Analysis
max time kernel: 118s
max time network: 104s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/08/2024, 09:50
Behavioral task behavioral1
Sample: afa97b6dbd655a5717f6d6a7122d6a40N.exe
Resource: win7-20240704-en
Behavioral task behavioral2
Sample: afa97b6dbd655a5717f6d6a7122d6a40N.exe
Resource: win10v2004-20240802-en
General
Target: afa97b6dbd655a5717f6d6a7122d6a40N.exe
Size: 161KB
MD5: afa97b6dbd655a5717f6d6a7122d6a40
SHA1: 591c325a627ec08b485d843eb85d5335aec67d0f
SHA256: e60984f9b1bcc7b2159e84525a9fe8121eb0302bc3b3b2e20b7de076e2a6f9bf
SHA512: b39e71cb8f3cf7bffd51a522753344831bdf05729f0228015eb55e053ec53c5ac4ef6c5121689a34bcb3d58366bbce6549cd9a28a0849cb89019b5eefbb6e7b5
SSDEEP: 3072:i5SVkkgUWib1UC7AdYzrV+Dljy/32ubwZZqJ:pUquCkdYzrVolu/J0ZZ
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | afa97b6dbd655a5717f6d6a7122d6a40N.exe
Executes dropped EXE (3 IoCs)
pid | Process
4592 | WindowsService.exe
4564 | WindowsService.exe
1340 | WindowsService.exe
resource | yara_rule
behavioral2/memory/2516-0-0x0000000000400000-0x000000000043C000-memory.dmp | upx
behavioral2/memory/2516-4-0x0000000000400000-0x000000000043C000-memory.dmp | upx
behavioral2/memory/1540-6-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/1540-8-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/2516-10-0x0000000000400000-0x000000000043C000-memory.dmp | upx
behavioral2/memory/1540-11-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/files/0x0007000000023429-27.dat | upx
behavioral2/memory/4592-34-0x0000000000400000-0x000000000043C000-memory.dmp | upx
behavioral2/memory/1540-38-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/4592-42-0x0000000000400000-0x000000000043C000-memory.dmp | upx
behavioral2/memory/4592-41-0x0000000000400000-0x000000000043C000-memory.dmp | upx
behavioral2/memory/4592-40-0x0000000000400000-0x000000000043C000-memory.dmp | upx
behavioral2/memory/4592-55-0x0000000000400000-0x000000000043C000-memory.dmp | upx
behavioral2/memory/1540-57-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/4564-59-0x0000000000400000-0x000000000040B000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sidebar = "C:\\Users\\Admin\\AppData\\Roaming\\SystemWindows\\WindowsService.exe" | reg.exe
Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 2516 set thread context of 1540 | 2516 | afa97b6dbd655a5717f6d6a7122d6a40N.exe | 91
PID 4592 set thread context of 4564 | 4592 | WindowsService.exe | 99
PID 4592 set thread context of 1340 | 4592 | WindowsService.exe | 100
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | afa97b6dbd655a5717f6d6a7122d6a40N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WindowsService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WindowsService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WindowsService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | afa97b6dbd655a5717f6d6a7122d6a40N.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process | entries
Token: SeDebugPrivilege | 4564 | WindowsService.exe | 64 (identical rows, collapsed)
Suspicious use of SetWindowsHookEx (4 IoCs)
pid | Process
2516 | afa97b6dbd655a5717f6d6a7122d6a40N.exe
1540 | afa97b6dbd655a5717f6d6a7122d6a40N.exe
4592 | WindowsService.exe
4564 | WindowsService.exe
Suspicious use of WriteProcessMemory (39 IoCs; identical rows collapsed, count in the last column)
description | pid | Process | procid_target | entries
PID 2516 wrote to memory of 1540 | 2516 | afa97b6dbd655a5717f6d6a7122d6a40N.exe | 91 | 8
PID 1540 wrote to memory of 4816 | 1540 | afa97b6dbd655a5717f6d6a7122d6a40N.exe | 94 | 3
PID 4816 wrote to memory of 3152 | 4816 | cmd.exe | 97 | 3
PID 1540 wrote to memory of 4592 | 1540 | afa97b6dbd655a5717f6d6a7122d6a40N.exe | 98 | 3
PID 4592 wrote to memory of 4564 | 4592 | WindowsService.exe | 99 | 8
PID 4592 wrote to memory of 1340 | 4592 | WindowsService.exe | 100 | 14
Processes
C:\Users\Admin\AppData\Local\Temp\afa97b6dbd655a5717f6d6a7122d6a40N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\afa97b6dbd655a5717f6d6a7122d6a40N.exe"
  PID: 2516
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\afa97b6dbd655a5717f6d6a7122d6a40N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\afa97b6dbd655a5717f6d6a7122d6a40N.exe"
    PID: 1540
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JBSKG.bat" "
      PID: 4816
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe" /f
        PID: 3152
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
      Command line: "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
      PID: 4592
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
        Command line: "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
        PID: 4564
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

      C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
        Command line: "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
        PID: 1340
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 157B
MD5: f6a90c20834f271a907a4e2bc28184c2
SHA1: 36c9d1602b74f622346fbb22693597d7889df48d
SHA256: 73f29cd953eee40cea4de67842556ffd96efe8094a6a9b70f33a35df2582febd
SHA512: 39cabae19fe1faa37455e4bd242c868be60d6252b07f01224b3f7501c3cf734e503300b840d83381a452707cab6df2f95f920655884be56d4024676b26943804

Filesize: 161KB
MD5: 64430b5e6cf042484f77c8f39035da7f
SHA1: aff7b5c6adab5ec6db97f258a2a2906f3ab29a63
SHA256: 75a26fded94692a9cb96ba3ddd191e5a323397f07379e3fe5a998ba2381089a6
SHA512: c3e305af6adc1cee1a65b6a121a9b1dbf0dd13e48091089f1bf4a742b448775c0351febd694a548bdc2a6ced4c33f9046dac2c7dde63c713c2db9fb5d3eacadc