88e5ade2ec431b3a7398b1f81dfc4ed6119a9e95657c29a9d6646fb396f3761b

Resubmissions

29-06-2024 22:21

240629-19544s1epm 7

29-06-2024 22:13

240629-145amaxfjc 7

Analysis

max time kernel
150s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mev_bot.exe
Size

164.6MB
MD5

93b7c6724e1fac653f1e184052b65bc3
SHA1

ca8d7854d55d8a2d921f636c4cb23cde9a3cef8c
SHA256

1c75ccba25ea5641f46cff6a4cfe7bc98ae37378a967aece88a778050c4059bb
SHA512

5514d7c94059f88bdf7e092aa89116d01eb48f8b5acd050d569ee0d2328f334a9e6193206be41f3d541f87437d7264217a9260d260a5e02d22dc44c12ddde40c
SSDEEP

1572864:2Y4kA9UxkJnpZ4yOkfXfFrkaLxi1iY501leioZ4etfn7Niqld7vZ7S8u2fZuV+5L:npyXqzRTLr

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	mev_bot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	mev_bot.exe

Loads dropped DLL 4 IoCs

pid	Process
1652	mev_bot.exe
1652	mev_bot.exe
1652	mev_bot.exe
1652	mev_bot.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	mev_bot.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	mev_bot.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5084	mev_bot.exe
5084	mev_bot.exe
5084	mev_bot.exe
5084	mev_bot.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4488	mev_bot.exe
Token: SeCreatePagefilePrivilege	4488	mev_bot.exe
Token: SeShutdownPrivilege	4488	mev_bot.exe
Token: SeCreatePagefilePrivilege	4488	mev_bot.exe
Token: SeShutdownPrivilege	4488	mev_bot.exe
Token: SeCreatePagefilePrivilege	4488	mev_bot.exe
Token: SeShutdownPrivilege	4488	mev_bot.exe
Token: SeCreatePagefilePrivilege	4488	mev_bot.exe
Token: SeShutdownPrivilege	4488	mev_bot.exe
Token: SeCreatePagefilePrivilege	4488	mev_bot.exe
Token: SeShutdownPrivilege	4488	mev_bot.exe
Token: SeCreatePagefilePrivilege	4488	mev_bot.exe
Token: SeShutdownPrivilege	4488	mev_bot.exe
Token: SeCreatePagefilePrivilege	4488	mev_bot.exe
Token: SeShutdownPrivilege	4488	mev_bot.exe
Token: SeCreatePagefilePrivilege	4488	mev_bot.exe
Token: SeShutdownPrivilege	4488	mev_bot.exe
Token: SeCreatePagefilePrivilege	4488	mev_bot.exe
Token: SeShutdownPrivilege	4488	mev_bot.exe
Token: SeCreatePagefilePrivilege	4488	mev_bot.exe
Token: SeShutdownPrivilege	4488	mev_bot.exe
Token: SeCreatePagefilePrivilege	4488	mev_bot.exe
Token: SeShutdownPrivilege	4488	mev_bot.exe
Token: SeCreatePagefilePrivilege	4488	mev_bot.exe
Token: SeShutdownPrivilege	4488	mev_bot.exe
Token: SeCreatePagefilePrivilege	4488	mev_bot.exe
Token: SeShutdownPrivilege	4488	mev_bot.exe
Token: SeCreatePagefilePrivilege	4488	mev_bot.exe
Token: SeShutdownPrivilege	4488	mev_bot.exe
Token: SeCreatePagefilePrivilege	4488	mev_bot.exe
Token: SeShutdownPrivilege	4488	mev_bot.exe
Token: SeCreatePagefilePrivilege	4488	mev_bot.exe
Token: SeShutdownPrivilege	4488	mev_bot.exe
Token: SeCreatePagefilePrivilege	4488	mev_bot.exe
Token: SeShutdownPrivilege	4488	mev_bot.exe
Token: SeCreatePagefilePrivilege	4488	mev_bot.exe
Token: SeShutdownPrivilege	4488	mev_bot.exe
Token: SeCreatePagefilePrivilege	4488	mev_bot.exe
Token: SeShutdownPrivilege	4488	mev_bot.exe
Token: SeCreatePagefilePrivilege	4488	mev_bot.exe
Token: SeShutdownPrivilege	4488	mev_bot.exe
Token: SeCreatePagefilePrivilege	4488	mev_bot.exe
Token: SeShutdownPrivilege	4488	mev_bot.exe
Token: SeCreatePagefilePrivilege	4488	mev_bot.exe
Token: SeShutdownPrivilege	4488	mev_bot.exe
Token: SeCreatePagefilePrivilege	4488	mev_bot.exe
Token: SeShutdownPrivilege	4488	mev_bot.exe
Token: SeCreatePagefilePrivilege	4488	mev_bot.exe
Token: SeShutdownPrivilege	4488	mev_bot.exe
Token: SeCreatePagefilePrivilege	4488	mev_bot.exe
Token: SeShutdownPrivilege	4488	mev_bot.exe
Token: SeCreatePagefilePrivilege	4488	mev_bot.exe
Token: SeShutdownPrivilege	4488	mev_bot.exe
Token: SeCreatePagefilePrivilege	4488	mev_bot.exe
Token: SeShutdownPrivilege	4488	mev_bot.exe
Token: SeCreatePagefilePrivilege	4488	mev_bot.exe
Token: SeShutdownPrivilege	4488	mev_bot.exe
