Analysis

max time kernel: 120s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-10-2024 00:20

Static task: static1
Behavioral task: behavioral1
  Sample: 2a8b2d4cf5f2054a01ea2d5c8d9b71e8f1706f74c251bb16684c98fa25b9a64dN.exe
  Resource: win7-20240903-en
General

Target: 2a8b2d4cf5f2054a01ea2d5c8d9b71e8f1706f74c251bb16684c98fa25b9a64dN.exe
Size: 647KB
MD5: ff2da6a2d2e29d76e8ee869fa07f7530
SHA1: ece7a717f8a6e7973c78cadf87d6449e116fe9f4
SHA256: 2a8b2d4cf5f2054a01ea2d5c8d9b71e8f1706f74c251bb16684c98fa25b9a64d
SHA512: 03334e7e0903ba6b4c4611443722f5c8cf07c974b7ca36d7e1a0a62a4c83bb13702d5b3761f72c288d2bf1e0fbcc4a878559a864fe3147ce8f51a00345818721
SSDEEP: 12288:ra/rmU5El82jSlI/ExacF3gnxbCEjLz35gRHHi3xED:rav5UjSlI/EPFmOmLz35g9H4xED
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 2a8b2d4cf5f2054a01ea2d5c8d9b71e8f1706f74c251bb16684c98fa25b9a64dN.exe, firewall-tmp.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | 2a8b2d4cf5f2054a01ea2d5c8d9b71e8f1706f74c251bb16684c98fa25b9a64dN.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | firewall-tmp.exe
Drops startup file (1 IoCs)
Processes: firewall-tmp.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\firewall-tmp.lnk | firewall-tmp.exe
Executes dropped EXE (3 IoCs)
Processes: firewall-tmp.exe, firewall-tmp.exe, firewall-tmp.exe
pid | process
2024 | firewall-tmp.exe
4620 | firewall-tmp.exe
3624 | firewall-tmp.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: firewall-tmp.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DNS Monitor = "C:\\Program Files (x86)\\DNS Monitor\\dnsmon.exe" | firewall-tmp.exe
Checks whether UAC is enabled (1 IoCs)
Processes: firewall-tmp.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | firewall-tmp.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes: firewall-tmp.exe
description | pid | process | procid_target
PID 4620 set thread context of 3624 | 4620 | firewall-tmp.exe | 96
Drops file in Program Files directory (2 IoCs)
Processes: firewall-tmp.exe
description | ioc | process
File created | C:\Program Files (x86)\DNS Monitor\dnsmon.exe | firewall-tmp.exe
File opened for modification | C:\Program Files (x86)\DNS Monitor\dnsmon.exe | firewall-tmp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 2a8b2d4cf5f2054a01ea2d5c8d9b71e8f1706f74c251bb16684c98fa25b9a64dN.exe, firewall-tmp.exe, cmd.exe, firewall-tmp.exe, firewall-tmp.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2a8b2d4cf5f2054a01ea2d5c8d9b71e8f1706f74c251bb16684c98fa25b9a64dN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | firewall-tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | firewall-tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | firewall-tmp.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: firewall-tmp.exe, firewall-tmp.exe
pid | process
4620 | firewall-tmp.exe
4620 | firewall-tmp.exe
3624 | firewall-tmp.exe
3624 | firewall-tmp.exe
3624 | firewall-tmp.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: firewall-tmp.exe
pid | process
3624 | firewall-tmp.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: firewall-tmp.exe, firewall-tmp.exe
description | pid | process
Token: SeDebugPrivilege | 4620 | firewall-tmp.exe
Token: SeDebugPrivilege | 3624 | firewall-tmp.exe
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 2a8b2d4cf5f2054a01ea2d5c8d9b71e8f1706f74c251bb16684c98fa25b9a64dN.exe, firewall-tmp.exe, firewall-tmp.exe
(identical rows collapsed; count is the number of identical rows in the report)
description | count | pid | process | procid_target
PID 2088 wrote to memory of 2024 | 3 | 2088 | 2a8b2d4cf5f2054a01ea2d5c8d9b71e8f1706f74c251bb16684c98fa25b9a64dN.exe | 82
PID 2024 wrote to memory of 3272 | 3 | 2024 | firewall-tmp.exe | 91
PID 2024 wrote to memory of 4620 | 3 | 2024 | firewall-tmp.exe | 93
PID 4620 wrote to memory of 3624 | 8 | 4620 | firewall-tmp.exe | 96
Processes

C:\Users\Admin\AppData\Local\Temp\2a8b2d4cf5f2054a01ea2d5c8d9b71e8f1706f74c251bb16684c98fa25b9a64dN.exe (PID 2088)
  command line: "C:\Users\Admin\AppData\Local\Temp\2a8b2d4cf5f2054a01ea2d5c8d9b71e8f1706f74c251bb16684c98fa25b9a64dN.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\RarSFX0\firewall-tmp.exe (PID 2024)
    command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\firewall-tmp.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 3272)
      command line: cmd /c copy "C:\Users\Admin\AppData\Local\Temp\RarSFX0\*.*" "C:\Users\Admin\AppData\Roaming\Explorer" & exit
      - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Roaming\Explorer\firewall-tmp.exe (PID 4620)
      command line: "C:\Users\Admin\AppData\Roaming\Explorer\firewall-tmp.exe"
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\Explorer\firewall-tmp.exe (PID 3624)
        command line: "C:\Users\Admin\AppData\Roaming\Explorer\firewall-tmp.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
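Read together, the SetThreadContext and WriteProcessMemory signatures and the process tree give the shape a triage analyst looks for: PID 4620 starts a second copy of its own image (PID 3624), writes into it eight times where every other spawn in this report shows three writes, then sets the new process's thread context. The Python below is an added example written for this page, not code from tria.ge or from the sample. It transcribes the report's PIDs, image paths, registry keys and event counts, flags that parent/child event shape, and turns the persistence artefacts (the DNS Monitor Run key, the Startup .lnk, the Program Files drop and the Roaming\Explorer staging directory) into matchers for host logs. The Sysmon-style log lines and the user name jdoe are constructed for the demo.

```python
"""
Triage helper for the report above. Added example by the editor, not tria.ge
code: PIDs, image paths, registry keys and event counts are transcribed from
the report's signature tables and process tree; the Sysmon-style log lines at
the bottom are constructed for the demo.
"""
import re
from collections import Counter

SAMPLE = "2a8b2d4cf5f2054a01ea2d5c8d9b71e8f1706f74c251bb16684c98fa25b9a64dN.exe"

# pid -> (image path, parent pid), from the report's process tree
PROCESSES = {
    2088: ("C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE, None),
    2024: (r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\firewall-tmp.exe", 2088),
    3272: (r"C:\Windows\SysWOW64\cmd.exe", 2024),
    4620: (r"C:\Users\Admin\AppData\Roaming\Explorer\firewall-tmp.exe", 2024),
    3624: (r"C:\Users\Admin\AppData\Roaming\Explorer\firewall-tmp.exe", 4620),
}

# (writer pid, target pid), one tuple per WriteProcessMemory row in the report
WPM_EVENTS = ([(2088, 2024)] * 3 + [(2024, 3272)] * 3
              + [(2024, 4620)] * 3 + [(4620, 3624)] * 8)
# (caller pid, target pid), one tuple per SetThreadContext row
STC_EVENTS = [(4620, 3624)]


def process_chain(processes, pid):
    """Ancestry of a pid from the root of the tree down to the pid itself."""
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = processes[pid][1]
    return chain[::-1]


def hollowing_candidates(processes, wpm_events, stc_events, baseline_writes=3):
    """Flag parent/child pairs whose event shape matches process hollowing.

    Every spawn in this report, cmd.exe included, produces exactly three
    WriteProcessMemory rows, so three is taken as the ordinary process-creation
    baseline. A pair is flagged when the parent also called SetThreadContext on
    the child and wrote into it more often than that baseline.
    """
    writes = Counter(wpm_events)
    flagged = []
    for parent, child in sorted(set(stc_events)):
        if writes[(parent, child)] <= baseline_writes:
            continue
        flagged.append({
            "parent": parent,
            "child": child,
            "writes": writes[(parent, child)],
            # a child run from the parent's own image is the classic hollowing shape
            "same_image": processes[parent][0].lower() == processes[child][0].lower(),
        })
    return flagged


# Persistence and staging artefacts from the report. The Run key is given
# without its hive prefix so both the report's \REGISTRY\MACHINE\... spelling
# and the HKLM\... spelling used by Sysmon match.
PERSISTENCE_IOCS = {
    "run_key": r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DNS Monitor",
    "run_target": r"C:\Program Files (x86)\DNS Monitor\dnsmon.exe",
    "startup_lnk": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\firewall-tmp.lnk",
    "staging_dir": r"C:\Users\Admin\AppData\Roaming\Explorer",
}


def _ioc_pattern(path):
    """Case-insensitive regex for an IoC path, with the sandbox profile
    C:\\Users\\Admin generalised to any user name."""
    escaped = re.escape(path)
    escaped = escaped.replace(re.escape(r"C:\Users\Admin"), r"C:\\Users\\[^\\]+")
    return re.compile(escaped, re.IGNORECASE)


PERSISTENCE_PATTERNS = {name: _ioc_pattern(p) for name, p in PERSISTENCE_IOCS.items()}


def match_persistence(log_line):
    """Names of the IoCs whose path occurs anywhere in one log line."""
    return [name for name, pat in PERSISTENCE_PATTERNS.items() if pat.search(log_line)]


# Constructed Sysmon-style lines for the demo (not from the report)
SAMPLE_LOG = [
    r"RegistryEvent SetValue Image: C:\Users\jdoe\AppData\Roaming\Explorer\firewall-tmp.exe "
    r"TargetObject: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DNS Monitor "
    r"Details: C:\Program Files (x86)\DNS Monitor\dnsmon.exe",
    r"FileCreate Image: C:\Users\jdoe\AppData\Roaming\Explorer\firewall-tmp.exe "
    r"TargetFilename: C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\firewall-tmp.lnk",
    r"ProcessCreate Image: C:\Windows\System32\notepad.exe CommandLine: notepad.exe",
]

if __name__ == "__main__":
    for hit in hollowing_candidates(PROCESSES, WPM_EVENTS, STC_EVENTS):
        print("hollowing candidate:", hit, "chain:", process_chain(PROCESSES, hit["child"]))
    for line in SAMPLE_LOG:
        print(match_persistence(line) or "-", "|", line[:60])
```

The write-count baseline is specific to this report: three writes per spawn is what the sandbox recorded for every ordinary child here, so the heuristic keys on the excess writes plus SetThreadContext rather than on a fixed threshold; on another sandbox or host telemetry source the baseline should be re-measured before the rule is trusted. The staging-directory matcher generalises the user profile but keeps the directory name, so it will also surface the cmd.exe copy step from the process tree when that copy is logged as a file creation.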
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 594B
MD5: c94dfeb3fce284a48382d77bcc392730
SHA1: 4e7d49492dae8f169d86d9af95f68a9f9cbd3998
SHA256: 2f3dbeb392f82563bb0bb8e5a91873fd1fa3bf4fe34e285fcecb8c5cf0530815
SHA512: 38eb711c5a4399baa16f667d92d41bd02c27bfc06c1ecf1e26c70a92f69318b05cda6146f6e8d4b357084674e3bbc93a5462eb62f28ca05349af6166e8637d13

Filesize: 225KB
MD5: 51f1ce5d176efbe96f90041f021ffc01
SHA1: ea0e79728896bdb069a8415e39870e840016a067
SHA256: 608f68fcb0b4cbb3a2e688757ca461d14a1b15eb183f814fcfbeca882d9d1c6d
SHA512: 22c19013ee68e7f78633e6e3b1254fe99eb9ad6145dd1c0b0bc6e8dd952405449c55df49ae986d8886d62ce4e18b73764f98c39b806f57c56aadcbca7721619d

Filesize: 1024KB
MD5: 7f80c68c6a830a70710814f8f826f4f2
SHA1: 340d3725bd2fb249ef23b74695383acfc143f518
SHA256: 59148dbade1cb116605f776b6cad15e7cdd5fe0303cedaef657768face638f3e
SHA512: 77d3d9a24d815b8f3143a594dab9d07ddc77f40f0f26b9e12a7d22986f7505b3e02efe8bbe4caf2acc050777594e00246532bba39d45c451a68049c79cf8143d

Filesize: 165KB
MD5: 1c8bfc1aa27be1ef777946a6388ba879
SHA1: a375d403558a3e2203237178163f65770f5ac702
SHA256: ea6edfbb4f758fedc4e46256a30300bb80479cb854f83c51501e548b51bbfe72
SHA512: 8eccdd4d58008d6d872e3983242d1118c98583c12894dbee4d5fd6e9528cd7d6d73fad2bbc175a0ba57aa8dc6baae8caad2d816347544bda22adcf9468111d4e