Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
30-09-2024 03:56
Static task
static1
Behavioral task
behavioral1
Sample
48db9d908b5db4c809f5175c99d0a8e9957a559d976568e8b0f8db853eb3d766N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
48db9d908b5db4c809f5175c99d0a8e9957a559d976568e8b0f8db853eb3d766N.exe
Resource
win10v2004-20240802-en
General
-
Target
48db9d908b5db4c809f5175c99d0a8e9957a559d976568e8b0f8db853eb3d766N.exe
-
Size
758KB
-
MD5
226b5c545640bb6033225c40bc758850
-
SHA1
fda9652f4e51bf9c593962aaf47cffbaea216f86
-
SHA256
48db9d908b5db4c809f5175c99d0a8e9957a559d976568e8b0f8db853eb3d766
-
SHA512
ea51a59beb4a1e5f9ee4f18f9070b07076284ee7181a0f24a579347fc89cd424d3de5ab65ca904eefc2321e00313514fb58a52240c9aeb0350d659a956035266
-
SSDEEP
12288:xyveQB/fTHIGaPkKEYzURNAwbAgB2X+t4qsEfFEZjAHuKDAS7vM5nP1ZSz:xuDXTIGaPhEYzUzA0/0qsEfFmvqLMxHY
Malware Config
Extracted
latentbot
zxceblan228sexpenis.zapto.org
Signatures
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 4636 netsh.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation SERVER~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation 48db9d908b5db4c809f5175c99d0a8e9957a559d976568e8b0f8db853eb3d766N.exe -
Executes dropped EXE 3 IoCs
pid Process 4940 11111.exe 2260 SERVER~1.EXE 3204 server.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 11111.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
Suspicious use of AdjustPrivilegeToken 29 IoCs
description pid Process Token: SeDebugPrivilege 3204 server.exe Token: 33 3204 server.exe Token: SeIncBasePriorityPrivilege 3204 server.exe Token: 33 3204 server.exe Token: SeIncBasePriorityPrivilege 3204 server.exe Token: 33 3204 server.exe Token: SeIncBasePriorityPrivilege 3204 server.exe Token: 33 3204 server.exe Token: SeIncBasePriorityPrivilege 3204 server.exe Token: 33 3204 server.exe Token: SeIncBasePriorityPrivilege 3204 server.exe Token: 33 3204 server.exe Token: SeIncBasePriorityPrivilege 3204 server.exe Token: 33 3204 server.exe Token: SeIncBasePriorityPrivilege 3204 server.exe Token: 33 3204 server.exe Token: SeIncBasePriorityPrivilege 3204 server.exe Token: 33 3204 server.exe Token: SeIncBasePriorityPrivilege 3204 server.exe Token: 33 3204 server.exe Token: SeIncBasePriorityPrivilege 3204 server.exe Token: 33 3204 server.exe Token: SeIncBasePriorityPrivilege 3204 server.exe Token: 33 3204 server.exe Token: SeIncBasePriorityPrivilege 3204 server.exe Token: 33 3204 server.exe Token: SeIncBasePriorityPrivilege 3204 server.exe Token: 33 3204 server.exe Token: SeIncBasePriorityPrivilege 3204 server.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 1196 wrote to memory of 4940 1196 48db9d908b5db4c809f5175c99d0a8e9957a559d976568e8b0f8db853eb3d766N.exe 82 PID 1196 wrote to memory of 4940 1196 48db9d908b5db4c809f5175c99d0a8e9957a559d976568e8b0f8db853eb3d766N.exe 82 PID 4940 wrote to memory of 2260 4940 11111.exe 84 PID 4940 wrote to memory of 2260 4940 11111.exe 84 PID 2260 wrote to memory of 3204 2260 SERVER~1.EXE 85 PID 2260 wrote to memory of 3204 2260 SERVER~1.EXE 85 PID 2260 wrote to memory of 3204 2260 SERVER~1.EXE 85 PID 3204 wrote to memory of 4636 3204 server.exe 86 PID 3204 wrote to memory of 4636 3204 server.exe 86 PID 3204 wrote to memory of 4636 3204 server.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\48db9d908b5db4c809f5175c99d0a8e9957a559d976568e8b0f8db853eb3d766N.exe"C:\Users\Admin\AppData\Local\Temp\48db9d908b5db4c809f5175c99d0a8e9957a559d976568e8b0f8db853eb3d766N.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Users\Admin\AppData\Local\Temp\11111.exe"C:\Users\Admin\AppData\Local\Temp\11111.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3204 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe" "server.exe" ENABLE5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4636
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
374KB
MD51e4f8f81465a3b3824b027f7f7e16286
SHA11a050c903b80ed73f66e7e7c97c652ea4ade7cf4
SHA25642506f70287a39356a976330894d88e16dd80c894ddee382d23ff32d3c771164
SHA512a7992ddd8da8f17be1b88b575a892374771e37d84f29ddd410cf63e58c509c41945e867381d199777bca28b6c761a2d34ec668fcc104a83c7bd2e66bcd734ec2
-
Filesize
453KB
MD549eacc3b29a6c91501e2e084dddc1e33
SHA1acf4585f11e0a72946d0e4a31b0151b31a82776a
SHA256677110fa532a0751b174ef841ea0aec5f76af2a0545ce64e6df7d047b936114a
SHA5126b6d1060858a21cbb76faabd3596d64880941cbccbcfd420cf44ad80372d3b9aba9a78781b1711b2a2d1af04916a6517eb87afb1332271e651a7f3f1c1138836
-
Filesize
37KB
MD53c15da341bbd762a44d84b8325709b10
SHA1927388d7c7e80f9a2b0d4b500cf040c1c17b1133
SHA256e340d343d38eb7b22bf2cbbc7001e2e174de1abcc37c81a8d624c9281bbf9123
SHA5128f53976d2c63849b4b58945167d81ee6296c8c74dcaf6da22b537a07eed4b9c2ccce1c1d6c84f9ab9f8d6ad0facbf2e50d5d014ba0c070bf10c7686df997cfaf