0337b4e28ecebee0d2c844b23d9f30b9
  SHA1: 53e8d04322e9a3f1d1c68c5c7bc8c42630b0a92a
  SHA256: b332c6f545192caa994514748e283fa16298c5e3d46ac41955615cd39898fb57
  SHA512: 0e6453740e050cfb8bbf74e3a9f53a2b85d2f069cbf9bfe670ea2c336da0a9875574f53bb00e99f2f2b0b73c10cc79998727124ef2219448e06dcf2a73040002
Filesize: 149B
  MD5: fc1798b7c7938454220fda837a76f354
  SHA1: b232912930b2bc24ff18bf7ecd58f872bbe01ea0
  SHA256: 7f0a5917b5aca9c5beb153aad0ef95bf0aeafb83768da5b086c3f029ba42d7c8
  SHA512: d1abdd45a8e5d33893b9d19424174a07feed145d2e6b4be318ab5fde503f850579a4a101a010f30e16ecde2c7123f45357a8341214655321ee0f0097ca911331
Filesize: 88KB
  MD5: 654d81db575755684c6f8b895f8faff6
  SHA1: d475d21f7a6b604fff6417fb7dcc45afe7414020
  SHA256: 25a8a2195549dba33ae3f694a806743c1023ee49a418774b68fce5b9948b5c6d
  SHA512: 46185213fa9f08e6e53d1cd23f485442b3d4b9533bc76225554e0c76a0fb04c0e87b5f3d9fcb6e97234f233e6db307e351f7de728ca00cce41ea55b2c60cccf2