Analysis
max time kernel: 119s
max time network: 100s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 20:58
Static task: static1
Behavioral task: behavioral1
Sample: 3ccb0991d432d131459fa814c1e9b20435e187b440abb82227434073cd148ff6N.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 3ccb0991d432d131459fa814c1e9b20435e187b440abb82227434073cd148ff6N.exe
Resource: win10v2004-20241007-en
General
Target: 3ccb0991d432d131459fa814c1e9b20435e187b440abb82227434073cd148ff6N.exe
Size: 116KB
MD5: 6e183629c2bd4a87ca1a6e3af04f6710
SHA1: 43746b80ddb45db4c4aadb4b848d39c0271519c9
SHA256: 3ccb0991d432d131459fa814c1e9b20435e187b440abb82227434073cd148ff6
SHA512: 978da7c1b51bece810018f999fb90e0a8174c96c6c66c7d611eb627228bca1e3ce7fc45d94c644da3565d857131d4734af0cbd4cb572ae69050971de60288f8f
SSDEEP: 768:66eHIMgPRVUUC151Npquv3RnFKE7pGnbcuyD7UTTE:6Fo5U5bLpXRkPnouy8k
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | 3ccb0991d432d131459fa814c1e9b20435e187b440abb82227434073cd148ff6N.exe

Executes dropped EXE (1 IoC)
pid | Process
2428 | trys.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ineter Mc = "C:\\Users\\Admin\\AppData\\Roaming\\trys.exe" | reg.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3ccb0991d432d131459fa814c1e9b20435e187b440abb82227434073cd148ff6N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | trys.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2428 | trys.exe (64 identical records)

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
4152 | 3ccb0991d432d131459fa814c1e9b20435e187b440abb82227434073cd148ff6N.exe
2428 | trys.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 4152 wrote to memory of 2796 | 4152 | 3ccb0991d432d131459fa814c1e9b20435e187b440abb82227434073cd148ff6N.exe | 87
PID 4152 wrote to memory of 2796 | 4152 | 3ccb0991d432d131459fa814c1e9b20435e187b440abb82227434073cd148ff6N.exe | 87
PID 4152 wrote to memory of 2796 | 4152 | 3ccb0991d432d131459fa814c1e9b20435e187b440abb82227434073cd148ff6N.exe | 87
PID 2796 wrote to memory of 3612 | 2796 | cmd.exe | 90
PID 2796 wrote to memory of 3612 | 2796 | cmd.exe | 90
PID 2796 wrote to memory of 3612 | 2796 | cmd.exe | 90
PID 4152 wrote to memory of 2428 | 4152 | 3ccb0991d432d131459fa814c1e9b20435e187b440abb82227434073cd148ff6N.exe | 91
PID 4152 wrote to memory of 2428 | 4152 | 3ccb0991d432d131459fa814c1e9b20435e187b440abb82227434073cd148ff6N.exe | 91
PID 4152 wrote to memory of 2428 | 4152 | 3ccb0991d432d131459fa814c1e9b20435e187b440abb82227434073cd148ff6N.exe | 91
Processes
C:\Users\Admin\AppData\Local\Temp\3ccb0991d432d131459fa814c1e9b20435e187b440abb82227434073cd148ff6N.exe (depth 1, PID 4152)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3ccb0991d432d131459fa814c1e9b20435e187b440abb82227434073cd148ff6N.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2796)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IKXAX.bat" "
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 3612)
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Ineter Mc" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\trys.exe" /f
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
  C:\Users\Admin\AppData\Roaming\trys.exe (depth 2, PID 2428)
    Command line: "C:\Users\Admin\AppData\Roaming\trys.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 135B
MD5: 6dbb2090ff90500da05a027765cde190
SHA1: 425b833d9d1df8d6df6e5a59f738058808271949
SHA256: 71ca0761f7187f2164f62b23d5d9d2dcfd28d9ab9a8dfc14796c3ac06db03881
SHA512: 7e4679e04bd5a69c026949a0d2760a630bc02249a04f3bd224dee41d1bf10f0a29e45812a67c583327a63e5401f0ff2aa9a3f4df8233b150943052c97e861ab3

Filesize: 116KB
MD5: 3b24d2561834d0649f518ef677aabeb5
SHA1: 0a7fe82104165e31118a30378d638b9a53081576
SHA256: 672c0f989af85bfb8bf7f8b80a6163da26bea0e08bbcc365bb1278c5e5e635af
SHA512: 6cfae755d28f1c0c65ec27ec14a051fb2d16439677b99ad1722818f107faea13191761f52d19e06ad0b406c99074026c2753b5532092bc801603f25edde57c81