Analysis

max time kernel: 150s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-08-2024 23:49
Static task: static1

Behavioral task: behavioral1
Sample: 8462556c700bc757868598e6ac13aaa7825ca162033d3a03bdad2c2a190f5a71.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: 8462556c700bc757868598e6ac13aaa7825ca162033d3a03bdad2c2a190f5a71.exe
Resource: win10v2004-20240802-en
General

Target: 8462556c700bc757868598e6ac13aaa7825ca162033d3a03bdad2c2a190f5a71.exe
Size: 11KB
MD5: 26ce1cebefda7f0b266cce96d65266af
SHA1: 111cec09050a02d6be9a8ac1287403079ea10978
SHA256: 8462556c700bc757868598e6ac13aaa7825ca162033d3a03bdad2c2a190f5a71
SHA512: c4b0249c29b8a9b37babae683c5118374119b51b1170507355fd27e9ff48f39dc724d71f5a56af8253ce1df1dfe2c95103847c9f7958c38d5a3e1b178e1c5fd9
SSDEEP: 192:Zg6eHLE5KxkDpnqKjIdtaCRYvRtCk1rE1Ty68A3CuYYpZ7E:G6eHIAx0pqNgHvRtoyhASuYYpZ7E
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation (process: 8462556c700bc757868598e6ac13aaa7825ca162033d3a03bdad2c2a190f5a71.exe)
Executes dropped EXE (1 IoC)
PID 1088: xplorer.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str): \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xplorer = "C:\\Windows\\xplorer\\xplorer.exe" (process: reg.exe)
Drops file in Windows directory (2 IoCs)
File created: C:\Windows\xplorer\xplorer.exe (process: 8462556c700bc757868598e6ac13aaa7825ca162033d3a03bdad2c2a190f5a71.exe)
File opened for modification: C:\Windows\xplorer\xplorer.exe (process: 8462556c700bc757868598e6ac13aaa7825ca162033d3a03bdad2c2a190f5a71.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (processes: reg.exe, xplorer.exe, 8462556c700bc757868598e6ac13aaa7825ca162033d3a03bdad2c2a190f5a71.exe, cmd.exe)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Token: SeDebugPrivilege, PID 1088 xplorer.exe (64 identical entries)
Suspicious use of SetWindowsHookEx (2 IoCs)
PID 3116: 8462556c700bc757868598e6ac13aaa7825ca162033d3a03bdad2c2a190f5a71.exe
PID 1088: xplorer.exe
Suspicious use of WriteProcessMemory (9 IoCs)
PID 3116 (8462556c700bc757868598e6ac13aaa7825ca162033d3a03bdad2c2a190f5a71.exe) wrote to memory of PID 388, procid_target 84 (3 entries)
PID 388 (cmd.exe) wrote to memory of PID 2236, procid_target 87 (3 entries)
PID 3116 (8462556c700bc757868598e6ac13aaa7825ca162033d3a03bdad2c2a190f5a71.exe) wrote to memory of PID 1088, procid_target 88 (3 entries)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\8462556c700bc757868598e6ac13aaa7825ca162033d3a03bdad2c2a190f5a71.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8462556c700bc757868598e6ac13aaa7825ca162033d3a03bdad2c2a190f5a71.exe"
    PID: 3116
    - Checks computer location settings
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OSYEF.bat" "
        PID: 388
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\reg.exe
            Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "xplorer" /t REG_SZ /d "C:\Windows\xplorer\xplorer.exe" /f
            PID: 2236
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery

    [2] C:\Windows\xplorer\xplorer.exe
        Command line: "C:\Windows\xplorer\xplorer.exe"
        PID: 1088
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 124B
MD5: 4e6e99d38b1264af2b53a68c7cd6d648
SHA1: 55ffe17732d1d9c539d702a1311ef9674fe7b3cf
SHA256: 168d9cdf4849fde3b4817db207e60934b6c877be439289f3fb3a4eb9e4326ff0
SHA512: bde21abed1bfc3dbdd6afc83614aa27c3f33dfbb434e139523ac57ecd84875b0e96a241f5828eda0b055f787ec7f95850b0f4ab0ee752ac36484b2bfd78a859d

Filesize: 11KB
MD5: f0f2624f0e38e34c783f57a5ca2a6c7b
SHA1: 82b8b780ddbab0a40ac8379cbf89a5a5d53eff69
SHA256: 59bac6f5a3c45206624e48bef16190671fdebd0aaeb03b5788aa7a19cbe5a6f4
SHA512: 11661ec33014bc23d5d4bef67cfb45e7601d2f6b6cdf630d0417c2a5f084bad5f36e0db079c142aa2f993d5785bc67a72b52a334acced06e06fd5fc17e299634