Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system -
submitted
12-06-2024 01:38
Static task
static1
Behavioral task
behavioral1
Sample
53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe
Resource
win10v2004-20240226-en
General
-
Target
53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe
-
Size
166KB
-
MD5
ed1f4802fc687f24827dc818def3862c
-
SHA1
e4a066d81dd582f7dee2d523feac1612f1809649
-
SHA256
53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d
-
SHA512
4720a25d5bb6de9b8cc8cf2ef2b11fb52e3ad9fabd25ebcec92ce055671dcbb0dd2882c95580449e6c4374a3d927a1d7c949d75db76772d02ce5465aad97a40d
-
SSDEEP
768:bQ0KFwpdwTXm/Rer+pg4pXDOTixnaLB0Kt4r:bQBGwTXmMrIDpXDO0nO0Kt4r
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe
  description          ioc                                                                                              process
  Key value queried    \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation    53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration. The sandbox label is generic: the invocation actually recorded below is ipconfig /release, which drops the adapter's DHCP lease and takes the host off the network rather than merely displaying its configuration.
Processes:
ipconfig.exe
  pid     process
  4080    ipconfig.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe
  description                pid     process
  Token: SeDebugPrivilege    1424    53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe, cmd.exe
  description                       pid     process                                                                 target process
  PID 1424 wrote to memory of 2304  1424    53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe    cmd.exe
  PID 1424 wrote to memory of 2304  1424    53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe    cmd.exe
  PID 1424 wrote to memory of 2304  1424    53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe    cmd.exe
  PID 2304 wrote to memory of 4080  2304    cmd.exe                                                                 ipconfig.exe
  PID 2304 wrote to memory of 4080  2304    cmd.exe                                                                 ipconfig.exe
  PID 2304 wrote to memory of 4080  2304    cmd.exe                                                                 ipconfig.exe
Every target here is a child the writer itself just spawned (the sample into cmd.exe, cmd.exe into ipconfig.exe), which is the write activity that accompanies ordinary process creation; this report shows no write into an unrelated, already-running process.
Processes
-
C:\Users\Admin\AppData\Local\Temp\53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe"
  depth: 1
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1424 -
    C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ipconfig /release
    depth: 2 (the System32 path was requested but the SysWOW64 image was loaded, so the sample runs as a 32-bit process under WoW64 on this x64 image)
    - Suspicious use of WriteProcessMemory
    PID:2304 -
      C:\Windows\SysWOW64\ipconfig.exe
      command line: ipconfig /release
      depth: 3
      - Gathers network information
      PID:4080
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4416 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
  depth: 1 (a separate root process with no ancestor in the sample's tree: background activity of the sandbox image, not spawned by the sample)
  PID:2972
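The behaviours this report flags (a geofence lookup of Geo\Nation by a binary in a user-writable directory, SeDebugPrivilege enabled by that binary, and a cmd.exe -> ipconfig /release chain that disconnects the host) can be expressed as detection logic over process, registry and token events. The following is an added example written for this page, not code from the sandbox vendor or from the report: it runs over a constructed event set whose PIDs, paths and registry key are copied from the report above. The event schema (kind/pid/ppid/image/cmdline/key/privilege), the ppid value 0 standing in for the unrecorded parent of each root process, and the rule names are assumptions for the example.

```python
"""Detection rules over sandbox-style events mirroring this report (added example)."""
import ntpath
import re

# Processes living under a user's AppData tree (Temp, Roaming, ...) are treated as
# "user-writable origin"; legitimate tooling reading Geo\Nation or asking for
# SeDebugPrivilege normally lives under C:\Windows or Program Files instead.
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)

SAMPLE = "53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
CMD_IMAGE = r"C:\Windows\SysWOW64\cmd.exe"
IPCONFIG_IMAGE = r"C:\Windows\SysWOW64\ipconfig.exe"
EDGE_IMAGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed events (schema is an assumption); values are taken from the report.
# ppid 0 is a placeholder for a parent the report does not record.
EVENTS = [
    {"kind": "process", "pid": 1424, "ppid": 0, "image": SAMPLE_PATH,
     "cmdline": '"' + SAMPLE_PATH + '"'},
    {"kind": "regquery", "pid": 1424,
     "key": r"\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"kind": "token", "pid": 1424, "privilege": "SeDebugPrivilege"},
    {"kind": "process", "pid": 2304, "ppid": 1424, "image": CMD_IMAGE,
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ipconfig /release'},
    {"kind": "process", "pid": 4080, "ppid": 2304, "image": IPCONFIG_IMAGE,
     "cmdline": "ipconfig /release"},
    {"kind": "process", "pid": 2972, "ppid": 0, "image": EDGE_IMAGE,
     "cmdline": '"' + EDGE_IMAGE + '" --type=utility'},
]


def build_process_table(events):
    """Map pid -> process-creation event."""
    return {e["pid"] for e in []} or {e["pid"]: e for e in events if e["kind"] == "process"}


def ancestry(pid, procs):
    """Images from the outermost known ancestor down to pid (cycle-safe)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return list(reversed(chain))


def is_user_writable(image):
    return bool(USER_WRITABLE.match(image))


def wow64_redirected(proc):
    """True when a System32 path was requested but the SysWOW64 image was loaded:
    file-system redirection applied because the parent is a 32-bit process."""
    return ("\\system32\\" in proc["cmdline"].lower()
            and "\\syswow64\\" in proc["image"].lower())


def detect(events):
    """Return (rule_name, ancestry_chain) findings in event order."""
    procs = build_process_table(events)
    findings = []
    for e in events:
        image = procs.get(e["pid"], {}).get("image", "")
        if e["kind"] == "regquery":
            # Geofence check: country code read by a binary from a user-writable path.
            if GEO_NATION.search(e["key"]) and is_user_writable(image):
                findings.append(("geofence_check", ancestry(e["pid"], procs)))
        elif e["kind"] == "token":
            if e["privilege"] == "SeDebugPrivilege" and is_user_writable(image):
                findings.append(("sedebug_from_user_dir", ancestry(e["pid"], procs)))
        elif e["kind"] == "process":
            chain = ancestry(e["pid"], procs)
            if wow64_redirected(e):
                findings.append(("wow64_redirection", chain))
            name = ntpath.basename(e["image"]).lower()
            # ipconfig /release drops the DHCP lease; flag it when any ancestor
            # came from a user-writable directory (here: the sample in Temp).
            if name == "ipconfig.exe" and re.search(r"/release\b", e["cmdline"], re.I):
                if any(is_user_writable(i) for i in chain):
                    findings.append(("dhcp_release_from_user_dir", chain))
    return findings


if __name__ == "__main__":
    for rule, chain in detect(EVENTS):
        print(rule, "<-", " -> ".join(ntpath.basename(i) for i in chain))
```

The Edge utility process produces no finding because it has no user-writable ancestor and neither reads Geo\Nation nor runs ipconfig; the sample's own tree yields the geofence, SeDebugPrivilege, WoW64 and DHCP-release findings in the order the events occurred.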