Token: SeCreatePagefilePrivilege	4488	mev_bot.exe
Token: SeShutdownPrivilege	4488	mev_bot.exe
Token: SeCreatePagefilePrivilege	4488	mev_bot.exe
Token: SeShutdownPrivilege	4488	mev_bot.exe
Token: SeCreatePagefilePrivilege	4488	mev_bot.exe
Token: SeShutdownPrivilege	4488	mev_bot.exe
Token: SeCreatePagefilePrivilege	4488	mev_bot.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4488 wrote to memory of 892	4488	mev_bot.exe	84
PID 4488 wrote to memory of 892	4488	mev_bot.exe	84
PID 4488 wrote to memory of 892	4488	mev_bot.exe	84
PID 4488 wrote to memory of 892	4488	mev_bot.exe	84
PID 4488 wrote to memory of 892	4488	mev_bot.exe	84
PID 4488 wrote to memory of 892	4488	mev_bot.exe	84
PID 4488 wrote to memory of 892	4488	mev_bot.exe	84
PID 4488 wrote to memory of 892	4488	mev_bot.exe	84
PID 4488 wrote to memory of 892	4488	mev_bot.exe	84
PID 4488 wrote to memory of 892	4488	mev_bot.exe	84
PID 4488 wrote to memory of 892	4488	mev_bot.exe	84
PID 4488 wrote to memory of 892	4488	mev_bot.exe	84
PID 4488 wrote to memory of 892	4488	mev_bot.exe	84
PID 4488 wrote to memory of 892	4488	mev_bot.exe	84
PID 4488 wrote to memory of 892	4488	mev_bot.exe	84
PID 4488 wrote to memory of 892	4488	mev_bot.exe	84
PID 4488 wrote to memory of 892	4488	mev_bot.exe	84
PID 4488 wrote to memory of 892	4488	mev_bot.exe	84
PID 4488 wrote to memory of 892	4488	mev_bot.exe	84
PID 4488 wrote to memory of 892	4488	mev_bot.exe	84
PID 4488 wrote to memory of 892	4488	mev_bot.exe	84
PID 4488 wrote to memory of 892	4488	mev_bot.exe	84
PID 4488 wrote to memory of 892	4488	mev_bot.exe	84
PID 4488 wrote to memory of 892	4488	mev_bot.exe	84
PID 4488 wrote to memory of 892	4488	mev_bot.exe	84
PID 4488 wrote to memory of 892	4488	mev_bot.exe	84
PID 4488 wrote to memory of 892	4488	mev_bot.exe	84
PID 4488 wrote to memory of 892	4488	mev_bot.exe	84
PID 4488 wrote to memory of 892	4488	mev_bot.exe	84
PID 4488 wrote to memory of 892	4488	mev_bot.exe	84
PID 4488 wrote to memory of 940	4488	mev_bot.exe	85
PID 4488 wrote to memory of 940	4488	mev_bot.exe	85
PID 4488 wrote to memory of 1652	4488	mev_bot.exe	86
PID 4488 wrote to memory of 1652	4488	mev_bot.exe	86
PID 4488 wrote to memory of 5084	4488	mev_bot.exe	92
PID 4488 wrote to memory of 5084	4488	mev_bot.exe	92

C:\Users\Admin\AppData\Local\Temp\mev_bot.exe
"C:\Users\Admin\AppData\Local\Temp\mev_bot.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4488
- C:\Users\Admin\AppData\Local\Temp\mev_bot.exe
  "C:\Users\Admin\AppData\Local\Temp\mev_bot.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\mev_bot" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1696 --field-trial-handle=1700,i,16127364143628330416,5429422161293122666,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:892
- C:\Users\Admin\AppData\Local\Temp\mev_bot.exe
  "C:\Users\Admin\AppData\Local\Temp\mev_bot.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\mev_bot" --mojo-platform-channel-handle=2132 --field-trial-handle=1700,i,16127364143628330416,5429422161293122666,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:940
- C:\Users\Admin\AppData\Local\Temp\mev_bot.exe
  "C:\Users\Admin\AppData\Local\Temp\mev_bot.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\mev_bot" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2376 --field-trial-handle=1700,i,16127364143628330416,5429422161293122666,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  PID:1652
- C:\Users\Admin\AppData\Local\Temp\mev_bot.exe
  "C:\Users\Admin\AppData\Local\Temp\mev_bot.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\mev_bot" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2252 --field-trial-handle=1700,i,16127364143628330416,5429422161293122666,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4d84ca6d-ec2c-474a-b20c-fb948c168625.tmp.node

