Analysis
Max time kernel: 149s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 18-08-2024 02:21
Static task: static1
Behavioral task: behavioral1
Sample: 98d2db31332c8db37598fda4b9204cda73e3010044b147e927f3a7d40242ebf6.exe
Resource: win7-20240729-en
General
Target: 98d2db31332c8db37598fda4b9204cda73e3010044b147e927f3a7d40242ebf6.exe
Size: 88KB
MD5: 852c0d00b8742475efd18efd62d20a78
SHA1: 843fb8261f66bc4217e7d2e07afbe4e069e1e7fd
SHA256: 98d2db31332c8db37598fda4b9204cda73e3010044b147e927f3a7d40242ebf6
SHA512: b4a62e31061e3b94387f8a217027c2d2bc65efe19ad272889638056ed55619a7a350c7af9f559d6c265f4408b2e46623d1e89ed4c4a19ada00b8684a32dca6f4
SSDEEP: 1536:t5piVnDXkTbhCtaB6GVA/bVQPxfgiqfoOonoKg+yOH5y/yEm:6D0ctAVA/bmxIMnoKjyR/Nm
Malware Config
Signatures
Detects Andromeda payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/2168-62-0x0000000000DF0000-0x0000000000DF5000-memory.dmp | family_andromeda
  behavioral2/memory/2168-66-0x0000000000DF0000-0x0000000000DF5000-memory.dmp | family_andromeda

Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\28070 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\mszfiibba.pif" | svchost.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | 98d2db31332c8db37598fda4b9204cda73e3010044b147e927f3a7d40242ebf6.exe

Executes dropped EXE (3 IoCs)
  pid | Process
  3124 | winlogonr.exe
  2756 | winlogonr.exe
  752 | winlogonr.exe

YARA rule match: upx (6 IoCs; the signature name for this block is not present on the page)
  resource | yara_rule
  behavioral2/memory/4588-8-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral2/memory/4588-10-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral2/memory/4588-12-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral2/memory/4588-38-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral2/memory/4588-54-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral2/memory/2756-68-0x0000000000400000-0x000000000040B000-memory.dmp | upx

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\winlogonr\\winlogonr.exe" | reg.exe

Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | winlogonr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | winlogonr.exe

Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 4024 set thread context of 4588 | 4024 | 98d2db31332c8db37598fda4b9204cda73e3010044b147e927f3a7d40242ebf6.exe | 94
  PID 3124 set thread context of 2756 | 3124 | winlogonr.exe | 101
  PID 3124 set thread context of 752 | 3124 | winlogonr.exe | 102

Drops file in Program Files directory (1 IoC)
  description | ioc | Process
  File created | C:\PROGRA~3\LOCALS~1\Temp\mszfiibba.pif | svchost.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogonr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogonr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogonr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 98d2db31332c8db37598fda4b9204cda73e3010044b147e927f3a7d40242ebf6.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 98d2db31332c8db37598fda4b9204cda73e3010044b147e927f3a7d40242ebf6.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  752 | winlogonr.exe
  752 | winlogonr.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
  pid | Process
  752 | winlogonr.exe
  752 | winlogonr.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs; all 64 entries are identical)
  description | pid | Process
  Token: SeDebugPrivilege | 2756 | winlogonr.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | Process
  4024 | 98d2db31332c8db37598fda4b9204cda73e3010044b147e927f3a7d40242ebf6.exe
  4588 | 98d2db31332c8db37598fda4b9204cda73e3010044b147e927f3a7d40242ebf6.exe
  3124 | winlogonr.exe
  2756 | winlogonr.exe

Suspicious use of WriteProcessMemory (34 IoCs; identical entries are grouped, with the number of occurrences in the last column)
  description | pid | Process | procid_target | occurrences
  PID 4024 wrote to memory of 4588 | 4024 | 98d2db31332c8db37598fda4b9204cda73e3010044b147e927f3a7d40242ebf6.exe | 94 | 8
  PID 4588 wrote to memory of 4272 | 4588 | 98d2db31332c8db37598fda4b9204cda73e3010044b147e927f3a7d40242ebf6.exe | 95 | 3
  PID 4272 wrote to memory of 3436 | 4272 | cmd.exe | 98 | 3
  PID 4588 wrote to memory of 3124 | 4588 | 98d2db31332c8db37598fda4b9204cda73e3010044b147e927f3a7d40242ebf6.exe | 99 | 3
  PID 3124 wrote to memory of 2756 | 3124 | winlogonr.exe | 101 | 8
  PID 3124 wrote to memory of 752 | 3124 | winlogonr.exe | 102 | 6
  PID 752 wrote to memory of 2168 | 752 | winlogonr.exe | 103 | 3
Processes
(indentation shows the parent/child relationship; the number in brackets is the depth in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\98d2db31332c8db37598fda4b9204cda73e3010044b147e927f3a7d40242ebf6.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\98d2db31332c8db37598fda4b9204cda73e3010044b147e927f3a7d40242ebf6.exe"
    PID: 4024
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\98d2db31332c8db37598fda4b9204cda73e3010044b147e927f3a7d40242ebf6.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\98d2db31332c8db37598fda4b9204cda73e3010044b147e927f3a7d40242ebf6.exe"
        PID: 4588
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BFAIU.bat" "
            PID: 4272
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\reg.exe
                Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "winlogon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe" /f
                PID: 3436
                - Adds Run key to start application
                - System Location Discovery: System Language Discovery

        [3] C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe
            Command line: "C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe"
            PID: 3124
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe
                Command line: "C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe"
                PID: 2756
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx

            [4] C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe
                Command line: "C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe"
                PID: 752
                - Executes dropped EXE
                - Maps connected drives based on registry
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\svchost.exe
                    Command line: C:\Windows\syswow64\svchost.exe
                    PID: 2168
                    - Adds policy Run key to start application
                    - Drops file in Program Files directory
                    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 149B
MD5: 6831b89d0b8dc3e07588d733e75c122b
SHA1: 8c70088c3224bbaf535ed19ec0f6bd5231c543be
SHA256: 9fe102f2c6dff35f03787b85f725d12347cf491c897730a7f2e818f65177ffc2
SHA512: 699fb44a25032ee4ad0ace1f941c826b333baddb65049c22e80b272909e85f4c8a00fef73fe2d97fa8998a0b6969b13461237bfc1e8f9bf711849d17d0cda6da
-
Filesize: 88KB
MD5: 6879bee6b43775b22fc3743cc4577f6a
SHA1: 9e72815218994ee528beecbaf97dacd9c9ee825c
SHA256: ad3d88f86aa3b83fff3e7ed67eddc1d47e363630ab473da948d2ac0187bee302
SHA512: 6b57d084d19322ddcb550ecf52ff83d4a42453c97ab1269f994eea2717d0a5f05d5762a4eed4c6a89de9aeb8bdf43651cf95eb5111dba13d62b69a1a2df17b91