Analysis
max time kernel: 133s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-08-2024 16:34
Static task: static1
Behavioral task: behavioral1
  Sample: PekzLOG.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: PekzLOG.exe
  Resource: win10v2004-20240802-en
General
Target: PekzLOG.exe
Size: 535KB
MD5: 5504cead28af15658cd2c26c358759e6
SHA1: 5d444a6f79f1ce9069c4a940687ced21b96e616c
SHA256: f2cea2ace90fadcf5ee82ed9ebc1f7dc577a3b1fbce75b2831c1b170879d5494
SHA512: ce79c86f3ac81b9e8786e49af78b13f1804635d64d19d2798b00e05b201433c0297a99cf09fabe4f05ddd0c4327ed72982049fbee4b209724de543bfd20ac188
SSDEEP: 12288:PDcHFdwvfQky4ng/q2cTvw/oXTQUxTkGAVTeTveexB2sOr:PDcHF6XHBeWUoXv5lokee+r
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, most likely a geofence check used to decide whether to run on this host.
Processes: PekzLOG.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | PekzLOG.exe
Obfuscated with Agile.Net obfuscator (2 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource | yara_rule
behavioral2/memory/4308-5-0x000000001B6A0000-0x000000001B7E2000-memory.dmp | agile_net
C:\Users\Admin\AppData\Local\Temp\1239694C.dll | agile_net
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: PekzLOG.exe
description | pid | process
Token: SeDebugPrivilege | 4308 | PekzLOG.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: PekzLOG.exe, cmd.exe
description | pid | process | target process
PID 4308 wrote to memory of 664 | 4308 | PekzLOG.exe | cmd.exe
PID 4308 wrote to memory of 664 | 4308 | PekzLOG.exe | cmd.exe
PID 664 wrote to memory of 1160 | 664 | cmd.exe | choice.exe
PID 664 wrote to memory of 1160 | 664 | cmd.exe | choice.exe
Processes
C:\Users\Admin\AppData\Local\Temp\PekzLOG.exe
  "C:\Users\Admin\AppData\Local\Temp\PekzLOG.exe"
  PID: 4308
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1239694C.dll" /A:H
      PID: 664
      - Suspicious use of WriteProcessMemory
      └ C:\Windows\system32\choice.exe
          choice /C Y /N /D Y /T 3
          PID: 1160
The cmd.exe chain is a delayed clean-up of the dropped DLL: choice /T 3 with a default answer waits three seconds, then Del removes 1239694C.dll (the file flagged by the agile_net rule above) from the sample's own Temp directory, with /A:H selecting it even if it carries the hidden attribute.
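The two behaviours above that survive renaming and obfuscation are the delayed self-clean (a choice/timeout/ping delay chained with del) and the Geo\Nation registry query. The following is an added example, not part of the sandbox report or the sample: a Python detector run over constructed Sysmon-style process-creation and registry-query records that mirror the report's process tree and IoC. The record field names, the parent PID 1234, and the benign control rows are assumptions; the detector also generalises beyond choice to the timeout and ping delay idioms.

```python
import ntpath
import re

# Constructed process-creation records in a Sysmon-like shape (not the sandbox's raw
# telemetry). The first three rows mirror the process tree in the report; the fourth
# is a benign control (a plain del with no delay) that must not fire.
PROC_EVENTS = [
    {"pid": 4308, "ppid": 1234, "image": r"C:\Users\Admin\AppData\Local\Temp\PekzLOG.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\PekzLOG.exe"'},
    {"pid": 664, "ppid": 4308, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1239694C.dll" /A:H'},
    {"pid": 1160, "ppid": 664, "image": r"C:\Windows\system32\choice.exe",
     "cmdline": r"choice /C Y /N /D Y /T 3"},
    {"pid": 2000, "ppid": 1500, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C del C:\Temp\old.log'},
]

# Constructed registry-query records; the first mirrors the report's geofence IoC,
# the second is a benign control.
REG_EVENTS = [
    {"pid": 4308, "image": r"C:\Users\Admin\AppData\Local\Temp\PekzLOG.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation"},
    {"pid": 999, "image": r"C:\Windows\explorer.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Classes"},
]

# A delay primitive heading a cmd chain: choice /T n, timeout /t n, or ping -n n.
DELAY_RE = re.compile(r"^(?:choice\b.*\s/T\s*\d+|timeout\b.*\s/t\s*\d+|ping\b.*\s-n\s*\d+)", re.I)
DEL_RE = re.compile(r"^(?:del|erase)\b(.*)$", re.I)
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)


def split_cmd_chain(cmdline):
    """Return the commands chained with '&' after cmd.exe's /C or /K switch."""
    m = re.search(r"\s/[CK]\s+(.*)$", cmdline, re.I)
    body = m.group(1) if m else cmdline
    return [seg.strip() for seg in re.split(r"\s*&+\s*", body) if seg.strip()]


def delete_target(segment):
    """If the segment is a del/erase command, return the first non-switch argument."""
    m = DEL_RE.match(segment)
    if not m:
        return None
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', m.group(1)):
        value = quoted or bare
        if not value.startswith("/"):
            return value
    return None


def detect_delayed_delete(event, parent_image=None):
    """Flag cmd.exe chains that wait and then delete a file (self-clean pattern)."""
    if not event["image"].lower().endswith("cmd.exe"):
        return None
    segments = split_cmd_chain(event["cmdline"])
    delay_idx = next((i for i, s in enumerate(segments) if DELAY_RE.match(s)), None)
    if delay_idx is None:
        return None
    for seg in segments[delay_idx + 1:]:
        target = delete_target(seg)
        if target:
            same_dir = None
            if parent_image:
                # Deleting from the parent's own directory is the strongest self-clean signal.
                same_dir = ntpath.dirname(target).lower() == ntpath.dirname(parent_image).lower()
            return {"pid": event["pid"], "target": target, "delay_cmd": segments[delay_idx],
                    "hidden_attr": "/a:h" in seg.lower(), "same_dir_as_parent": same_dir}
    return None


def detect_geo_lookup(reg_event):
    """True when the queried key is the per-user Geo\\Nation country code."""
    return bool(GEO_KEY_RE.search(reg_event["key"]))


def run(proc_events, reg_events):
    """Correlate both event streams and return (signature, detail) findings."""
    by_pid = {e["pid"]: e for e in proc_events}
    findings = []
    for ev in proc_events:
        parent = by_pid.get(ev["ppid"])
        hit = detect_delayed_delete(ev, parent["image"] if parent else None)
        if hit:
            findings.append(("delayed_self_delete", hit))
    for rv in reg_events:
        if detect_geo_lookup(rv):
            findings.append(("geo_nation_lookup", {"pid": rv["pid"], "image": rv["image"]}))
    return findings


if __name__ == "__main__":
    for sig, detail in run(PROC_EVENTS, REG_EVENTS):
        print(sig, detail)
```

The parent-directory check is what separates this sample's clean-up from ordinary scripted housekeeping: a del whose target sits beside the parent's own image, after a deliberate delay, is almost always a dropper removing its payload once the payload has been loaded.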
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 584KB
MD5: feb5236bd41cc5f9cfc5b5dc25e66d25
SHA1: 6e3f599e8a57733655ddaa7703bbe939fd447216
SHA256: 6b64d5962e50dd590831dd7fbc6a09196fe03696d2767fc6416ac11edd2e0593
SHA512: 8e250045bf4acccd05ea0fddb54c936b9a1c7e25995f09815d31a86fbf9d28d17e71c33990420aa660e885c3950095499cf51d6944c4dd2735b2f993eb0b9507