Overview
overview
7Static
static
1WinX/Group...op.lnk
windows7-x64
3WinX/Group...op.lnk
windows10-2004-x64
7WinX/Group...un.lnk
windows7-x64
3WinX/Group...un.lnk
windows10-2004-x64
7WinX/Group...ch.lnk
windows7-x64
3WinX/Group...ch.lnk
windows10-2004-x64
7WinX/Group...er.lnk
windows7-x64
3WinX/Group...er.lnk
windows10-2004-x64
7WinX/Group...el.lnk
windows7-x64
3WinX/Group...el.lnk
windows10-2004-x64
3WinX/Group...er.lnk
windows7-x64
3WinX/Group...er.lnk
windows10-2004-x64
7WinX/Group...ll.lnk
windows7-x64
3WinX/Group...ll.lnk
windows10-2004-x64
7WinX/Group...ll.lnk
windows7-x64
3WinX/Group...ll.lnk
windows10-2004-x64
7WinX/Group...nt.lnk
windows7-x64
5WinX/Group...nt.lnk
windows10-2004-x64
7WinX/Group...nt.lnk
windows7-x64
5WinX/Group...nt.lnk
windows10-2004-x64
7WinX/Group...us.lnk
windows7-x64
3WinX/Group...us.lnk
windows10-2004-x64
3WinX/Group...er.lnk
windows7-x64
5WinX/Group...er.lnk
windows10-2004-x64
7WinX/Group...ut.lnk
windows7-x64
3WinX/Group...ut.lnk
windows10-2004-x64
3WinX/Group...er.lnk
windows7-x64
5WinX/Group...er.lnk
windows10-2004-x64
7WinX/Group...ep.lnk
windows7-x64
3WinX/Group...ep.lnk
windows10-2004-x64
3WinX/Group...er.lnk
windows7-x64
3WinX/Group...er.lnk
windows10-2004-x64
7Analysis
-
max time kernel
138s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
29-08-2024 17:45
Static task
static1
Behavioral task
behavioral1
Sample
WinX/Group1/1 - Desktop.lnk
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
WinX/Group1/1 - Desktop.lnk
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
WinX/Group2/1 - Run.lnk
Resource
win7-20240704-en
Behavioral task
behavioral4
Sample
WinX/Group2/1 - Run.lnk
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
WinX/Group2/2 - Search.lnk
Resource
win7-20240705-en
Behavioral task
behavioral6
Sample
WinX/Group2/2 - Search.lnk
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
WinX/Group2/3 - Windows Explorer.lnk
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
WinX/Group2/3 - Windows Explorer.lnk
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
WinX/Group2/4 - Control Panel.lnk
Resource
win7-20240705-en
Behavioral task
behavioral10
Sample
WinX/Group2/4 - Control Panel.lnk
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
WinX/Group2/5 - Task Manager.lnk
Resource
win7-20240704-en
Behavioral task
behavioral12
Sample
WinX/Group2/5 - Task Manager.lnk
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
WinX/Group3/01a - Windows PowerShell.lnk
Resource
win7-20240704-en
Behavioral task
behavioral14
Sample
WinX/Group3/01a - Windows PowerShell.lnk
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
WinX/Group3/02a - Windows PowerShell.lnk
Resource
win7-20240708-en
Behavioral task
behavioral16
Sample
WinX/Group3/02a - Windows PowerShell.lnk
Resource
win10v2004-20240802-en
Behavioral task
behavioral17
Sample
WinX/Group3/03 - Computer Management.lnk
Resource
win7-20240704-en
Behavioral task
behavioral18
Sample
WinX/Group3/03 - Computer Management.lnk
Resource
win10v2004-20240802-en
Behavioral task
behavioral19
Sample
WinX/Group3/04 - Disk Management.lnk
Resource
win7-20240708-en
Behavioral task
behavioral20
Sample
WinX/Group3/04 - Disk Management.lnk
Resource
win10v2004-20240802-en
Behavioral task
behavioral21
Sample
WinX/Group3/04-1 - NetworkStatus.lnk
Resource
win7-20240729-en
Behavioral task
behavioral22
Sample
WinX/Group3/04-1 - NetworkStatus.lnk
Resource
win10v2004-20240802-en