Filesize
275KB

MD5
63a7fb96a3d09b74a0cc73aff7c48f5b

SHA1
5385ae620cc0edf178e270d924d01dea591cafdf

SHA256
f00d85eb45b70e6b4456d4916793162dcacac87a49678ea3dc376912bc7392bb

SHA512
d5af761a4e158defb2d9a804ca1f8ea8cc2b99b8e2d7329dfe09f9f1596f265155d93f39dc2feef5d3d0b60615b2707d787266d603d135dfd3d3a964eea998cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ae4b287-e9ad-4cde-884b-8b9630a39e1f.tmp.node

Filesize
147KB

MD5
5cb6b3762df753d84e4ffd4afe1a7e1c

SHA1
ae2b1c4652aec7315607fc413a4c258f11b69544

SHA256
48b7275f47cd44a05d349eb4fdb6cfc451ccbf609a4a56fa34452bcf231c1208

SHA512
5723c10ea9c26524f7866b9c749d9887b10c1514bf0cc893ba2a6e9c5d9690015cbcbe024653956af3fb842de3290b4c6c4beb051b67480bdae543d8fd3981cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\81c285c5-a84c-47bf-b9cf-2bcf533fc0a0.tmp.node

Filesize
148KB

MD5
4dc971c52b14a3843564fb0ce8a6a0c1

SHA1
5b19af49368e4f067cbc73af7b2b54bf2dc8efee

SHA256
27ec96008c48052d5f493683297c26b9136f1d6a9e73c3722e243bc959d7cc93

SHA512
52510b4c20146e635656814e7088464399cd4ca2d64ca67ee2b116ab4631918e092d90462fc450d610154b3284579cb8b7d0ca7bbc3a6eae6b0a348ccffd04dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7c2e887-8b95-437b-8956-e145628d89de.tmp.node

Filesize
187KB

MD5
1bdfa25647f9eef3f5bdaa031367116f

SHA1
f03a35891737b80899b052060709e3b877cc0a85

SHA256
c6fae5dfe840301ad481ecde333b693d374f17351a2fb206ec46e7257aea16dd

SHA512
3f4284d95db9c1d9205355fc5f5f0ecdbddaedbb1e7c8a4f9c003225da442330f7924da1be143af7720d8b71cc5e94177f548202170c0425a727625e24c76c00

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\mev_bot\Network\Network Persistent State

Filesize
300B

MD5
2444e9fa0bc90eda3c1637c3d6bba8d3

SHA1
830033c8595ce39be766f1951f07bb00ffaebaff

SHA256
997725dd7bb274001e9fbbba3398e76594673ad96c25bb4ee5ef4cbdf6410c9f

SHA512
7ad9d209926580df05064a31807f8bd3d59e2fb004e5ce03446f38338d926657efe82c120a581be5816c1adea48918deb54bff473f165c508dbc66839e1b2812

Download Submit
C:\Users\Admin\AppData\Roaming\mev_bot\Network\Network Persistent State~RFe589a47.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
memory/5084-89-0x000001E463460000-0x000001E463461000-memory.dmp

Filesize
4KB

Download
memory/5084-87-0x000001E463460000-0x000001E463461000-memory.dmp

Filesize
4KB

Download
memory/5084-88-0x000001E463460000-0x000001E463461000-memory.dmp

Filesize
4KB

Download
memory/5084-97-0x000001E463460000-0x000001E463461000-memory.dmp

Filesize
4KB

Download
memory/5084-99-0x000001E463460000-0x000001E463461000-memory.dmp

Filesize
4KB

Download
memory/5084-98-0x000001E463460000-0x000001E463461000-memory.dmp

Filesize
4KB

Download
memory/5084-96-0x000001E463460000-0x000001E463461000-memory.dmp

Filesize
4KB

Download
memory/5084-95-0x000001E463460000-0x000001E463461000-memory.dmp

Filesize
4KB

Download
memory/5084-94-0x000001E463460000-0x000001E463461000-memory.dmp

Filesize
4KB

Download
memory/5084-93-0x000001E463460000-0x000001E463461000-memory.dmp

Filesize
4KB

Download