Analysis

  • max time kernel
    138s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-08-2024 17:45

General

  • Target

    WinX/Group3/07 - Event Viewer.lnk

  • Size

    1015B

  • MD5

    37cef1a4002761c06890417f603c32cf

  • SHA1

    828b4a8021faba52a2efce55c56318dbd9c9b2dd

  • SHA256

    60e2965c8f44800f649a9555b713e0d703423445f21ecc23bbab148fcba677d5

  • SHA512

    274762a0849dbe230b135070a2cc76d9a5b7309be649e480cc89d877ec29fde8a9f4d9ccad51e578dd0d06ba3cc20b6fae94e2d586adad45f01da1ad29ef41d6

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\WinX\Group3\07 - Event Viewer.lnk"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:916
    • C:\Windows\system32\eventvwr.exe
      "C:\Windows\system32\eventvwr.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2892
      • C:\Windows\system32\mmc.exe
        "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"
        3⤵
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:5056

Network

MITRE ATT&CK Enterprise v15
