Analysis
max time kernel: 120s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 15:34
Static task: static1
Behavioral task: behavioral1
  Sample: 2ddb90ba6fcd210c02903afbb47630523d4661d4b0069bfd3386abfbef34e628N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2ddb90ba6fcd210c02903afbb47630523d4661d4b0069bfd3386abfbef34e628N.exe
  Resource: win10v2004-20241007-en
General
Target: 2ddb90ba6fcd210c02903afbb47630523d4661d4b0069bfd3386abfbef34e628N.exe
Size: 524KB
MD5: 088da2d6bac46c6d2df6c6c29e28b170
SHA1: a7ce89dc0265d52ba26727ceed4a9102511d7e0d
SHA256: 2ddb90ba6fcd210c02903afbb47630523d4661d4b0069bfd3386abfbef34e628
SHA512: f813d4e4e46233b4edccf41c1a891b82059251d59b7341ced80bd623bc4f53d6f4057eb3436bbdf12e67c210c77a1efa0ac73f0f3216510abbc6ca8afe2a67ad
SSDEEP: 12288:LLS65eo7WOcg3kXaD5Ny6+KW78FCjIwQpe:LLS65eKWOpkXaLy6OECXQpe
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation
  Process: 2ddb90ba6fcd210c02903afbb47630523d4661d4b0069bfd3386abfbef34e628N.exe
Executes dropped EXE (2 IoCs)
  PID 4848: WindowsService.exe
  PID 3664: WindowsService.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsService = "C:\\Users\\Admin\\AppData\\Roaming\\SystemWindowsWindowsService\\WindowsService.exe"
  Process: reg.exe
Suspicious use of SetThreadContext (3 IoCs)
  PID 4996 set thread context of 2400 (process 2ddb90ba6fcd210c02903afbb47630523d4661d4b0069bfd3386abfbef34e628N.exe, procid_target 93)
  PID 4848 set thread context of 3664 (process WindowsService.exe, procid_target 104)
  PID 4848 set thread context of 0 (process WindowsService.exe)
Yara rule matches (rule: upx, 6 resources)
  behavioral2/memory/2400-3-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral2/memory/2400-5-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral2/memory/2400-7-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral2/memory/2400-33-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral2/memory/2400-43-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral2/memory/3664-46-0x0000000000400000-0x000000000040B000-memory.dmp
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process WindowsService.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process 2ddb90ba6fcd210c02903afbb47630523d4661d4b0069bfd3386abfbef34e628N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process 2ddb90ba6fcd210c02903afbb47630523d4661d4b0069bfd3386abfbef34e628N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process cmd.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process reg.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process WindowsService.exe)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeDebugPrivilege, PID 3664, process WindowsService.exe (this identical entry is recorded 64 times in the report; the duplicates are collapsed here)
Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 4996: 2ddb90ba6fcd210c02903afbb47630523d4661d4b0069bfd3386abfbef34e628N.exe
  PID 2400: 2ddb90ba6fcd210c02903afbb47630523d4661d4b0069bfd3386abfbef34e628N.exe
  PID 4848: WindowsService.exe
  PID 3664: WindowsService.exe
Suspicious use of WriteProcessMemory (25 IoCs; identical entries collapsed with their counts)
  PID 4996 wrote to memory of 2400 (process 2ddb90ba6fcd210c02903afbb47630523d4661d4b0069bfd3386abfbef34e628N.exe, procid_target 93), recorded 8 times
  PID 2400 wrote to memory of 2632 (process 2ddb90ba6fcd210c02903afbb47630523d4661d4b0069bfd3386abfbef34e628N.exe, procid_target 98), recorded 3 times
  PID 2632 wrote to memory of 2512 (process cmd.exe, procid_target 102), recorded 3 times
  PID 2400 wrote to memory of 4848 (process 2ddb90ba6fcd210c02903afbb47630523d4661d4b0069bfd3386abfbef34e628N.exe, procid_target 103), recorded 3 times
  PID 4848 wrote to memory of 3664 (process WindowsService.exe, procid_target 104), recorded 8 times
Processes
Process: C:\Users\Admin\AppData\Local\Temp\2ddb90ba6fcd210c02903afbb47630523d4661d4b0069bfd3386abfbef34e628N.exe [PID 4996]
  Command line: "C:\Users\Admin\AppData\Local\Temp\2ddb90ba6fcd210c02903afbb47630523d4661d4b0069bfd3386abfbef34e628N.exe"
  Signatures:
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Process: C:\Users\Admin\AppData\Local\Temp\2ddb90ba6fcd210c02903afbb47630523d4661d4b0069bfd3386abfbef34e628N.exe [PID 2400]
    Command line: "C:\Users\Admin\AppData\Local\Temp\2ddb90ba6fcd210c02903afbb47630523d4661d4b0069bfd3386abfbef34e628N.exe"
    Signatures:
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Process: C:\Windows\SysWOW64\cmd.exe [PID 2632]
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QGCYX.bat" "
      Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      Process: C:\Windows\SysWOW64\reg.exe [PID 2512]
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsService" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SystemWindowsWindowsService\WindowsService.exe" /f
        Signatures:
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
    Process: C:\Users\Admin\AppData\Roaming\SystemWindowsWindowsService\WindowsService.exe [PID 4848]
      Command line: "C:\Users\Admin\AppData\Roaming\SystemWindowsWindowsService\WindowsService.exe"
      Signatures:
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      Process: C:\Users\Admin\AppData\Roaming\SystemWindowsWindowsService\WindowsService.exe [PID 3664]
        Command line: "C:\Users\Admin\AppData\Roaming\SystemWindowsWindowsService\WindowsService.exe"
        Signatures:
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 178B
  MD5: c2cc427c87f0a6e231266dbb4d5b6ac5
  SHA1: e0849fc705f915d218b2dc2f744bb24157022355
  SHA256: 1b985a6f00b15b5eb13fd2b9c79f163e2c3ed1b8d4133e08f213dc6dc7850999
  SHA512: be4d6b172b0c92d1ffa33b30c642db3ccbda637af92234853918ef5e3c6c40121ec10c42557c96ddbc234d0d539c47c6c5adc8bf4c77e9daf8204661215a8e37
- Filesize: 524KB
  MD5: c8f84f6b33d1369e8a7060d4077abf86
  SHA1: f78aa729e5f5da2f804f9b233119f8d35fde11a1
  SHA256: 100ec2156964292c7d67bd47520ce2b3eda5f351bc685831dca8f765c97a1324
  SHA512: 342f01ee58f841ea9a38050ed4be45be6dcba861396bbdf98acd1dce90c1882c5c309d228128ae7922da55a91a5ac34743410f660a63c07bff50341d9771cd8f