Analysis
  max time kernel:  93s
  max time network: 98s
  platform:         windows10-2004_x64
  resource:         win10v2004-20241007-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        13-10-2024 14:10
Static task
  static1
Behavioral task
  behavioral1
    Sample:   dropdrop part 2.exe
    Resource: win10v2004-20241007-en
Behavioral task
  behavioral2
    Sample:   dropdrop part 2.exe
    Resource: win11-20241007-en
General
  Target: dropdrop part 2.exe
  Size:   29KB
  MD5:    a442915d156696bfbba8a83de1e57359
  SHA1:   c94294d815c19ad80cb46dcd16b008e47365bdd4
  SHA256: e8121e6e976b91ee3a249446d228654cccfd3d22ccee958bfa583e5c00dc8152
  SHA512: fd05a999e602144d16d54a3e91702220c0f8bfaf737e6735448d69993efae1d95f784878f549a4159e936c7da856adf2bf90f1f48696f952b8fcff33b4ffd1e7
  SSDEEP: 384:5daHArEY71hjWD0nytjRwgVfQaEg6qcldBmMgy2SciHEKPhScLaEFa9TUx6:faHYWDVjKgVf1mngyfFHG+X85Ux
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description        | ioc                                                                                              | Process
  Key value queried  | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | dropdrop part 2.exe

Drops startup file (2 IoCs)
  description                   | ioc                                                                                          | Process
  File created                  | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.bat | dropdrop part 2.exe
  File opened for modification  | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.bat | dropdrop part 2.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (42 IoCs)
  Process WMIC.exe (pid 2572) adjusted the following token privileges; the report lists each of the 21 entries twice:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
  SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
  SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
  SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege,
  33, 34, 35, 36

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        | pid  | Process             | procid_target
  PID 3576 wrote to memory of 516    | 3576 | dropdrop part 2.exe | 87
  PID 3576 wrote to memory of 516    | 3576 | dropdrop part 2.exe | 87
  PID 516 wrote to memory of 2572    | 516  | cmd.exe             | 89
  PID 516 wrote to memory of 2572    | 516  | cmd.exe             | 89
  PID 516 wrote to memory of 4724    | 516  | cmd.exe             | 90
  PID 516 wrote to memory of 4724    | 516  | cmd.exe             | 90
Processes

1. C:\Users\Admin\AppData\Local\Temp\dropdrop part 2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\dropdrop part 2.exe"
   PID: 3576
   - Checks computer location settings
   - Drops startup file
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.bat" "
      PID: 516
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\System32\Wbem\WMIC.exe
         Command line: wmic diskdrive get Model
         PID: 2572
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\system32\findstr.exe
         Command line: findstr /i /c:"QEMU HARDDISK" /c:"WDS100T2B0A" /c:"DADY HARDDISK"
         PID: 4724
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 5.0MB
  MD5:      eb790c439e5d1d22b7c38d882b0ba1e2
  SHA1:     5b8a3513483508fbf0cf87c74fa68ff6b4001f0a
  SHA256:   cc76762d502715085bec639150acb04dc63f24c4b9e060be7b083b141b1990bf
  SHA512:   c62d36ea9980108ae3753d6c35d0b32ae26d07b9feab1749c722c7cfda18c310f0f76c46d0e7b2c1f0be653d6be706cba0146ff0fa4c64ca7494668a94469a17