Behavioral task
behavioral23
Sample
WinX/Group3/05 - Device Manager.lnk
Resource
win7-20240705-en
Behavioral task
behavioral24
Sample
WinX/Group3/05 - Device Manager.lnk
Resource
win10v2004-20240802-en
Behavioral task
behavioral25
Sample
WinX/Group3/06 - SystemAbout.lnk
Resource
win7-20240708-en
Behavioral task
behavioral26
Sample
WinX/Group3/06 - SystemAbout.lnk
Resource
win10v2004-20240802-en
Behavioral task
behavioral27
Sample
WinX/Group3/07 - Event Viewer.lnk
Resource
win7-20240704-en
Behavioral task
behavioral28
Sample
WinX/Group3/07 - Event Viewer.lnk
Resource
win10v2004-20240802-en
Behavioral task
behavioral29
Sample
WinX/Group3/08 - PowerAndSleep.lnk
Resource
win7-20240704-en
Behavioral task
behavioral30
Sample
WinX/Group3/08 - PowerAndSleep.lnk
Resource
win10v2004-20240802-en
Behavioral task
behavioral31
Sample
WinX/Group3/09 - Mobility Center.lnk
Resource
win7-20240729-en
Behavioral task
behavioral32
Sample
WinX/Group3/09 - Mobility Center.lnk
Resource
win10v2004-20240802-en
General
-
Target
WinX/Group3/07 - Event Viewer.lnk
-
Size
1015B
-
MD5
37cef1a4002761c06890417f603c32cf
-
SHA1
828b4a8021faba52a2efce55c56318dbd9c9b2dd
-
SHA256
60e2965c8f44800f649a9555b713e0d703423445f21ecc23bbab148fcba677d5
-
SHA512
274762a0849dbe230b135070a2cc76d9a5b7309be649e480cc89d877ec29fde8a9f4d9ccad51e578dd0d06ba3cc20b6fae94e2d586adad45f01da1ad29ef41d6
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation cmd.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\eventvwr.msc mmc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
description pid Process Token: SeSecurityPrivilege 5056 mmc.exe Token: 33 5056 mmc.exe Token: SeIncBasePriorityPrivilege 5056 mmc.exe Token: 33 5056 mmc.exe Token: SeIncBasePriorityPrivilege 5056 mmc.exe Token: 33 5056 mmc.exe Token: SeIncBasePriorityPrivilege 5056 mmc.exe Token: 33 5056 mmc.exe Token: SeIncBasePriorityPrivilege 5056 mmc.exe Token: 33 5056 mmc.exe Token: SeIncBasePriorityPrivilege 5056 mmc.exe Token: 33 5056 mmc.exe Token: SeIncBasePriorityPrivilege 5056 mmc.exe Token: 33 5056 mmc.exe Token: SeIncBasePriorityPrivilege 5056 mmc.exe Token: 33 5056 mmc.exe Token: SeIncBasePriorityPrivilege 5056 mmc.exe Token: 33 5056 mmc.exe Token: SeIncBasePriorityPrivilege 5056 mmc.exe Token: 33 5056 mmc.exe Token: SeIncBasePriorityPrivilege 5056 mmc.exe Token: 33 5056 mmc.exe Token: SeIncBasePriorityPrivilege 5056 mmc.exe Token: 33 5056 mmc.exe Token: SeIncBasePriorityPrivilege 5056 mmc.exe Token: 33 5056 mmc.exe Token: SeIncBasePriorityPrivilege 5056 mmc.exe Token: 33 5056 mmc.exe Token: SeIncBasePriorityPrivilege 5056 mmc.exe Token: 33 5056 mmc.exe Token: SeIncBasePriorityPrivilege 5056 mmc.exe Token: 33 5056 mmc.exe Token: SeIncBasePriorityPrivilege 5056 mmc.exe Token: SeSecurityPrivilege 5056 mmc.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 5056 mmc.exe 5056 mmc.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 916 wrote to memory of 2892 916 cmd.exe 85 PID 916 wrote to memory of 2892 916 cmd.exe 85 PID 2892 wrote to memory of 5056 2892 eventvwr.exe 86 PID 2892 wrote to memory of 5056 2892 eventvwr.exe 86
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\WinX\Group3\07 - Event Viewer.lnk"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:916 -
C:\Windows\system32\eventvwr.exe"C:\Windows\system32\eventvwr.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"3⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5056
-
-