Analysis
max time kernel: 150s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/10/2024, 04:01

Static task: static1
Behavioral task: behavioral1
  Sample: e2e80b0741c2d200a8225fe4fa63baf39f32316ddf709822b3dfd4cf3e411c7d.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: e2e80b0741c2d200a8225fe4fa63baf39f32316ddf709822b3dfd4cf3e411c7d.exe
  Resource: win10v2004-20241007-en
General
Target: e2e80b0741c2d200a8225fe4fa63baf39f32316ddf709822b3dfd4cf3e411c7d.exe
Size: 88KB
MD5: 3354ada9a255b76ec79474e6f3ccd42f
SHA1: 85a9fcc5b96b71868e84541dca479347ad1efe30
SHA256: e2e80b0741c2d200a8225fe4fa63baf39f32316ddf709822b3dfd4cf3e411c7d
SHA512: 0c572608d58e9496b656f3988e92c445ea70bc0c15880d4b421348b399361829ae79bacf7d38b860cea4d9f55d8d59a1d83c65b9e5182c618f2ac3b3e67e206f
SSDEEP: 1536:ahUDofByDJWbMGcEFLPEPKOJUsy1+VMA:aIofBHbKMP0PvMA
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
- Key value queried: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation (e2e80b0741c2d200a8225fe4fa63baf39f32316ddf709822b3dfd4cf3e411c7d.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation (explorer.exe)
Executes dropped EXE (4 IoCs)
- PID 4544 explorer.exe
- PID 3020 explorer.exe
- PID 4632 explorer.exe
- PID 1228 explorer.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Video Driver = "C:\\Users\\Admin\\AppData\\Roaming\\config\\explorer.exe" (reg.exe)
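The persistence recorded above is a textbook masquerade: a binary named explorer.exe, which normally lives under C:\Windows, is planted in %APPDATA%\config and registered in the per-user Run key under a value name ("Video Driver") that suggests a system component. The Python below is an added example, not part of this report or of the sandbox's own tooling, that scores Run-key entries for exactly those traits. The entries are constructed here from the reg.exe command in this report plus two benign-looking decoys, and the lists of system binary names and trusted directories are illustrative assumptions rather than a vetted allowlist.

```python
"""Triage HKCU Run entries for masquerading autostarts.

Added example for the 'Adds Run key to start application' signature. The
entries are constructed from this report (the 'Video Driver' value written
by reg.exe) plus two decoys and are scored offline rather than read live
from the registry, so this runs anywhere Python does.
"""
import ntpath
import re

# Names of Windows system binaries. A legitimate autorun never launches one
# of these from a user-writable directory. Illustrative list, not exhaustive.
SYSTEM_BINARY_NAMES = {
    "explorer.exe", "svchost.exe", "csrss.exe", "lsass.exe",
    "winlogon.exe", "services.exe", "rundll32.exe",
}
# Directory prefixes a system binary may legitimately be launched from (assumed).
TRUSTED_DIR_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Path fragments marking locations any user process can write to (assumed).
USER_WRITABLE_FRAGMENTS = ("\\appdata\\roaming\\", "\\appdata\\local\\",
                           "\\users\\public\\", "\\programdata\\", "\\temp\\")


def extract_image_path(command: str) -> str:
    """Return the executable path from a Run value.

    Handles a quoted path followed by arguments and a bare path. A bare path
    containing spaces is cut at the first '.exe' followed by whitespace or the
    end of the string; real tooling would confirm that against the file system.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def assess_run_entry(name: str, command: str) -> dict:
    """Score one Run value; each independent reason adds one point."""
    path = extract_image_path(command)
    lower = path.lower()
    base = ntpath.basename(lower)
    reasons = []
    if base in SYSTEM_BINARY_NAMES and not lower.startswith(TRUSTED_DIR_PREFIXES):
        reasons.append(f"system binary name '{base}' outside a trusted directory")
    if any(frag in lower for frag in USER_WRITABLE_FRAGMENTS):
        reasons.append("image lives in a user-writable directory")
    # A value name suggesting a driver/service/updater under a per-user Run key
    # only counts once the path itself is already suspect.
    if reasons and re.search(r"\b(driver|service|update)\b", name, re.IGNORECASE):
        reasons.append(f"value name '{name}' imitates a system component")
    return {"name": name, "path": path, "score": len(reasons), "reasons": reasons}


def triage(entries: dict, threshold: int = 2) -> list:
    """Return entries scoring at or above threshold, highest score first."""
    scored = [assess_run_entry(n, c) for n, c in entries.items()]
    return sorted((r for r in scored if r["score"] >= threshold),
                  key=lambda r: r["score"], reverse=True)


# Constructed input: the value reg.exe wrote in this report, plus two decoys.
RUN_ENTRIES = {
    "Video Driver": r"C:\Users\Admin\AppData\Roaming\config\explorer.exe",
    "OneDrive": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
}

if __name__ == "__main__":
    for hit in triage(RUN_ENTRIES):
        print(f"{hit['name']}: {hit['path']} (score {hit['score']})")
        for reason in hit["reasons"]:
            print("   -", reason)
```

Running the module flags only "Video Driver" (score 3); the OneDrive decoy scores 1 for living under AppData and stays below the threshold, which is the point of requiring two independent signals rather than alerting on every user-profile autorun.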
Suspicious use of SetThreadContext (4 IoCs)
- PID 3388 set thread context of 1448 (e2e80b0741c2d200a8225fe4fa63baf39f32316ddf709822b3dfd4cf3e411c7d.exe; procid_target 87)
- PID 4544 set thread context of 3020 (explorer.exe; procid_target 93)
- PID 4544 set thread context of 4632 (explorer.exe; procid_target 94)
- PID 4632 set thread context of 1228 (explorer.exe; procid_target 95)
YARA rule match: upx (6 memory dumps)
- behavioral2/memory/1448-13-0x0000000000400000-0x000000000040B000-memory.dmp
- behavioral2/memory/1448-15-0x0000000000400000-0x000000000040B000-memory.dmp
- behavioral2/memory/1448-17-0x0000000000400000-0x000000000040B000-memory.dmp
- behavioral2/memory/1448-57-0x0000000000400000-0x000000000040B000-memory.dmp
- behavioral2/memory/1448-61-0x0000000000400000-0x000000000040B000-memory.dmp
- behavioral2/memory/3020-92-0x0000000000400000-0x000000000040B000-memory.dmp
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (explorer.exe, 4 times)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e2e80b0741c2d200a8225fe4fa63baf39f32316ddf709822b3dfd4cf3e411c7d.exe, 2 times)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (reg.exe)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Token: SeDebugPrivilege, PID 3020 explorer.exe (64 identical entries)
Suspicious use of SetWindowsHookEx (4 IoCs)
- PID 3388 e2e80b0741c2d200a8225fe4fa63baf39f32316ddf709822b3dfd4cf3e411c7d.exe
- PID 1448 e2e80b0741c2d200a8225fe4fa63baf39f32316ddf709822b3dfd4cf3e411c7d.exe
- PID 4544 explorer.exe
- PID 3020 explorer.exe
Suspicious use of WriteProcessMemory (39 IoCs)
Identical rows are collapsed; the repeat count follows each row.
- PID 3388 wrote to memory of 1448 (e2e80b0741c2d200a8225fe4fa63baf39f32316ddf709822b3dfd4cf3e411c7d.exe; procid_target 87) x8
- PID 1448 wrote to memory of 5024 (e2e80b0741c2d200a8225fe4fa63baf39f32316ddf709822b3dfd4cf3e411c7d.exe; procid_target 88) x3
- PID 5024 wrote to memory of 4212 (cmd.exe; procid_target 91) x3
- PID 1448 wrote to memory of 4544 (e2e80b0741c2d200a8225fe4fa63baf39f32316ddf709822b3dfd4cf3e411c7d.exe; procid_target 92) x3
- PID 4544 wrote to memory of 3020 (explorer.exe; procid_target 93) x8
- PID 4544 wrote to memory of 4632 (explorer.exe; procid_target 94) x7
- PID 4632 wrote to memory of 1228 (explorer.exe; procid_target 95) x7
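The SetThreadContext and WriteProcessMemory tables above read together: every PID that received a SetThreadContext call (1448, 3020, 4632, 1228) also received a burst of WriteProcessMemory calls from the same parent, and in each case parent and child run the same image. The writes alone are not the signal: cmd.exe, reg.exe and the first explorer.exe each received three writes from their parent with no thread-context change. The Python below is an added example, not from this report or the sandbox, that encodes that distinction: it replays the two tables as constructed events and separates hollowing pairs from ordinary child creation. The PIDs, counts and PID-to-image mapping are taken from this page; the Event class and function names are this example's own.

```python
"""Separate process hollowing from ordinary child creation in sandbox events.

Added example for the 'Suspicious use of SetThreadContext' and 'Suspicious
use of WriteProcessMemory' signatures. The event list is constructed from
the rows of those two tables (same PIDs, same counts); it is not parsed from
the sandbox's export format.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    api: str   # "WriteProcessMemory" or "SetThreadContext"
    src: int   # PID making the call
    dst: int   # PID whose memory or thread is touched


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\e2e80b0741c2d200a8225fe4fa63baf39f32316ddf709822b3dfd4cf3e411c7d.exe")
DROPPED = r"C:\Users\Admin\AppData\Roaming\config\explorer.exe"

# PID -> image path, taken from the process tree in this report.
IMAGES = {
    3388: SAMPLE, 1448: SAMPLE,
    5024: r"C:\Windows\SysWOW64\cmd.exe",
    4212: r"C:\Windows\SysWOW64\reg.exe",
    4544: DROPPED, 3020: DROPPED, 4632: DROPPED, 1228: DROPPED,
}


def _writes(src, dst, n):
    return [Event("WriteProcessMemory", src, dst)] * n


# Constructed from the two signature tables: 39 writes and 4 context changes.
EVENTS = (
    _writes(3388, 1448, 8) + _writes(1448, 5024, 3) + _writes(5024, 4212, 3)
    + _writes(1448, 4544, 3) + _writes(4544, 3020, 8) + _writes(4544, 4632, 7)
    + _writes(4632, 1228, 7)
    + [Event("SetThreadContext", 3388, 1448), Event("SetThreadContext", 4544, 3020),
       Event("SetThreadContext", 4544, 4632), Event("SetThreadContext", 4632, 1228)]
)


def hollowing_pairs(events):
    """(src, dst) pairs where src both wrote into dst and replaced a thread
    context in dst. Either call alone is weak evidence: a parent touches a
    child it just created, and debuggers set thread contexts. Together they
    are the RunPE/hollowing shape: write the payload, point the thread at it."""
    writes = Counter((e.src, e.dst) for e in events if e.api == "WriteProcessMemory")
    ctx = {(e.src, e.dst) for e in events if e.api == "SetThreadContext"}
    return sorted(pair for pair in ctx if writes[pair] > 0)


def write_only_pairs(events):
    """Cross-process writes with no SetThreadContext. In this report those are
    the spawns of cmd.exe, reg.exe and the first explorer.exe, where nothing
    else in the tables suggests injection."""
    writes = {(e.src, e.dst) for e in events if e.api == "WriteProcessMemory"}
    ctx = {(e.src, e.dst) for e in events if e.api == "SetThreadContext"}
    return sorted(writes - ctx)


def self_hollowing(pairs, images):
    """Subset where the hollowed child runs the writer's own image: a loader
    re-launching itself suspended and overwriting the copy."""
    return [(s, d) for s, d in pairs if images[s].lower() == images[d].lower()]


def hollow_chain(pairs, root):
    """Follow hollowing edges from root, breadth first: the PIDs whose memory
    was replaced downstream of root."""
    chain, frontier = [], [root]
    while frontier:
        cur = frontier.pop(0)
        for s, d in pairs:
            if s == cur and d not in chain:
                chain.append(d)
                frontier.append(d)
    return chain


if __name__ == "__main__":
    pairs = hollowing_pairs(EVENTS)
    print("hollowing:", pairs)
    print("same-image hollowing:", self_hollowing(pairs, IMAGES))
    print("plain child creation:", write_only_pairs(EVENTS))
    print("hollowed from 4544:", hollow_chain(pairs, 4544))
```

On this report's events the hollowing pairs are (3388, 1448), (4544, 3020), (4544, 4632) and (4632, 1228), all same-image, while the three write-only pairs are the launches of cmd.exe, reg.exe and the dropped explorer.exe. The chain from 4544 is 3020, 4632 and then 1228, which matches the order of the SetThreadContext rows; note that the UPX-flagged memory dumps above belong to PIDs 1448 and 3020, both of which appear here as hollowing targets.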
Processes
C:\Users\Admin\AppData\Local\Temp\e2e80b0741c2d200a8225fe4fa63baf39f32316ddf709822b3dfd4cf3e411c7d.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e2e80b0741c2d200a8225fe4fa63baf39f32316ddf709822b3dfd4cf3e411c7d.exe"
  PID: 3388
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\e2e80b0741c2d200a8225fe4fa63baf39f32316ddf709822b3dfd4cf3e411c7d.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\e2e80b0741c2d200a8225fe4fa63baf39f32316ddf709822b3dfd4cf3e411c7d.exe"
    PID: 1448
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TUGMT.bat" "
      PID: 5024
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe (level 4)
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Video Driver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\config\explorer.exe" /f
        PID: 4212
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Roaming\config\explorer.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
      PID: 4544
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\config\explorer.exe (level 4)
        Command line: "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
        PID: 3020
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

      C:\Users\Admin\AppData\Roaming\config\explorer.exe (level 4)
        Command line: "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
        PID: 4632
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\config\explorer.exe (level 5)
          Command line: "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
          PID: 1228
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 294B
MD5: 9bc6670ed8778d28e792cc0279bb7f78
SHA1: 8a81490af6f1f605724f25e8053eedc1ffe2ec3b
SHA256: 1b7e22850bfbfdf60a4b2bea5beb76845918141c3d366d08ecaa17d3392957ae
SHA512: 7892bd64c576540ff9fdfdbac05afa36765798f3e8403e5271b96026f72e44c053fc2561d0a838f9f43421c4b6db2dd0ac075c15a3af76bc2f867e9c365ac5e0

Filesize: 149B
MD5: fc1798b7c7938454220fda837a76f354
SHA1: b232912930b2bc24ff18bf7ecd58f872bbe01ea0
SHA256: 7f0a5917b5aca9c5beb153aad0ef95bf0aeafb83768da5b086c3f029ba42d7c8
SHA512: d1abdd45a8e5d33893b9d19424174a07feed145d2e6b4be318ab5fde503f850579a4a101a010f30e16ecde2c7123f45357a8341214655321ee0f0097ca911331

Filesize: 88KB
MD5: 85dc557b37a02788eb24aec8bf1abaa2
SHA1: b622e2eada0111d09375e97177990c86ed50e1e2
SHA256: 5f577e536824561fe1e59c6fdd27731d35a35c6ab923bb6e3585c4549f487fe3
SHA512: 10edd56a6906fcf48c7e0de2e5881f05debe528da775cb24b2f69679848ea509f572ae2b2f2749a79e93607be863e83bab84e1095a04d95d8aaad8378bc1fc38