Resubmissions
06/08/2024, 09:48
240806-ls68hswcqr 7
Analysis
max time kernel: 119s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/08/2024, 09:48
Tasks
Static task: static1
Behavioral task behavioral1: Sample 8f507d0fd5aca01dc96893901cf35a00N.exe, Resource win7-20240705-en
Behavioral task behavioral2: Sample 8f507d0fd5aca01dc96893901cf35a00N.exe, Resource win10v2004-20240802-en
General
Target: 8f507d0fd5aca01dc96893901cf35a00N.exe
Size: 11KB
MD5: 8f507d0fd5aca01dc96893901cf35a00
SHA1: 4a97ffae3d9cc27bfe5c6a180dba3232ea2932de
SHA256: 1167e1bc02116d970fc0507496cc176325278bdd4c61a673d1da3349870c0adc
SHA512: 869f408926dc910a688f4cab5d9b624d409c5ce23cbab21dad60c7cfc4786320c7404efada427e24216ea3769cd09feff7dde9bc4ac95ecd4a1162ee0e89ef60
SSDEEP: 192:Zg6eHLE5KxkDpnqKjIdtaCRYvRtCk1rE1Ty68A3CuYYpZ7E:G6eHIAx0pqNgHvRtoyhASuYYpZ7E
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation (process: 8f507d0fd5aca01dc96893901cf35a00N.exe)

Executes dropped EXE (1 IoC)
- PID 708: xplorer.exe

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xplorer = "C:\Windows\xplorer\xplorer.exe" (process: reg.exe)

Drops file in Windows directory (2 IoCs)
- File opened for modification: C:\Windows\xplorer\xplorer.exe (process: 8f507d0fd5aca01dc96893901cf35a00N.exe)
- File created: C:\Windows\xplorer\xplorer.exe (process: 8f507d0fd5aca01dc96893901cf35a00N.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: reg.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xplorer.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 8f507d0fd5aca01dc96893901cf35a00N.exe)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Token: SeDebugPrivilege (PID 708, xplorer.exe); the same entry is reported 64 times.

Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 1892: 8f507d0fd5aca01dc96893901cf35a00N.exe
- PID 708: xplorer.exe

Suspicious use of WriteProcessMemory (9 IoCs)
- PID 1892 wrote to memory of 552 (8f507d0fd5aca01dc96893901cf35a00N.exe, procid_target 86), reported 3 times
- PID 552 wrote to memory of 1080 (cmd.exe, procid_target 89), reported 3 times
- PID 1892 wrote to memory of 708 (8f507d0fd5aca01dc96893901cf35a00N.exe, procid_target 90), reported 3 times
Each of these writes is a parent writing into a child it has just created, matching the process tree below; that is what ordinary process creation looks like to this signature, so on their own they are not evidence of injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\8f507d0fd5aca01dc96893901cf35a00N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8f507d0fd5aca01dc96893901cf35a00N.exe"
  PID: 1892
  Signatures: Checks computer location settings; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HGTAJ.bat" "
    PID: 552
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "xplorer" /t REG_SZ /d "C:\Windows\xplorer\xplorer.exe" /f
      PID: 1080
      Signatures: Adds Run key to start application; System Location Discovery: System Language Discovery
  - C:\Windows\xplorer\xplorer.exe
    Command line: "C:\Windows\xplorer\xplorer.exe"
    PID: 708
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx

The command line asks for C:\Windows\system32\cmd.exe but the image that runs is C:\Windows\SysWOW64\cmd.exe: WOW64 file system redirection, which means the sample is a 32-bit process on this x64 guest (consistent with the arch:x86 tag above).
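Taken together, the signatures and the process tree describe one behaviour chain: an executable launched from the user's Temp folder writes xplorer.exe into a non-standard directory under C:\Windows, spawns cmd.exe to run a .bat that calls reg.exe to add an HKCU Run value pointing at the dropped file, and then executes that file. The Python below is an added example (not part of the sandbox report) of hunting rules for that chain over process-create, file-create and registry-set telemetry. The Event record layout and the SAMPLE records are constructed assumptions that loosely mirror Sysmon event IDs 1, 11 and 13; the PIDs, paths and command lines in SAMPLE are copied from the tree above, and the two extra records are constructed benign noise.

```python
"""Hunting rules for the drop -> Run key -> execute chain in this report. Added
example; Event layout and SAMPLE records are constructed Sysmon-like telemetry."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators taken from the report.
DROPPED_PATH = r"C:\Windows\xplorer\xplorer.exe"
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\8f507d0fd5aca01dc96893901cf35a00N.exe"
SID = "S-1-5-21-1194130065-3471212556-1656947724-1000"

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
USER_TEMP_RE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
# Where new executables legitimately appear under C:\Windows; an EXE created
# elsewhere (here C:\Windows\xplorer\) by a Temp-launched process is suspect.
WINDOWS_ALLOWED_RE = re.compile(
    r"^C:\\Windows\\(System32|SysWOW64|WinSxS|servicing|SoftwareDistribution)\\", re.I)

@dataclass
class Event:
    kind: str          # "process" | "file" | "registry"
    pid: int           # acting process ("process": the new child)
    ppid: int          # its parent
    image: str         # acting process image path
    cmdline: str = ""  # "process": command line of the new process
    target: str = ""   # "file": path created; "registry": key\value written
    data: str = ""     # "registry": value data

def rule_dropped_exe_in_windows_dir(events: List[Event]) -> List[str]:
    """EXE created under C:\\Windows outside system dirs by a Temp-launched process."""
    return [f"pid {e.pid} ({e.image}) created {e.target}" for e in events
            if e.kind == "file" and e.target.lower().endswith(".exe")
            and e.target.lower().startswith("c:\\windows\\")
            and not WINDOWS_ALLOWED_RE.match(e.target)
            and USER_TEMP_RE.match(e.image)]

def rule_run_key_to_dropped_file(events: List[Event]) -> List[str]:
    """Run value whose data is a file that a file-create event in the same telemetry produced."""
    created = {e.target.lower() for e in events if e.kind == "file"}
    return [f"pid {e.pid} ({e.image}) set {e.target} = {e.data}" for e in events
            if e.kind == "registry" and RUN_KEY_RE.search(e.target)
            and e.data.strip('"').lower() in created]

def rule_temp_exe_cmd_bat_reg_chain(events: List[Event]) -> List[str]:
    """Process chain <Temp>\\x.exe -> cmd.exe /c <file>.bat -> reg.exe ADD ...\\Run."""
    procs: Dict[int, Event] = {e.pid: e for e in events if e.kind == "process"}
    hits = []
    for e in procs.values():
        if not (e.image.lower().endswith("\\reg.exe")
                and re.search(r"\bADD\b.*CurrentVersion\\Run", e.cmdline, re.I)):
            continue
        parent = procs.get(e.ppid)
        if not (parent and parent.image.lower().endswith("\\cmd.exe")
                and re.search(r'/c\s+"*[^"]*\.bat', parent.cmdline, re.I)):
            continue
        grandparent = procs.get(parent.ppid)
        if grandparent and USER_TEMP_RE.match(grandparent.image):
            hits.append(f"{grandparent.image} -> {parent.image} -> {e.image} (pid {e.pid})")
    return hits

def rule_executes_dropped_exe(events: List[Event]) -> List[str]:
    """A process whose image file was created by its own parent."""
    created_by = {e.target.lower(): e.pid for e in events if e.kind == "file"}
    return [f"pid {e.pid} runs {e.image}, dropped by parent pid {e.ppid}" for e in events
            if e.kind == "process" and created_by.get(e.image.lower()) == e.ppid]

RULES = [rule_dropped_exe_in_windows_dir, rule_run_key_to_dropped_file,
         rule_temp_exe_cmd_bat_reg_chain, rule_executes_dropped_exe]

def hunt(events: List[Event]) -> Dict[str, List[str]]:
    """Return {rule name: findings} for every rule that fired."""
    out = {}
    for rule in RULES:
        hits = rule(events)
        if hits:
            out[rule.__name__] = hits
    return out

# Constructed records following the process tree above, plus a benign one.
SAMPLE = [
    Event("process", 1892, 4120, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    Event("file", 1892, 4120, SAMPLE_EXE, target=DROPPED_PATH),
    Event("process", 552, 1892, r"C:\Windows\SysWOW64\cmd.exe",
          r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HGTAJ.bat" "'),
    Event("process", 1080, 552, r"C:\Windows\SysWOW64\reg.exe",
          r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "xplorer" '
          r'/t REG_SZ /d "C:\Windows\xplorer\xplorer.exe" /f'),
    Event("registry", 1080, 552, r"C:\Windows\SysWOW64\reg.exe",
          target="HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\xplorer",
          data=DROPPED_PATH),
    Event("process", 708, 1892, DROPPED_PATH, f'"{DROPPED_PATH}"'),
    Event("file", 900, 4, r"C:\Windows\System32\svchost.exe",          # benign: Windows Update
          target=r"C:\Windows\SoftwareDistribution\Download\setup.exe"),
]

if __name__ == "__main__":
    for name, hits in hunt(SAMPLE).items():
        print(name, *hits, sep="\n  ")
```

The chain rule deliberately requires all three links (Temp-launched parent, cmd.exe running a .bat, reg.exe adding under Run), and the Run-key rule only fires when the value data names a file that a file-create event in the same telemetry produced, so an installer registering its own binary under Program Files does not trip it. Note that Sysmon records the key as HKU\<SID>\Software\..., whereas this report shows the native \REGISTRY\USER\<SID>\SOFTWARE\... form; RUN_KEY_RE is case-insensitive and anchored on the Software\...\Run\ suffix so it accepts both.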
Network
MITRE ATT&CK Enterprise v15
Downloads
The report lists two downloaded files by hash only; neither matches the hashes of the submitted sample above.

File 1
Filesize: 124B
MD5: 4e6e99d38b1264af2b53a68c7cd6d648
SHA1: 55ffe17732d1d9c539d702a1311ef9674fe7b3cf
SHA256: 168d9cdf4849fde3b4817db207e60934b6c877be439289f3fb3a4eb9e4326ff0
SHA512: bde21abed1bfc3dbdd6afc83614aa27c3f33dfbb434e139523ac57ecd84875b0e96a241f5828eda0b055f787ec7f95850b0f4ab0ee752ac36484b2bfd78a859d

File 2
Filesize: 11KB
MD5: 9fda11cfa1d9b9588f6c149c73b6ea4d
SHA1: 9d38f69ba381f19fc21e9b9f054af3ee89c035af
SHA256: 7bf97bf2c473c60623c6ac7bc99dd5ba3a5d661132a998085ac5d6f8ecf02f1f
SHA512: 8ef622b39918a406d04c319804e5186faf79277ee1a00efff95d0bfdd185bbf8141165d8688c49ac2278a7355ef2b2153eab6cd897cafd1717cb42c31600bbae