Analysis
max time kernel: 99s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/11/2024, 01:01
Static task: static1
Behavioral task: behavioral1
  Sample: 74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe
  Resource: win10v2004-20241007-en
General
Target: 74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe
Size: 34KB
MD5: 40af464f0782f35bbacd8f4b8f5b7440
SHA1: 59e421ee5fee9b5185207a7667fbd6301a7d6b0d
SHA256: 74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcd
SHA512: 3a5978276aa697333d9fad9f17231bab37a862ab6e6308a6b64b36c04d2c30b15d9e3c4af957bb44404edfa6c6c917951583a281b10bf948ba168a31aba975f1
SSDEEP: 384:s+fn2s0F7/KVf8+FiiftR2okw6nUlSeCFufxVguHniYcLMR7:sSm7/KB/ZT9lSdKxVgwiYcLMR
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: 74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty"
Disables Task Manager via registry modification
Disables cmd.exe use via registry modification (1 IoC)
  Process: 74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process: 74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Process: 74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\Wallpaper
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Kills process with taskkill (1 IoC)
  PID 3756: taskkill.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 3756 (taskkill.exe): Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 1952 wrote to memory of 2428 | 1952 | 74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe | 94
  PID 1952 wrote to memory of 2428 | 1952 | 74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe | 94
  PID 1952 wrote to memory of 2072 | 1952 | 74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe | 96
  PID 1952 wrote to memory of 2072 | 1952 | 74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe | 96
  PID 1952 wrote to memory of 4496 | 1952 | 74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe | 98
  PID 1952 wrote to memory of 4496 | 1952 | 74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe | 98
  PID 1952 wrote to memory of 4300 | 1952 | 74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe | 100
  PID 1952 wrote to memory of 4300 | 1952 | 74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe | 100
  PID 1952 wrote to memory of 2648 | 1952 | 74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe | 101
  PID 1952 wrote to memory of 2648 | 1952 | 74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe | 101
  PID 2428 wrote to memory of 3756 | 2428 | cmd.exe | 102
  PID 2428 wrote to memory of 3756 | 2428 | cmd.exe | 102
  PID 2072 wrote to memory of 4812 | 2072 | cmd.exe | 103
  PID 2072 wrote to memory of 4812 | 2072 | cmd.exe | 103
  PID 4496 wrote to memory of 2968 | 4496 | cmd.exe | 104
  PID 4496 wrote to memory of 2968 | 4496 | cmd.exe | 104
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\74bd6ba5807d3181a8608f30ec3b27d050510e3a39a41cdf20bdfa03b147efcdN.exe"
  PID: 1952
  - Modifies WinLogon for persistence
  - Disables cmd.exe use via registry modification
  - Checks computer location settings
  - Sets desktop wallpaper using registry
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C taskkill /F /IM rundll32.exe
    PID: 2428
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\system32\taskkill.exe
      Command line: taskkill /F /IM rundll32.exe
      PID: 3756
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  (depth 2) C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C regsvr32 user32.dll
    PID: 2072
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\system32\regsvr32.exe
      Command line: regsvr32 user32.dll
      PID: 4812
  (depth 2) C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C rundll32 user32.dll
    PID: 4496
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\system32\rundll32.exe
      Command line: rundll32 user32.dll
      PID: 2968
  (depth 2) C:\Windows\System32\regsvr32.exe
    Command line: "C:\Windows\System32\regsvr32.exe" user32.dll
    PID: 4300
  (depth 2) C:\Windows\System32\rundll32.exe
    Command line: "C:\Windows\System32\rundll32.exe" user32.dll
    PID: 2648