Analysis
max time kernel: 121s
max time network: 127s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 02-11-2024 18:19
Static task: static1
Behavioral task: behavioral1
Sample: Client/Client.exe
Resource: win7-20240903-en
General
Target: Client/Client.exe
Size: 59.8MB
MD5: 07185b28ac6e7b8a49d452ededb9a6f8
SHA1: 2390ff463d4cb37799f46081f381fc7a8551a959
SHA256: d30a1b9d067bac02d43e660d0c3924e44fb64becef529a86b9eb0799312d97be
SHA512: 7f8852e4b8db80c22370ee62d49c1e5871551dd7e4a0ab56d5f7e1479ba9dffc1a11e0a92318c139322663f1c9c287ac8e0aecd9e0d758bd4ca8ccb46cb6d937
SSDEEP: 786432:L9T/j0+mSyv3+gc5ibDB28+oFwjvYKM289vy3TOZ34wWIN34:L9T/j1mSyvf28+u289l4u
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid   Process
  2584  powershell.exe
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\Geo\Nation  twdbjgyu.0jc.exe
- Executes dropped EXE (1 IoCs)
  pid   Process
  2360  twdbjgyu.0jc.exe
- Loads dropped DLL (1 IoCs)
  pid   Process
  2664  Client.exe
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Client.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  2584  powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                    pid   Process
  Token: SeDebugPrivilege        2584  powershell.exe
  Token: SeDebugPrivilege        2360  twdbjgyu.0jc.exe
  Token: SeImpersonatePrivilege  2360  twdbjgyu.0jc.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process     procid_target
  PID 2664 wrote to memory of 2584  2664  Client.exe  31
  PID 2664 wrote to memory of 2584  2664  Client.exe  31
  PID 2664 wrote to memory of 2584  2664  Client.exe  31
  PID 2664 wrote to memory of 2584  2664  Client.exe  31
  PID 2664 wrote to memory of 2360  2664  Client.exe  33
  PID 2664 wrote to memory of 2360  2664  Client.exe  33
  PID 2664 wrote to memory of 2360  2664  Client.exe  33
  PID 2664 wrote to memory of 2360  2664  Client.exe  33
Processes
- C:\Users\Admin\AppData\Local\Temp\Client\Client.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client\Client.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2664
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2584
  - C:\Windows\Temp\twdbjgyu.0jc.exe
    Command line: "C:\\Windows\\Temp\twdbjgyu.0jc.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 2360
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.8MB
  MD5: 8e2766a1d5ffabdae6603d9dffc5d4bf
  SHA1: 45f1bedf90db66c5af35e80f93d8d0a6181485a5
  SHA256: 127a36b98ea43a374146a0dd7bef8a0323db12a6a74eff3290d3974a1f077714
  SHA512: adc31e9fe214424f80604383be44b8d9ec9dfd8a5c968dd5b037f0df757e99bb071ceb0019bf98c6b169f7fe328db7fe84a7f1586504fc0e4281830279eb1ecd