c7b130f5b5a0c5d2fa4d202143d40393eccd2bcf563c7496a51ee267dd50bc16

Analysis

max time kernel
149s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
19-06-2024 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

835e27dcd567204d905fb88c8a7d9e086349f8fd626721e5364041c15a332f73.exe
Size

855KB
MD5

93e1256e37cac4fa162ea90eeb7c72b1
SHA1

e0118027062bef44053998f74162d4e125cc2d61
SHA256

835e27dcd567204d905fb88c8a7d9e086349f8fd626721e5364041c15a332f73
SHA512

a34143ad4aa2d09ee08d458c3a22cd9b005dcb20724ea34a00e7ac5ec46d3840cf191a5bb05fad52a50833029bb941c0852b7863475c1e9b92dcc605dccb75ce
SSDEEP

12288:755MHyv+3UDgck8JvirnUdnUwNwtK+CVINPX9yKBg7vjKP:15MHGhS8J3B/moit9yKe/K

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

835e27dcd567204d905fb88c8a7d9e086349f8fd626721e5364041c15a332f73.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	835e27dcd567204d905fb88c8a7d9e086349f8fd626721e5364041c15a332f73.exe

Drops startup file 3 IoCs

Processes:

cmd.exe835e27dcd567204d905fb88c8a7d9e086349f8fd626721e5364041c15a332f73.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nfjtur874uu\nc8f8ruu.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nfjtur874uu\nc8f8ruu.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nc8f8ruu.lnk	835e27dcd567204d905fb88c8a7d9e086349f8fd626721e5364041c15a332f73.exe

Executes dropped EXE 1 IoCs

Processes:

nc8f8ruu.exe

pid process

1544 nc8f8ruu.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

2448 PING.EXE
1836 PING.EXE

pid	process
1544	nc8f8ruu.exe

pid	process
2448	PING.EXE
1836	PING.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

835e27dcd567204d905fb88c8a7d9e086349f8fd626721e5364041c15a332f73.exenheyryryy4u.exenc8f8ruu.exe

pid	process
4468	835e27dcd567204d905fb88c8a7d9e086349f8fd626721e5364041c15a332f73.exe
3916	nheyryryy4u.exe
3916	nheyryryy4u.exe
3916	nheyryryy4u.exe
3916	nheyryryy4u.exe
3916	nheyryryy4u.exe
3916	nheyryryy4u.exe
3916	nheyryryy4u.exe
3916	nheyryryy4u.exe
3916	nheyryryy4u.exe
3916	nheyryryy4u.exe
3916	nheyryryy4u.exe
3916	nheyryryy4u.exe
3916	nheyryryy4u.exe
3916	nheyryryy4u.exe
3916	nheyryryy4u.exe
3916	nheyryryy4u.exe
3916	nheyryryy4u.exe
3916	nheyryryy4u.exe
3916	nheyryryy4u.exe
1544	nc8f8ruu.exe
1544	nc8f8ruu.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

835e27dcd567204d905fb88c8a7d9e086349f8fd626721e5364041c15a332f73.exe

pid process

4468 835e27dcd567204d905fb88c8a7d9e086349f8fd626721e5364041c15a332f73.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

835e27dcd567204d905fb88c8a7d9e086349f8fd626721e5364041c15a332f73.exenheyryryy4u.exenc8f8ruu.exe

description	pid	process
Token: SeDebugPrivilege	4468	835e27dcd567204d905fb88c8a7d9e086349f8fd626721e5364041c15a332f73.exe
Token: SeDebugPrivilege	3916	nheyryryy4u.exe
Token: SeDebugPrivilege	1544	nc8f8ruu.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

835e27dcd567204d905fb88c8a7d9e086349f8fd626721e5364041c15a332f73.exenheyryryy4u.execmd.exenc8f8ruu.exe

description	pid	process	target process
PID 4468 wrote to memory of 3916	4468	835e27dcd567204d905fb88c8a7d9e086349f8fd626721e5364041c15a332f73.exe	nheyryryy4u.exe
PID 4468 wrote to memory of 3916	4468	835e27dcd567204d905fb88c8a7d9e086349f8fd626721e5364041c15a332f73.exe	nheyryryy4u.exe
PID 4468 wrote to memory of 3916	4468	835e27dcd567204d905fb88c8a7d9e086349f8fd626721e5364041c15a332f73.exe	nheyryryy4u.exe
PID 3916 wrote to memory of 3760	3916	nheyryryy4u.exe	cmd.exe
PID 3916 wrote to memory of 3760	3916	nheyryryy4u.exe	cmd.exe
PID 3916 wrote to memory of 3760	3916	nheyryryy4u.exe	cmd.exe
PID 3760 wrote to memory of 2448	3760	cmd.exe	PING.EXE
PID 3760 wrote to memory of 2448	3760	cmd.exe	PING.EXE
PID 3760 wrote to memory of 2448	3760	cmd.exe	PING.EXE
PID 3760 wrote to memory of 1836	3760	cmd.exe	PING.EXE
PID 3760 wrote to memory of 1836	3760	cmd.exe	PING.EXE
PID 3760 wrote to memory of 1836	3760	cmd.exe	PING.EXE
PID 3760 wrote to memory of 1544	3760	cmd.exe	nc8f8ruu.exe
PID 3760 wrote to memory of 1544	3760	cmd.exe	nc8f8ruu.exe
PID 3760 wrote to memory of 1544	3760	cmd.exe	nc8f8ruu.exe
PID 1544 wrote to memory of 3156	1544	nc8f8ruu.exe	AddInProcess32.exe
PID 1544 wrote to memory of 3156	1544	nc8f8ruu.exe	AddInProcess32.exe
PID 1544 wrote to memory of 3156	1544	nc8f8ruu.exe	AddInProcess32.exe
PID 1544 wrote to memory of 3156	1544	nc8f8ruu.exe	AddInProcess32.exe
PID 1544 wrote to memory of 3156	1544	nc8f8ruu.exe	AddInProcess32.exe
PID 1544 wrote to memory of 3156	1544	nc8f8ruu.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\835e27dcd567204d905fb88c8a7d9e086349f8fd626721e5364041c15a332f73.exe
"C:\Users\Admin\AppData\Local\Temp\835e27dcd567204d905fb88c8a7d9e086349f8fd626721e5364041c15a332f73.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4468

C:\Users\Admin\AppData\Local\Temp\nheyryryy4u.exe
"C:\Users\Admin\AppData\Local\Temp\nheyryryy4u.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3916

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 39 > nul && copy "C:\Users\Admin\AppData\Local\Temp\nheyryryy4u.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nfjtur874uu\nc8f8ruu.exe" && ping 127.0.0.1 -n 39 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nfjtur874uu\nc8f8ruu.exe"
3⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:3760

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 39
4⤵
- Runs ping.exe
PID:2448

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 39
4⤵
- Runs ping.exe
PID:1836

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nfjtur874uu\nc8f8ruu.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nfjtur874uu\nc8f8ruu.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
5⤵
PID:3156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nfjtur874uu\nc8f8ruu.exe
Filesize
855KB

MD5
93e1256e37cac4fa162ea90eeb7c72b1

SHA1
e0118027062bef44053998f74162d4e125cc2d61

SHA256
835e27dcd567204d905fb88c8a7d9e086349f8fd626721e5364041c15a332f73

SHA512
a34143ad4aa2d09ee08d458c3a22cd9b005dcb20724ea34a00e7ac5ec46d3840cf191a5bb05fad52a50833029bb941c0852b7863475c1e9b92dcc605dccb75ce

Download Submit
memory/1544-25-0x0000000007100000-0x0000000007106000-memory.dmp

Filesize
24KB

Download
memory/1544-24-0x0000000007090000-0x00000000070AA000-memory.dmp

Filesize
104KB

Download
memory/1544-23-0x0000000000430000-0x000000000050C000-memory.dmp

Filesize
880KB

Download
memory/3916-12-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download
memory/3916-17-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download
memory/3916-15-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download
memory/3916-14-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download
memory/3916-13-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download
memory/4468-4-0x0000000004D60000-0x0000000004DF2000-memory.dmp

Filesize
584KB

Download
memory/4468-11-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download
memory/4468-9-0x0000000007030000-0x000000000755C000-memory.dmp

Filesize
5.2MB

Download
memory/4468-7-0x0000000005900000-0x000000000590A000-memory.dmp

Filesize
40KB

Download
memory/4468-6-0x0000000005080000-0x00000000050C4000-memory.dmp

Filesize
272KB

Download
memory/4468-5-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download
memory/4468-0-0x000000007470E000-0x000000007470F000-memory.dmp

Filesize
4KB

Download
memory/4468-3-0x0000000005310000-0x00000000058B4000-memory.dmp

Filesize
5.6MB

Download
memory/4468-2-0x0000000004CC0000-0x0000000004D5C000-memory.dmp

Filesize
624KB

Download
memory/4468-1-0x0000000000A80000-0x0000000000B5C000-memory.dmp

Filesize
880KB

Download