Analysis

max time kernel:   120s
max time network:  96s
platform:          windows10-2004_x64
resource:          win10v2004-20240802-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted:         12-09-2024 04:51
Static task: static1

Behavioral task: behavioral1
  Sample:   ba03d8007be11c301434a6a4bbf3af40N.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample:   ba03d8007be11c301434a6a4bbf3af40N.exe
  Resource: win10v2004-20240802-en

The signatures and process tree below are from behavioral2 (the win10v2004 run; the memory-dump IoCs are labelled behavioral2/...). The win7 run is not shown on this page.
General

Target:  ba03d8007be11c301434a6a4bbf3af40N.exe
Size:    88KB
MD5:     ba03d8007be11c301434a6a4bbf3af40
SHA1:    8028e9d4c66248cdf263a835266588a16f57d01f
SHA256:  493ec1e2c1f4c26a6c39941304d219d99e846314d90fe7b250086ed023f28e8f
SHA512:  46142559e53479efb0a4d0883eae98d5370a0b6ac154d51f06c4bc2a5956b6fabe64eef2251fae1709e9224b7d9d17b6cc8f83bf3e88c64da81827bf9437e5ad
SSDEEP:  768:aQNIscPXcOAKrm//4SE6rdcIz0M6mc39vAqBbXml/X4B0blMTIWo90UvIC2TVGpC:aCILvs9NctvAqlWpoBjpUv72TDFP
Malware Config
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.

  description        ioc                                                                                              process
  Key value queried  \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation  ba03d8007be11c301434a6a4bbf3af40N.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation  configs.exe
Executes dropped EXE (4 IoCs)

  pid   process
  3092  configs.exe
  1564  configs.exe
  3108  configs.exe
  4896  configs.exe
YARA rule matches (rule: upx)

  resource                                                          yara_rule
  behavioral2/memory/3948-5-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral2/memory/3948-7-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral2/memory/3948-8-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral2/memory/3948-9-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral2/memory/3948-35-0x0000000000400000-0x000000000040B000-memory.dmp  upx
  behavioral2/memory/3948-54-0x0000000000400000-0x000000000040B000-memory.dmp  upx
  behavioral2/memory/1564-84-0x0000000000400000-0x000000000040B000-memory.dmp  upx

All hits are in the 0x400000-0x40B000 region of PID 3948 (the second instance of the sample) and PID 1564 (the second instance of configs.exe), i.e. the two processes that are the targets of SetThreadContext below.
Adds Run key to start application (2 TTPs, 1 IoC)

  description      ioc                                                                                                                    process
  Set value (str)  \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audio Driver = "C:\\Users\\Admin\\AppData\\Roaming\\system\\configs.exe"  reg.exe

The value is written by reg.exe launched from a batch file (see the process tree), not by the sample itself, so a detection keyed on the sample's image name writing to the Run key would miss it; key on the value name "Audio Driver" and the %APPDATA%\system\configs.exe path instead.
Suspicious use of SetThreadContext (4 IoCs)

  description                         pid   process                                procid_target
  PID 1980 set thread context of 3948  1980  ba03d8007be11c301434a6a4bbf3af40N.exe  91
  PID 3092 set thread context of 1564  3092  configs.exe                            99
  PID 3092 set thread context of 3108  3092  configs.exe                            100
  PID 3108 set thread context of 4896  3108  configs.exe                            101

In every case the target is a second instance of the caller's own image that the caller has also written into (see WriteProcessMemory below). That combination, a child of the same executable receiving memory writes followed by a thread-context change from its parent, is consistent with process hollowing / self-injection: the child is started, its memory is overwritten with the payload, and its main thread is redirected to the new entry point.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). No individual IoCs are listed for this signature.
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  description  ioc                                                         process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  reg.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  configs.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  configs.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  configs.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  configs.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ba03d8007be11c301434a6a4bbf3af40N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ba03d8007be11c301434a6a4bbf3af40N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe

Note that cmd.exe and reg.exe also trigger this signature: opening the NLS\Language key is part of normal process start-up on Windows, so on its own it is weak evidence. The Geo\Nation query above is the more specific geofencing indicator.
Suspicious use of AdjustPrivilegeToken (64 IoCs)

  description               pid   process
  Token: SeDebugPrivilege   1564  configs.exe   (all 64 entries are identical: PID 1564 enabling SeDebugPrivilege)

Only the second configs.exe instance (PID 1564, the SetThreadContext target with the upx memory hits) enables SeDebugPrivilege, and it does so repeatedly.
Suspicious use of SetWindowsHookEx (4 IoCs)

  pid   process
  1980  ba03d8007be11c301434a6a4bbf3af40N.exe
  3948  ba03d8007be11c301434a6a4bbf3af40N.exe
  3092  configs.exe
  1564  configs.exe

The hook type is not recorded in this report.
Suspicious use of WriteProcessMemory (39 IoCs)

Collapsed by (writer, target) pair; the count is the number of identical events in the report.

  writer pid  writer process                          target pid  target process  procid_target  events
  1980        ba03d8007be11c301434a6a4bbf3af40N.exe   3948        (same image)    91             8
  3948        ba03d8007be11c301434a6a4bbf3af40N.exe   4440        cmd.exe         94             3
  4440        cmd.exe                                 696         reg.exe         97             3
  3948        ba03d8007be11c301434a6a4bbf3af40N.exe   3092        configs.exe     98             3
  3092        configs.exe                             1564        configs.exe     99             8
  3092        configs.exe                             3108        configs.exe     100            7
  3108        configs.exe                             4896        configs.exe     101            7

The three ordinary child launches (cmd.exe, reg.exe, the first configs.exe) each receive 3 writes; the four SetThreadContext targets receive 7-8 writes each.
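Added example (not part of the sandbox report): the SetThreadContext and WriteProcessMemory tables above are more useful when correlated than when read separately. The script below parses the report's event lines (reconstructed inline from the counts above, so it runs offline), counts writes per writer/target pair, and flags every SetThreadContext target that the same process also wrote into and that runs the writer's own image, which is the self-injection pattern in this run. The PID-to-image map is taken from the process tree on this page; the `hollowing_candidates` name and the heuristic are this example's own, not the sandbox's.

```python
import re
from collections import Counter

# Constructed input: the report's events, one per line, expanded from the
# per-pair counts. Field order follows the report: PID <writer> <action>
# <target> <writer> <writer image> <procid_target>. Note the image column
# is the WRITER's image, not the target's.
REPORT_EVENTS = (
    "PID 1980 set thread context of 3948 1980 ba03d8007be11c301434a6a4bbf3af40N.exe 91\n"
    "PID 3092 set thread context of 1564 3092 configs.exe 99\n"
    "PID 3092 set thread context of 3108 3092 configs.exe 100\n"
    "PID 3108 set thread context of 4896 3108 configs.exe 101\n"
    + "PID 1980 wrote to memory of 3948 1980 ba03d8007be11c301434a6a4bbf3af40N.exe 91\n" * 8
    + "PID 3948 wrote to memory of 4440 3948 ba03d8007be11c301434a6a4bbf3af40N.exe 94\n" * 3
    + "PID 4440 wrote to memory of 696 4440 cmd.exe 97\n" * 3
    + "PID 3948 wrote to memory of 3092 3948 ba03d8007be11c301434a6a4bbf3af40N.exe 98\n" * 3
    + "PID 3092 wrote to memory of 1564 3092 configs.exe 99\n" * 8
    + "PID 3092 wrote to memory of 3108 3092 configs.exe 100\n" * 7
    + "PID 3108 wrote to memory of 4896 3108 configs.exe 101\n" * 7
)

# Constructed from the report's process tree: PID -> image name of that PID.
PROCESS_IMAGES = {
    1980: "ba03d8007be11c301434a6a4bbf3af40N.exe",
    3948: "ba03d8007be11c301434a6a4bbf3af40N.exe",
    4440: "cmd.exe",
    696: "reg.exe",
    3092: "configs.exe",
    1564: "configs.exe",
    3108: "configs.exe",
    4896: "configs.exe",
}

# The back-reference (?P=src) enforces the report's repeated writer PID, so a
# line where the two PIDs disagree is rejected rather than mis-parsed.
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target_id>\d+)"
)


def parse_events(text):
    """Return [(writer_pid, action, target_pid, writer_image), ...]."""
    return [
        (int(m["src"]), m["action"], int(m["dst"]), m["image"])
        for m in EVENT_RE.finditer(text)
    ]


def count_writes(events):
    """Number of WriteProcessMemory events per (writer, target) pair."""
    return Counter((s, d) for s, a, d, _ in events if a == "wrote to memory of")


def hollowing_candidates(events, images):
    """(writer, target, image, write_count) for every SetThreadContext target
    that the same writer also wrote into AND that runs the writer's own image.
    Heuristic only: it is the pattern in this report, not a general proof."""
    writes = count_writes(events)
    found = []
    for src, action, dst, image in events:
        if action != "set thread context of":
            continue
        n = writes.get((src, dst), 0)
        if n and images.get(dst) == image:
            found.append((src, dst, image, n))
    return found


if __name__ == "__main__":
    evs = parse_events(REPORT_EVENTS)
    for src, dst, image, n in hollowing_candidates(evs, PROCESS_IMAGES):
        print(f"{src} -> {dst} ({image}): {n} writes then SetThreadContext")
    for (s, d), n in sorted(count_writes(evs).items()):
        print(f"writes {s} -> {d}: {n}")
```

Run against the report's data it reports the four same-image chains (1980→3948, 3092→1564, 3092→3108, 3108→4896) and leaves the cmd.exe and reg.exe launches alone, even though those also appear in the WriteProcessMemory table. On a live EDR feed the same join (write events followed by a thread-context change on a child of the same image) is a reasonable starting rule; tune the write-count threshold on your own baseline, since the 3 writes seen for ordinary child launches here are sandbox-specific.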
Processes

Indentation shows parent/child depth; the number in brackets is the depth level from the report.

[1] C:\Users\Admin\AppData\Local\Temp\ba03d8007be11c301434a6a4bbf3af40N.exe  (PID 1980)
    command line: "C:\Users\Admin\AppData\Local\Temp\ba03d8007be11c301434a6a4bbf3af40N.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\ba03d8007be11c301434a6a4bbf3af40N.exe  (PID 3948)
        command line: "C:\Users\Admin\AppData\Local\Temp\ba03d8007be11c301434a6a4bbf3af40N.exe"
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe  (PID 4440)
            command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EDQGU.bat" "
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\reg.exe  (PID 696)
                command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Audio Driver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\configs.exe" /f
                - Adds Run key to start application
                - System Location Discovery: System Language Discovery

        [3] C:\Users\Admin\AppData\Roaming\system\configs.exe  (PID 3092)
            command line: "C:\Users\Admin\AppData\Roaming\system\configs.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Roaming\system\configs.exe  (PID 1564)
                command line: "C:\Users\Admin\AppData\Roaming\system\configs.exe"
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx

            [4] C:\Users\Admin\AppData\Roaming\system\configs.exe  (PID 3108)
                command line: "C:\Users\Admin\AppData\Roaming\system\configs.exe"
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory

                [5] C:\Users\Admin\AppData\Roaming\system\configs.exe  (PID 4896)
                    command line: "C:\Users\Admin\AppData\Roaming\system\configs.exe"
                    - Checks computer location settings
                    - Executes dropped EXE
                    - System Location Discovery: System Language Discovery

Two things worth noting when building detections from this tree. First, the command lines ask for C:\Windows\system32\cmd.exe but the images that actually ran are under C:\Windows\SysWOW64: the sample is 32-bit (arch:x86 tag above), so WoW64 file-system redirection maps system32 to SysWOW64 for it and its children. Second, persistence is established by a batch file (EDQGU.bat in %TEMP%) that calls reg.exe, and the dropped copy in %APPDATA%\system\configs.exe then repeats the same inject-into-own-image chain seen in the original sample.
Network

MITRE ATT&CK Enterprise v15
Downloads

File names are not given in this report; the entries are identified by size and hash only.

File 1
  Filesize: 294B
  MD5:      b023f407691c6a7b475a0652151c8662
  SHA1:     52e3debda3cfcf8abe0e3d5635841a20e5625d28
  SHA256:   5dec47b8aad0d0f953f0c24996d800f867ec38a35fb321c4f032424a112a7d76
  SHA512:   16f9565ba54d3dfee005054e6a8f6668f83eb494594e583db26de5a8f00c1fd90578c7fca2d73f2e018e4f70eb41dcc0bdfa669c2738f639f7849f363cfa1541

File 2
  Filesize: 148B
  MD5:      c85bfe60cc1236f9ccf153a142bab133
  SHA1:     5d73ae02ea3ed5f99dfd2bbba218d6f0b1d2972b
  SHA256:   958d6eb1237dfb77692e9b712b51ef05d6ac21bddfd8e7d7d9a2dbe71a975179
  SHA512:   f5f8401b8ed5451497ec32525c299db94072be79af44c4384d006dc5acedceb779b07a0f6e9e8db74d475761190636403cb5ffd90cd5ca4a68ccf967a4a79b88

File 3
  Filesize: 88KB
  MD5:      89677d4fe757091bba513e97fa5aba04
  SHA1:     01424511767fd90854b0eb679cfd4725b3c4881f
  SHA256:   1395e6a0e4cc72e932906540ddc45a9151c8fc1386a3c5e13554dda555e9e357
  SHA512:   587b3a277816a436bce532bbbb2217a3e1e4eac242bd726273cee45348f402d9e6f4828b647b31537b160dd47a77c9e0050432254a381590e77f27249ea657ce

Note that File 3 is the same size as the submitted sample (88KB) but has different hashes, so a hash-based check for the original sample will not match this 88KB artifact; use the file path, the Run-key value, and the behavioural chain above alongside the hashes.