Overview
Score  Sample               Platform
10     1214e5f9de...98.exe  windows7-x64
6      1214e5f9de...98.exe  windows10-2004-x64
7      236020bb91...f6.exe  windows7-x64
10     236020bb91...f6.exe  windows10-2004-x64
10     25dc70a3de...60.exe  windows7-x64
10     25dc70a3de...60.exe  windows10-2004-x64
10     54de718b63...d9.exe  windows7-x64
1      54de718b63...d9.exe  windows10-2004-x64
3      7ae9504811...a4.exe  windows7-x64
10     7ae9504811...a4.exe  windows10-2004-x64
10     9c2554e79b...a0.exe  windows7-x64
10     9c2554e79b...a0.exe  windows10-2004-x64
10     a568f22004...3b.exe  windows7-x64
10     a568f22004...3b.exe  windows10-2004-x64
8      aefd0c7794...37.exe  windows7-x64
10     aefd0c7794...37.exe  windows10-2004-x64
10     d68b4d6cec...27.exe  windows7-x64
10     d68b4d6cec...27.exe  windows10-2004-x64
Analysis (score 10)

max time kernel:   147s
max time network:  157s
platform:          windows10-2004_x64
resource:          win10v2004-20241007-en
resource tags:     arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted:         08/11/2024, 02:11
Behavioral tasks

Task          Sample                                                                 Resource
behavioral1   1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe  win7-20240903-en
behavioral2   1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe  win10v2004-20241007-en
behavioral3   236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe  win7-20241010-en
behavioral4   236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe  win10v2004-20241007-en
behavioral5   25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe  win7-20240903-en
behavioral6   25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe  win10v2004-20241007-en
behavioral7   54de718b634d2dbddaf2530aa3b1768823dfdd97f5a2782b4131fe369e903dd9.exe  win7-20241023-en
behavioral8   54de718b634d2dbddaf2530aa3b1768823dfdd97f5a2782b4131fe369e903dd9.exe  win10v2004-20241007-en
behavioral9   7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe  win7-20240903-en
behavioral10  7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe  win10v2004-20241007-en
behavioral11  9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe  win7-20240903-en
behavioral12  9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe  win10v2004-20241007-en
behavioral13  a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b.exe  win7-20240903-en
behavioral14  a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b.exe  win10v2004-20241007-en
behavioral15  aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe  win7-20240708-en
behavioral16  aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe  win10v2004-20241007-en
behavioral17  d68b4d6cec032458824abdf3ac6f379f33db2167cb0c399845f4d7735a426827.exe  win7-20240903-en
General

Target:  a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b.exe
Size:    83KB
MD5:     4ed7de390496be3ec2ea7fdb3804282a
SHA1:    2c919d469853fac9a7719f59407b395e8e360a49
SHA256:  a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b
SHA512:  5716a8d9d86f9b1f1ad53f3fca96b5622b83ede56d370edc309a503263ad52b542b29e5d74810aed013e9f2e00b77b8c54d81aa0b43c77bfdf5bc7227251bd86
SSDEEP:  1536:83kml69eWJKrec/tOu6Qes2cI2FDrj7fk1ImNUITeT0MB:80mlketr1/Qu6o2QFkSmN4p
Malware Config
Signatures
Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid   Process
  5008  netsh.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation  a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b.exe

Executes dropped EXE (2 IoCs)
  pid   Process
  2344  Checker.exe
  5016  SA_Checker.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 5 IoCs)
  flow  ioc
  55    2.tcp.ngrok.io
  71    2.tcp.ngrok.io
  16    2.tcp.ngrok.io
  43    2.tcp.ngrok.io
  45    2.tcp.ngrok.io

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description           ioc                                                     Process
  Key opened            \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  netsh.exe
  Key queried           \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  netsh.exe
  Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  netsh.exe

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                       Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Checker.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  netsh.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  SA_Checker.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2344  Checker.exe
  2344  Checker.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  5016  SA_Checker.exe

Suspicious use of AdjustPrivilegeToken (37 IoCs)
  description                        pid   Process
  Token: SeDebugPrivilege            5016  SA_Checker.exe
  Token: 33                          5016  SA_Checker.exe
  Token: SeIncBasePriorityPrivilege  5016  SA_Checker.exe
  (the last two rows alternate 18 times in the report, 37 IoCs in total)

Suspicious use of WriteProcessMemory (12 IoCs)
  description      pid   Process                                                                 procid_target
  PID 1796 wrote to memory of 2344  1796  a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b.exe  86  (x3)
  PID 1796 wrote to memory of 5016  1796  a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b.exe  88  (x3)
  PID 2344 wrote to memory of 1952  2344  Checker.exe                                                             89  (x3)
  PID 5016 wrote to memory of 5008  5016  SA_Checker.exe                                                          90  (x3)
Processes

C:\Users\Admin\AppData\Local\Temp\a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b.exe  (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b.exe"
  PID: 1796
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Checker.exe  (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Checker.exe"
    PID: 2344
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (level 3)
      Command line: C:\Windows\system32\cmd.exe /c pause
      PID: 1952
      - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe  (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe"
    PID: 5016
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe  (level 3)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe" "SA_Checker.exe" ENABLE
      PID: 5008
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

Persistence
  Create or Modify System Process: Windows Service (1)
  Event Triggered Execution: Netsh Helper DLL (1)

Privilege Escalation
  Create or Modify System Process: Windows Service (1)
  Event Triggered Execution: Netsh Helper DLL (1)
Downloads

-
  Filesize:  41KB
  MD5:       970dbe61f878ffef5c98df482a33b93a
  SHA1:      2f8e4f7dd06cc67da661f7a33e6a6f79182bc957
  SHA256:    bda3eaba6bd0015d68a261b9f8afd2431f702524b7a333fca3b3514058aaff48
  SHA512:    f1c9b203e1770e3327217998b4a002a3494e61b8883b2ad4cb6439d3105b65c8cf807d77c029331b678df15dfc89bdff52bd93124b78c67d6f342fc48e2c8621

-
  Filesize:  93KB
  MD5:       88949354d6430e1c6fd4ee0e0d987070
  SHA1:      10d1014f00cd173449f1d3ea2b698a5443688584
  SHA256:    d08373a237b6f58a7b1215926fac0faefcdddbf7967b4226f84cbdb275a261f0
  SHA512:    8a18883b2f89bc87449d9fde1ef835fba2186c494ffa3b2adcded7b86103ddd0154856dd5fa9b2e565b6bedd50b80975a8a07ac56560bc725c84c5d7d90abe29