Analysis
- max time kernel: 120s
- max time network: 119s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-10-2024 07:07

Static task: static1
Behavioral task: behavioral1
Sample: bdbc46f258f283a8b86c94a0f2c9b66c2ff4a35605b836034b27671b4c5974e8N.exe
Resource: win7-20240903-en
General
- Target: bdbc46f258f283a8b86c94a0f2c9b66c2ff4a35605b836034b27671b4c5974e8N.exe
- Size: 9.2MB
- MD5: d511554c3e89879625547bfe436cbf80
- SHA1: df37505e4f1bc919432b5a80c1f5d32484438ce8
- SHA256: bdbc46f258f283a8b86c94a0f2c9b66c2ff4a35605b836034b27671b4c5974e8
- SHA512: 360b811f826e6d695d7f1659503b33db92b8c43001f05666b2820c587a95f62e079c0ddb3b23d0159767a29835da6386c882e5383a88629fe562d251df9bdcd9
- SSDEEP: 196608:lQKdvgDDwRB/rYSExCaWeQx12c00AL3MBEre9s4mEqaB2R5oBPLm8eiveeeI/:JVSDwRZYSExCaxk2rgR9saZk5CPSivem
Malware Config
Signatures
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: Setup.exe
    description | ioc | Process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Setup.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | Setup.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: bdbc46f258f283a8b86c94a0f2c9b66c2ff4a35605b836034b27671b4c5974e8N.exe, WindowsLoader.exe
    description | ioc | Process
    Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | bdbc46f258f283a8b86c94a0f2c9b66c2ff4a35605b836034b27671b4c5974e8N.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | WindowsLoader.exe
- Executes dropped EXE (3 IoCs)
  Processes: PDloewpjkG.exe, WindowsLoader.exe, Setup.exe
    pid | Process
    392 | PDloewpjkG.exe
    4240 | WindowsLoader.exe
    4224 | Setup.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: WindowsLoader.exe
    pid | Process
    4240 | WindowsLoader.exe
    4240 | WindowsLoader.exe
- Processes:
    resource | yara_rule
    behavioral2/files/0x00070000000234c8-29.dat | upx
    behavioral2/memory/4224-36-0x0000000000400000-0x0000000000623000-memory.dmp | upx
    behavioral2/memory/4224-102-0x0000000000400000-0x0000000000623000-memory.dmp | upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: Setup.exe, bdbc46f258f283a8b86c94a0f2c9b66c2ff4a35605b836034b27671b4c5974e8N.exe, PDloewpjkG.exe, WindowsLoader.exe
    description | ioc | Process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Setup.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bdbc46f258f283a8b86c94a0f2c9b66c2ff4a35605b836034b27671b4c5974e8N.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PDloewpjkG.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WindowsLoader.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes: Setup.exe
    description | ioc | Process
    Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Setup.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | Setup.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: WindowsLoader.exe, Setup.exe
    pid | Process
    4240 | WindowsLoader.exe
    4240 | WindowsLoader.exe
    4224 | Setup.exe
    4224 | Setup.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: Setup.exe
    description | pid | Process
    Token: 33 | 4224 | Setup.exe
    Token: SeIncBasePriorityPrivilege | 4224 | Setup.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes: Setup.exe
    pid | Process
    4224 | Setup.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: bdbc46f258f283a8b86c94a0f2c9b66c2ff4a35605b836034b27671b4c5974e8N.exe, WindowsLoader.exe
    description | pid | Process | procid_target
    PID 1300 wrote to memory of 392 | 1300 | bdbc46f258f283a8b86c94a0f2c9b66c2ff4a35605b836034b27671b4c5974e8N.exe | 82
    PID 1300 wrote to memory of 392 | 1300 | bdbc46f258f283a8b86c94a0f2c9b66c2ff4a35605b836034b27671b4c5974e8N.exe | 82
    PID 1300 wrote to memory of 392 | 1300 | bdbc46f258f283a8b86c94a0f2c9b66c2ff4a35605b836034b27671b4c5974e8N.exe | 82
    PID 1300 wrote to memory of 4240 | 1300 | bdbc46f258f283a8b86c94a0f2c9b66c2ff4a35605b836034b27671b4c5974e8N.exe | 84
    PID 1300 wrote to memory of 4240 | 1300 | bdbc46f258f283a8b86c94a0f2c9b66c2ff4a35605b836034b27671b4c5974e8N.exe | 84
    PID 1300 wrote to memory of 4240 | 1300 | bdbc46f258f283a8b86c94a0f2c9b66c2ff4a35605b836034b27671b4c5974e8N.exe | 84
    PID 4240 wrote to memory of 4224 | 4240 | WindowsLoader.exe | 89
    PID 4240 wrote to memory of 4224 | 4240 | WindowsLoader.exe | 89
    PID 4240 wrote to memory of 4224 | 4240 | WindowsLoader.exe | 89
Processes
- C:\Users\Admin\AppData\Local\Temp\bdbc46f258f283a8b86c94a0f2c9b66c2ff4a35605b836034b27671b4c5974e8N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bdbc46f258f283a8b86c94a0f2c9b66c2ff4a35605b836034b27671b4c5974e8N.exe"
  PID: 1300
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\PDloewpjkG.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PDloewpjkG.exe"
    PID: 392
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\WindowsLoader.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\WindowsLoader.exe"
    PID: 4240
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Setup.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      PID: 4224
      - Checks BIOS information in registry
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 6.3MB
  MD5: 5d6a303668e616ff81485949f18515b3
  SHA1: fc7ca4ae06279a78d0e0fcbf7f3a874ff8230cfe
  SHA256: d48ac7a7f98179c41d161ab90c08fac46fac8680e10b6f8fa605d5b029839d01
  SHA512: 49b86188cd9847afb9230cf59e1d29069b37bcaf178d50fb78d64dfe918ec523e140f1ee12f790d1daaa11c1e198f8744b3117683f7c91d637c91c6779a63fd3
- Filesize: 3.8MB
  MD5: 323c0fd51071400b51eedb1be90a8188
  SHA1: 0efc35935957c25193bbe9a83ab6caa25a487ada
  SHA256: 2f2aba1e074f5f4baa08b524875461889f8f04d4ffc43972ac212e286022ab94
  SHA512: 4c501c7135962e2f02b68d6069f2191ddb76f990528dacd209955a44972122718b9598400ba829abab2d4345b4e1a4b93453c8e7ba42080bd492a34cf8443e7e