Analysis
max time kernel: 118s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-08-2024 21:05
Static task: static1
Behavioral task: behavioral1
Sample: 54df5e1d18f36a2d11eb1687d15a80d0N.exe
Resource: win7-20240704-en

General
Target: 54df5e1d18f36a2d11eb1687d15a80d0N.exe
Size: 88KB
MD5: 54df5e1d18f36a2d11eb1687d15a80d0
SHA1: be4c702e9f5b23a02e037bcc6725ea8dae540b71
SHA256: 2d4f592791dcc72fa4b58c7106a705e7649387f326b6d69db774361a99fae8c2
SHA512: 5e8712dcf2c4324c6d76d4dc0bf3f8ad3c26dec4c16595b4201585766eb17a2789cbc90cb60416aceac101f252676996f1bd55e77238babd3c32a265740d2a87
SSDEEP: 1536:t5piVnDXkTbhCtaB6GVA/bVQPxfgiqfoOonoKg+yOH5y/yE3:6D0ctAVA/bmxIMnoKjyR/N3
Malware Config

Signatures

Detects Andromeda payload. 2 IoCs
  resource / yara_rule:
  behavioral2/memory/1648-62-0x0000000000280000-0x0000000000285000-memory.dmp  family_andromeda
  behavioral2/memory/1648-66-0x0000000000280000-0x0000000000285000-memory.dmp  family_andromeda

Adds policy Run key to start application 2 TTPs 2 IoCs
  description / ioc / Process:
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run  svchost.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\10070 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\mskotbvk.scr"  svchost.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
  description / ioc / Process:
  Key value queried  \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation  54df5e1d18f36a2d11eb1687d15a80d0N.exe

Executes dropped EXE 3 IoCs
  pid / Process:
  5116  winlogonr.exe
  3448  winlogonr.exe
  220   winlogonr.exe

Matches yara rule upx 6 IoCs
  resource / yara_rule:
  behavioral2/memory/4508-8-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral2/memory/4508-10-0x0000000000400000-0x000000000040B000-memory.dmp  upx
  behavioral2/memory/4508-12-0x0000000000400000-0x000000000040B000-memory.dmp  upx
  behavioral2/memory/4508-38-0x0000000000400000-0x000000000040B000-memory.dmp  upx
  behavioral2/memory/4508-54-0x0000000000400000-0x000000000040B000-memory.dmp  upx
  behavioral2/memory/3448-68-0x0000000000400000-0x000000000040B000-memory.dmp  upx

Adds Run key to start application 2 TTPs 1 IoCs
  description / ioc / Process:
  Set value (str)  \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\winlogonr\\winlogonr.exe"  reg.exe

Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
  description / ioc / Process:
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum   winlogonr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0  winlogonr.exe

Suspicious use of SetThreadContext 3 IoCs
  description / pid / Process / procid_target:
  PID 3664 set thread context of 4508  3664  54df5e1d18f36a2d11eb1687d15a80d0N.exe  102
  PID 5116 set thread context of 3448  5116  winlogonr.exe  111
  PID 5116 set thread context of 220   5116  winlogonr.exe  112

Drops file in Program Files directory 1 IoCs
  description / ioc / Process:
  File created  C:\PROGRA~3\LOCALS~1\Temp\mskotbvk.scr  svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  54df5e1d18f36a2d11eb1687d15a80d0N.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  54df5e1d18f36a2d11eb1687d15a80d0N.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  reg.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  winlogonr.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  winlogonr.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  winlogonr.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
  pid / Process:
  220  winlogonr.exe
  220  winlogonr.exe

Suspicious behavior: MapViewOfSection 2 IoCs
  pid / Process:
  220  winlogonr.exe
  220  winlogonr.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs
  description / pid / Process (56 identical events, collapsed):
  Token: SeDebugPrivilege  3448  winlogonr.exe  (x56)

Suspicious use of SetWindowsHookEx 4 IoCs
  pid / Process:
  3664  54df5e1d18f36a2d11eb1687d15a80d0N.exe
  4508  54df5e1d18f36a2d11eb1687d15a80d0N.exe
  5116  winlogonr.exe
  3448  winlogonr.exe

Suspicious use of WriteProcessMemory 34 IoCs
  description / pid / Process / procid_target (repeated events collapsed, count in parentheses):
  PID 3664 wrote to memory of 4508  3664  54df5e1d18f36a2d11eb1687d15a80d0N.exe  102  (x8)
  PID 4508 wrote to memory of 5028  4508  54df5e1d18f36a2d11eb1687d15a80d0N.exe  103  (x3)
  PID 5028 wrote to memory of 4460  5028  cmd.exe        106  (x3)
  PID 4508 wrote to memory of 5116  4508  54df5e1d18f36a2d11eb1687d15a80d0N.exe  107  (x3)
  PID 5116 wrote to memory of 3448  5116  winlogonr.exe  111  (x8)
  PID 5116 wrote to memory of 220   5116  winlogonr.exe  112  (x6)
  PID 220 wrote to memory of 1648   220   winlogonr.exe  113  (x3)
Processes

C:\Users\Admin\AppData\Local\Temp\54df5e1d18f36a2d11eb1687d15a80d0N.exe
  "C:\Users\Admin\AppData\Local\Temp\54df5e1d18f36a2d11eb1687d15a80d0N.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3664

  C:\Users\Admin\AppData\Local\Temp\54df5e1d18f36a2d11eb1687d15a80d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\54df5e1d18f36a2d11eb1687d15a80d0N.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4508

    C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NLPKS.bat" "
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 5028

      C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "winlogon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe" /f
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        PID: 4460

    C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe
      "C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 5116

      C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe
        "C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        PID: 3448

      C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe
        "C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe"
        - Executes dropped EXE
        - Maps connected drives based on registry
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        PID: 220

        C:\Windows\SysWOW64\svchost.exe
          C:\Windows\syswow64\svchost.exe
          - Adds policy Run key to start application
          - Drops file in Program Files directory
          - System Location Discovery: System Language Discovery
          PID: 1648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4088,i,1828333185976713750,7918646547767660928,262144 --variations-seed-version --mojo-platform-channel-handle=4384 /prefetch:8
  PID: 2232
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 149B
MD5: 6831b89d0b8dc3e07588d733e75c122b
SHA1: 8c70088c3224bbaf535ed19ec0f6bd5231c543be
SHA256: 9fe102f2c6dff35f03787b85f725d12347cf491c897730a7f2e818f65177ffc2
SHA512: 699fb44a25032ee4ad0ace1f941c826b333baddb65049c22e80b272909e85f4c8a00fef73fe2d97fa8998a0b6969b13461237bfc1e8f9bf711849d17d0cda6da

Filesize: 88KB
MD5: 747e926dfb9874624e450458ff387469
SHA1: d807e3d63f0c3d4d998b377d04ff3e317e3d2368
SHA256: 604f5039a41f793c6b465c99f200e7d61b006f0a00f7f220151fefdefa1a386a
SHA512: 8d6ebdf02d07128e5b82f6d088a84f06b20298d977f0a3a1d7d495774f328b204a12bf3d715e592b1855986452f315043095aaa520486c981d5760360c28b574