5e7b2ee24c0a19ed58248822ca0e65ca40d154f35ff67d704ee209cd52856d76

Analysis

max time kernel
103s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2024 03:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e7b2ee24c0a19ed58248822ca0e65ca40d154f35ff67d704ee209cd52856d76N.exe
Size

276KB
MD5

2721d2dc342221266f426ebd6a4f90d0
SHA1

a35f0e094b0874b8102e88759fdbf615a4acc615
SHA256

5e7b2ee24c0a19ed58248822ca0e65ca40d154f35ff67d704ee209cd52856d76
SHA512

6e877432dd6b4060e7537689b15ccceb1909444a1cd44b6953d00bec94e244f477019d60764bd73d8015992e5985afbeaf1f66b58eb54e9dada5e4c2bc531c81
SSDEEP

6144:esaocyLCJdsc9jO0HqzcRc7vBgEhC3U+zV5Di+L9ymRNF:etobGdtZG6czek8Vo+xyS

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	i5.exe

Executes dropped EXE 2 IoCs

pid	Process
1692	i5.exe
4436	50b892e5-d96c-476b-834e-555c5bc06f2f.exe

Loads dropped DLL 1 IoCs

pid	Process
112	5e7b2ee24c0a19ed58248822ca0e65ca40d154f35ff67d704ee209cd52856d76N.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	i5.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	i5.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	i5.exe
File opened for modification	C:\Windows\assembly	i5.exe
File created	C:\Windows\assembly\Desktop.ini	i5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e7b2ee24c0a19ed58248822ca0e65ca40d154f35ff67d704ee209cd52856d76N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50b892e5-d96c-476b-834e-555c5bc06f2f.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	i5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60168000000010000000000000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	i5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 5c000000010000000400000000080000190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b816800000001000000000000007e000000010000000800000000c0032f2df8d6010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8122000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	i5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4436	50b892e5-d96c-476b-834e-555c5bc06f2f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4436	50b892e5-d96c-476b-834e-555c5bc06f2f.exe
4436	50b892e5-d96c-476b-834e-555c5bc06f2f.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 112 wrote to memory of 1692	112	5e7b2ee24c0a19ed58248822ca0e65ca40d154f35ff67d704ee209cd52856d76N.exe	86
PID 112 wrote to memory of 1692	112	5e7b2ee24c0a19ed58248822ca0e65ca40d154f35ff67d704ee209cd52856d76N.exe	86
PID 112 wrote to memory of 1692	112	5e7b2ee24c0a19ed58248822ca0e65ca40d154f35ff67d704ee209cd52856d76N.exe	86
PID 1692 wrote to memory of 4436	1692	i5.exe	89
PID 1692 wrote to memory of 4436	1692	i5.exe	89
PID 1692 wrote to memory of 4436	1692	i5.exe	89

C:\Users\Admin\AppData\Local\Temp\5e7b2ee24c0a19ed58248822ca0e65ca40d154f35ff67d704ee209cd52856d76N.exe
"C:\Users\Admin\AppData\Local\Temp\5e7b2ee24c0a19ed58248822ca0e65ca40d154f35ff67d704ee209cd52856d76N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:112
- C:\Users\Admin\AppData\Local\Temp\nsk6CB6.tmp\i5.exe
  C:\Users\Admin\AppData\Local\Temp\nsk6CB6.tmp\i5.exe 50b892e5-d96c-476b-834e-555c5bc06f2f.exe /t /dT131970150S /e5758413 /u50b892e5-d96c-476b-834e-555c5bc06f2f
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Users\Admin\AppData\Local\Temp\nsk6CB6.tmp\50b892e5-d96c-476b-834e-555c5bc06f2f.exe
    "C:\Users\Admin\AppData\Local\Temp\nsk6CB6.tmp\50b892e5-d96c-476b-834e-555c5bc06f2f.exe" /t /dT131970150S /e5758413 /u50b892e5-d96c-476b-834e-555c5bc06f2f
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\12236C41CDDF9E40BA5606CDF086B821

Filesize
74KB

MD5
6e686cff09f02fca79da6d9fbee366f1

SHA1
d7d0694603d6ef99050c3ce5e95d27f25b4efe2e

SHA256
f12fbe11b90fdf53a446db5b62e90efaff1aa68e0c3e81e41e8b628211f6fc02

SHA512
41717d36a54df996c838ea8b7aae4faf48096a92fee58e0a41a1e0dba8065a11e38a267a7c59b8a42c89c1cca43d08c320633b41c4fe6e03e40609713f982199

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EDCF682921FE94F4A02A43CD1A28E6B

Filesize
604B

MD5
3a0e39c53630ecfc2720aee27fe32557

SHA1
ce9b2fbd4efce495b07ac98b4cb54b12dd3cf3c0

SHA256
18da8779683e3e688ac75a896d738eb4e958763e153e56cb06432bafd3d6ef38

SHA512
3598a8fa245b68d4ea236355c00c80710105704efb08e889edea0afd79e079224083c0d034e6b2454189bb8057ea9037ae48e0791bc5b6c54a4af90541fda166

