Analysis
max time kernel: 30s
max time network: 31s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 09/11/2024, 11:02
Static task: static1
Behavioral task: behavioral1
Sample: Full-SystemRank1Shop.exe
Resource: win10ltsc2021-20241023-en
General
Target: Full-SystemRank1Shop.exe
Size: 8.2MB
MD5: 0fb70b93da6b867cd41a8985df87ec88
SHA1: ce980599b55dac7a73fb87d0a2bb9358b2211eef
SHA256: ad8c2c9077bafff7613f5830ade88d4f029024e58e84faeea8b79482b2518c6d
SHA512: 8fbe77fa275fdb5944d3258c2da43c34783e1c27b4ce1323ee263e72fb281aa02b1e18a9917b091c585074af125a6388aa47c2b7fb2a53165a60c6e7bc76d89c
SSDEEP: 196608:wqwMjUIT2O4d4Lid+TIouGKfNTtckpSDr+CNkSG:RXT2JdeiwTIrAaCWn
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation (process: Full-SystemRank1Shop.exe)
- Executes dropped EXE (1 IoC)
  PID 5240: aRuntimeV4.5.3.exe.exe
- Loads dropped DLL (6 IoCs)
  PID 5240: aRuntimeV4.5.3.exe.exe (6 DLL loads recorded)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: aRuntimeV4.5.3.exe.exe)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, PID 5240, aRuntimeV4.5.3.exe.exe
  Token: 33, PID 5276, AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege, PID 5276, AUDIODG.EXE
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4592 (Full-SystemRank1Shop.exe) wrote to memory of PID 5240, procid_target: 82 (recorded 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\Full-SystemRank1Shop.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Full-SystemRank1Shop.exe"
  PID: 4592
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\aRuntimeV4.5.3.exe.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\aRuntimeV4.5.3.exe.exe"
    PID: 5240
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x33c 0x48c
  PID: 5276
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads