Analysis

  • max time kernel
    99s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/11/2024, 01:01

General

  • Target

    74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe

  • Size

    34KB

  • MD5

    40af464f0782f35bbacd8f4b8f5b7440

  • SHA1

    59e421ee5fee9b5185207a7667fbd6301a7d6b0d

  • SHA256

    74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcd

  • SHA512

    3a5978276aa697333d9fad9f17231bab37a862ab6e6308a6b64b36c04d2c30b15d9e3c4af957bb44404edfa6c6c917951583a281b10bf948ba168a31aba975f1

  • SSDEEP

    384:s+fn2s0F7/KVf8+FiiftR2okw6nUlSeCFufxVguHniYcLMR7:sSm7/KB/ZT9lSdKxVgwiYcLMR

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe
    "C:\Users\Admin\AppData\Local\Temp\74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Disables cmd.exe use via registry modification
    • Checks computer location settings
    • Sets desktop wallpaper using registry
    • Suspicious use of WriteProcessMemory
    PID:1952
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C taskkill /F /IM rundll32.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2428
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM rundll32.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3756
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C regsvr32 user32.dll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Windows\system32\regsvr32.exe
        regsvr32 user32.dll
        3⤵
          PID:4812
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C rundll32 user32.dll
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4496
        • C:\Windows\system32\rundll32.exe
          rundll32 user32.dll
          3⤵
            PID:2968
        • C:\Windows\System32\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" user32.dll
          2⤵
            PID:4300
          • C:\Windows\System32\rundll32.exe
            "C:\Windows\System32\rundll32.exe" user32.dll
            2⤵
              PID:2648

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • memory/1952-0-0x00007FFCED675000-0x00007FFCED676000-memory.dmp

                  Filesize

                  4KB

                • memory/1952-1-0x00007FFCED3C0000-0x00007FFCEDD61000-memory.dmp

                  Filesize

                  9.6MB

                • memory/1952-2-0x00007FFCED3C0000-0x00007FFCEDD61000-memory.dmp

                  Filesize

                  9.6MB

                • memory/1952-3-0x00007FFCED675000-0x00007FFCED676000-memory.dmp

                  Filesize

                  4KB

                • memory/1952-4-0x00007FFCED3C0000-0x00007FFCEDD61000-memory.dmp

                  Filesize

                  9.6MB

                • memory/1952-6-0x00007FFCED3C0000-0x00007FFCEDD61000-memory.dmp

                  Filesize

                  9.6MB