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\12236C41CDDF9E40BA5606CDF086B821

Filesize
202B

MD5
3c04f825de16c90e4141b4b4fd74a934

SHA1
8037541b292500cdb29cd09ec617212e345e4458

SHA256
f13df1f7f12ae533ae6827fe18cbd443bf3515ac8a28f796e09545ecafc51159

SHA512
48cf8b13b35421163e6861e65652098ce234628c36fc7e8c4a7fe7015ce307bd3a3fd310dab5dc72edac972121d0b1a33701d153ff0af62dc57b3789188a5485

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EDCF682921FE94F4A02A43CD1A28E6B

Filesize
188B

MD5
9d1f96b62e6cbff1112cb1d348350413

SHA1
c96f53a6245f89e95cf1b2fef59bbc2e5ba1c122

SHA256
87c898e8478d4935a1447c3179d89d5602ec6c9f369225a0289cd7cd496a2285

SHA512
087dc8bf24159f09d79a0f19c6420b76cef2423bf59d53d3d524875044b5ce5527e2fcceb4f645fa706cecbddfebff401b71cad3e2d9e183583de2947d2dd527

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9

Filesize
404B

MD5
bf661738b6b043ae99c4c6643bbfe80e

SHA1
e334d8bcdd24cdde5b627256b03fe92ce4fe309c

SHA256
2e3b81073900dfdeae6681792a3d7ccb4646fd0295d345fad754481b007a49b8

SHA512
734d603399ced4d53c817ff4c1c26f2c556a4d8035d58ecbc1a58b9915751c455c86f06a3fad48bb2957c11e7e27ab6a24061baeb517b2a0c617aff26db553a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk6CB6.tmp\50b892e5-d96c-476b-834e-555c5bc06f2f.exe

Filesize
256KB

MD5
6e68cf541f031c7de9da6ec8d86862aa

SHA1
115f143b5f585a27006159dc1b2d4d23a7af5295

SHA256
d1763b911eebce060a4c479190e83ff5747f5e75f938fb1cb23d5fcaba249e35

SHA512
022af872f2343293a0d71c6cc3ca3f13001ce7ad8e04cf740b75574272cad1dcb40a97a0e860082e7080a69a0367438728f1983317349d5a33ca969c3d877de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk6CB6.tmp\i5.exe

Filesize
214KB

MD5
0b168b79397a1c3d5a181787e27ea323

SHA1
1867e953755169de011fd12009c2f42f300a9d47

SHA256
c681e32d308452ee7c24eeebb335ee86cfe42783db2289ef2caa0d0671b53d5a

SHA512
3b3e2ff7ad58a677cfbd22dec0c294e0b27ec0b81e8e6e20f45ac228c90472318ec0bec15d6689180b73061b94ea750049688ee5ed95a4e1d205eb94e7d0a250

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk6CB6.tmp\nsExec.dll

Filesize
8KB

MD5
249ae678f0dac4c625c6de6aca53823a

SHA1
6ac2b9e90e8445fed4c45c5dbf2d0227cd3b5201

SHA256
7298024a36310b7c4c112be87b61b62a0b1be493e2d5252a19e5e976daf674ce

SHA512
66e4081a40f3191bf28b810cf8411cb3c8c3e3ec5943e18d6672414fb5e7b4364f862cba44c9115c599ac90890ef02a773e254e7c979e930946bc52b0693aad7

Download Submit
memory/112-63-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1692-54-0x0000000074122000-0x0000000074123000-memory.dmp

Filesize
4KB

Download
memory/1692-11-0x0000000074120000-0x00000000746D1000-memory.dmp

Filesize
5.7MB

Download
memory/1692-10-0x0000000074120000-0x00000000746D1000-memory.dmp

Filesize
5.7MB

Download
memory/1692-9-0x0000000074122000-0x0000000074123000-memory.dmp

Filesize
4KB

Download
memory/1692-59-0x0000000074120000-0x00000000746D1000-memory.dmp

Filesize
5.7MB

Download
memory/1692-55-0x0000000074120000-0x00000000746D1000-memory.dmp

Filesize
5.7MB

Download
memory/4436-50-0x0000000074120000-0x00000000746D1000-memory.dmp

Filesize
5.7MB

Download
memory/4436-53-0x0000000074120000-0x00000000746D1000-memory.dmp

Filesize
5.7MB

Download
memory/4436-52-0x0000000074120000-0x00000000746D1000-memory.dmp

Filesize
5.7MB

Download
memory/4436-57-0x0000000074120000-0x00000000746D1000-memory.dmp

Filesize
5.7MB

Download
memory/4436-51-0x0000000074120000-0x00000000746D1000-memory.dmp

Filesize
5.7MB

Download
memory/4436-43-0x0000000074120000-0x00000000746D1000-memory.dmp

Filesize
5.7MB

Download