78bc7c32c2bb5c14e897d9eacda509ddebe9b999f801a2784bdf8adc1b5e3dbd

Analysis

max time kernel
119s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d31f8d38425830a10bc442254d632f0N.exe
Size

40KB
MD5

4d31f8d38425830a10bc442254d632f0
SHA1

69af75c5e56fa9f140b1879c73743d7cb1ac65fa
SHA256

78bc7c32c2bb5c14e897d9eacda509ddebe9b999f801a2784bdf8adc1b5e3dbd
SHA512

ba44a425f944bd4b6b531b614e513ba25568eab144f791d3d28c060ce4c4f692a4a62b4ab7f7a78bae97e848548ca2114e18def20810c8838003443774458407
SSDEEP

768:/I0HsbtxJImBU6PP7+JLdHXGHljCOecAH2CZvc:/6fBU6X7+JpIXRjAvc

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	4d31f8d38425830a10bc442254d632f0N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Admin.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	4d31f8d38425830a10bc442254d632f0N.exe

Executes dropped EXE 1 IoCs

pid	Process
4568	Admin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe"	4d31f8d38425830a10bc442254d632f0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe"	Admin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d31f8d38425830a10bc442254d632f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3400	4d31f8d38425830a10bc442254d632f0N.exe
3400	4d31f8d38425830a10bc442254d632f0N.exe
3400	4d31f8d38425830a10bc442254d632f0N.exe
3400	4d31f8d38425830a10bc442254d632f0N.exe
3400	4d31f8d38425830a10bc442254d632f0N.exe
3400	4d31f8d38425830a10bc442254d632f0N.exe
3400	4d31f8d38425830a10bc442254d632f0N.exe
3400	4d31f8d38425830a10bc442254d632f0N.exe
4568	Admin.exe
4568	Admin.exe
3400	4d31f8d38425830a10bc442254d632f0N.exe
3400	4d31f8d38425830a10bc442254d632f0N.exe
3400	4d31f8d38425830a10bc442254d632f0N.exe
3400	4d31f8d38425830a10bc442254d632f0N.exe
3400	4d31f8d38425830a10bc442254d632f0N.exe
3400	4d31f8d38425830a10bc442254d632f0N.exe
4568	Admin.exe
4568	Admin.exe
3400	4d31f8d38425830a10bc442254d632f0N.exe
3400	4d31f8d38425830a10bc442254d632f0N.exe
4568	Admin.exe
4568	Admin.exe
3400	4d31f8d38425830a10bc442254d632f0N.exe
3400	4d31f8d38425830a10bc442254d632f0N.exe
4568	Admin.exe
4568	Admin.exe
3400	4d31f8d38425830a10bc442254d632f0N.exe
3400	4d31f8d38425830a10bc442254d632f0N.exe
4568	Admin.exe
4568	Admin.exe
3400	4d31f8d38425830a10bc442254d632f0N.exe
3400	4d31f8d38425830a10bc442254d632f0N.exe
4568	Admin.exe
4568	Admin.exe
3400	4d31f8d38425830a10bc442254d632f0N.exe
3400	4d31f8d38425830a10bc442254d632f0N.exe
4568	Admin.exe
4568	Admin.exe
3400	4d31f8d38425830a10bc442254d632f0N.exe
3400	4d31f8d38425830a10bc442254d632f0N.exe
4568	Admin.exe
4568	Admin.exe
3400	4d31f8d38425830a10bc442254d632f0N.exe
4568	Admin.exe
3400	4d31f8d38425830a10bc442254d632f0N.exe
4568	Admin.exe
4568	Admin.exe
3400	4d31f8d38425830a10bc442254d632f0N.exe
4568	Admin.exe
3400	4d31f8d38425830a10bc442254d632f0N.exe
3400	4d31f8d38425830a10bc442254d632f0N.exe
4568	Admin.exe
4568	Admin.exe
3400	4d31f8d38425830a10bc442254d632f0N.exe
4568	Admin.exe
3400	4d31f8d38425830a10bc442254d632f0N.exe
4568	Admin.exe
3400	4d31f8d38425830a10bc442254d632f0N.exe
3400	4d31f8d38425830a10bc442254d632f0N.exe
4568	Admin.exe
4568	Admin.exe
3400	4d31f8d38425830a10bc442254d632f0N.exe
4568	Admin.exe
3400	4d31f8d38425830a10bc442254d632f0N.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3400	4d31f8d38425830a10bc442254d632f0N.exe
4568	Admin.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3400 wrote to memory of 4568	3400	4d31f8d38425830a10bc442254d632f0N.exe	87
PID 3400 wrote to memory of 4568	3400	4d31f8d38425830a10bc442254d632f0N.exe	87
PID 3400 wrote to memory of 4568	3400	4d31f8d38425830a10bc442254d632f0N.exe	87

C:\Users\Admin\AppData\Local\Temp\4d31f8d38425830a10bc442254d632f0N.exe
"C:\Users\Admin\AppData\Local\Temp\4d31f8d38425830a10bc442254d632f0N.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3400
- C:\Users\Admin\Admin.exe
  "C:\Users\Admin\Admin.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Admin.exe

Filesize
40KB

MD5
3a7035fa401efd05f7743eed53c4dcb0

SHA1
dc7332007cda6a2d9aa492934900cb402a649704

SHA256
29a446161b6de54c8923b90da3ef54268a9b8bf66a558c9537a80db700825a9a

SHA512
816e1de0f2f117c8fe92618c246a56cd04afc2e3b467060bb5b00c512b3e0c4ee87bee62a0145808dbd774eaafa85e7941a5f5f17b2c965f71807e3252ba7bfc

Download Submit