Analysis

max time kernel: 119s
max time network: 106s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-08-2024 13:52

Static task: static1
Behavioral task: behavioral1
Sample: 8ab84636acd4409404c7d2da1ddb0a50N.exe
Resource: win7-20240704-en
General

Target: 8ab84636acd4409404c7d2da1ddb0a50N.exe
Size: 88KB
MD5: 8ab84636acd4409404c7d2da1ddb0a50
SHA1: ec6e40da89afb0c7ac31d57740af0b59382c812b
SHA256: ce30de4b8ae839f956adb07c24635cd872c5ed6d8b895940a22bbde00ea68a93
SHA512: c7d10e7b60c177e194509b2fce34dd9c572a76a60ba9c7d9d5f6bb5fd500ad0793a40d72d52d1bce15e70a7065c5cdf3a7d94bfb0380603a79e567485c7478a2
SSDEEP: 1536:t5piVnDXkTbhCtaB6GVA/bVQPxfgiqfoOonoKg+yOH5y/yEi:6D0ctAVA/bmxIMnoKjyR/Ni
Malware Config
Signatures

Detects Andromeda payload (2 IoCs)
  resource: behavioral2/memory/936-62-0x00000000005F0000-0x00000000005F5000-memory.dmp, yara_rule: family_andromeda
  resource: behavioral2/memory/936-66-0x00000000005F0000-0x00000000005F5000-memory.dmp, yara_rule: family_andromeda

Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: svchost.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\49253 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\msnwyomu.scr" (process: svchost.exe)

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation (process: 8ab84636acd4409404c7d2da1ddb0a50N.exe)

Executes dropped EXE (3 IoCs)
  PID 544 winlogonr.exe
  PID 4528 winlogonr.exe
  PID 4636 winlogonr.exe

YARA rule matches: upx (6 IoCs)
  resource: behavioral2/memory/1872-7-0x0000000000400000-0x000000000040B000-memory.dmp
  resource: behavioral2/memory/1872-9-0x0000000000400000-0x000000000040B000-memory.dmp
  resource: behavioral2/memory/1872-11-0x0000000000400000-0x000000000040B000-memory.dmp
  resource: behavioral2/memory/1872-37-0x0000000000400000-0x000000000040B000-memory.dmp
  resource: behavioral2/memory/1872-55-0x0000000000400000-0x000000000040B000-memory.dmp
  resource: behavioral2/memory/4528-67-0x0000000000400000-0x000000000040B000-memory.dmp

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\winlogonr\\winlogonr.exe" (process: reg.exe)

Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum (process: winlogonr.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (process: winlogonr.exe)

Suspicious use of SetThreadContext (3 IoCs)
  PID 4976 set thread context of 1872 (4976 8ab84636acd4409404c7d2da1ddb0a50N.exe, procid_target 94)
  PID 544 set thread context of 4528 (544 winlogonr.exe, procid_target 101)
  PID 544 set thread context of 4636 (544 winlogonr.exe, procid_target 102)

Drops file in Program Files directory (1 IoC)
  File created: C:\PROGRA~3\LOCALS~1\Temp\msnwyomu.scr (process: svchost.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 8ab84636acd4409404c7d2da1ddb0a50N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: reg.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: winlogonr.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: winlogonr.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: winlogonr.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: svchost.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 8ab84636acd4409404c7d2da1ddb0a50N.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 4636 winlogonr.exe
  PID 4636 winlogonr.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
  PID 4636 winlogonr.exe
  PID 4636 winlogonr.exe

Suspicious use of AdjustPrivilegeToken (56 IoCs)
  Token: SeDebugPrivilege, PID 4528 winlogonr.exe (56 identical entries)

Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 4976 8ab84636acd4409404c7d2da1ddb0a50N.exe
  PID 1872 8ab84636acd4409404c7d2da1ddb0a50N.exe
  PID 544 winlogonr.exe
  PID 4528 winlogonr.exe

Suspicious use of WriteProcessMemory (34 IoCs)
  PID 4976 wrote to memory of 1872 (4976 8ab84636acd4409404c7d2da1ddb0a50N.exe, procid_target 94), 8 entries
  PID 1872 wrote to memory of 1948 (1872 8ab84636acd4409404c7d2da1ddb0a50N.exe, procid_target 95), 3 entries
  PID 1948 wrote to memory of 1592 (1948 cmd.exe, procid_target 98), 3 entries
  PID 1872 wrote to memory of 544 (1872 8ab84636acd4409404c7d2da1ddb0a50N.exe, procid_target 99), 3 entries
  PID 544 wrote to memory of 4528 (544 winlogonr.exe, procid_target 101), 8 entries
  PID 544 wrote to memory of 4636 (544 winlogonr.exe, procid_target 102), 6 entries
  PID 4636 wrote to memory of 936 (4636 winlogonr.exe, procid_target 103), 3 entries
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\8ab84636acd4409404c7d2da1ddb0a50N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8ab84636acd4409404c7d2da1ddb0a50N.exe"
  PID: 4976
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\8ab84636acd4409404c7d2da1ddb0a50N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8ab84636acd4409404c7d2da1ddb0a50N.exe"
    PID: 1872
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OMQLS.bat" "
      PID: 1948
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "winlogon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe" /f
        PID: 1592
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery

    Depth 3: C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe
      Command line: "C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe"
      PID: 544
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe
        Command line: "C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe"
        PID: 4528
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

      Depth 4: C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe
        Command line: "C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe"
        PID: 4636
        - Executes dropped EXE
        - Maps connected drives based on registry
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory

        Depth 5: C:\Windows\SysWOW64\svchost.exe
          Command line: C:\Windows\syswow64\svchost.exe
          PID: 936
          - Adds policy Run key to start application
          - Drops file in Program Files directory
          - System Location Discovery: System Language Discovery
Downloads

File 1: 149B
File 2: 88KB