Analysis
Max time kernel: 118s
Max time network: 95s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 12/11/2024, 13:53
Static task: static1
Behavioral task: behavioral1
  Sample: ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe
  Resource: win10v2004-20241007-en
General
Target: ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe
Size: 665KB
MD5: 4c0c38e7fad334322adc74c33eb50ac0
SHA1: d0706bfa6dab31f79f7cbe6265569e8b1184dbdb
SHA256: ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0
SHA512: 5542d4f78b1af871ab097fc2caeaeb84fb82064a73e7da94cb9d613a10e1442c924358c15f5b5fd6128eba75312096c3a66170ff087bfadaa5c9d46013e60523
SSDEEP: 12288:3Z8nkF9oy1ADvMKdhAS0jjLz7hoo3RpEcvALALdt/xBot/FcEic/3IWVscSfVo8o:3Z8nkF9oySiLz72ooSru/so3V9xmFXA
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\service.exe" | service.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe
Executes dropped EXE (2 IoCs)
pid | Process
3104 | service.exe
3732 | service.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Service Application = "C:\\Windows\\service.exe" | service.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 4932 set thread context of 1884 | 4932 | ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe | 83
PID 3104 set thread context of 3732 | 3104 | service.exe | 94
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\service.exe | ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe
File opened for modification | C:\Windows\service.exe | ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe
File created | C:\Windows\service.exe | service.exe
File opened for modification | C:\Windows\service.exe | service.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | service.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | service.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | service.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | service.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe
Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe
Suspicious use of WriteProcessMemory (20 IoCs; identical rows collapsed with an occurrence count)
description | pid | Process | procid_target | occurrences
PID 4932 wrote to memory of 1884 | 4932 | ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe | 83 | 7
PID 1884 wrote to memory of 4332 | 1884 | ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe | 91 | 3
PID 1884 wrote to memory of 3104 | 1884 | ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe | 93 | 3
PID 3104 wrote to memory of 3732 | 3104 | service.exe | 94 | 7
Processes

C:\Users\Admin\AppData\Local\Temp\ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe (PID 4932, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe (PID 1884, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe"
    - Checks computer location settings
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 4332, depth 3)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\remove30108.bat" "
      - System Location Discovery: System Language Discovery

    C:\Windows\service.exe (PID 3104, depth 3)
      Command line: "C:\Windows\service.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\service.exe (PID 3732, depth 4)
        Command line: "C:\Windows\service.exe"
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Downloads

File 1
Filesize: 269B
MD5: 6c6503303985b1ff09b979223e9b682c
SHA1: 1172ca8d6ced99fe023e0de563e8ac36608e197d
SHA256: 85d657a903ab6a6b8d226e273ba311b0c58074a7d3b01a0d402dfbf5910c9a43
SHA512: 1d9ffffe6ac051b85852190228e687351dd275d1f0e0478826735699992646ee2b6f7bb79c0712ea274e68fe3606c8af14dfd292421c9c2fbbc68b03398fdad3

File 2
Filesize: 51B
MD5: cac6c9c44b7ba77569037004849f4d6d
SHA1: 6bdf754cf0bb144e17ffd703663e4c5801598317
SHA256: 745528a15bf44f5504e5a1a27a5397e70dd6b1790093928f730a181e74776835
SHA512: a38711de27f0ca7a3f0673f3fdc16e1aa20e7828b7db16041d6307e7c68f3ef78ee3e007754f98a4ff113f99ec1b32ffece6e16a7dfdae3e1a287e009b9fa114

File 3
Filesize: 668KB
MD5: 6e3a65fc1cde08d4b32b9a5ffb493c4d
SHA1: a984cc254aae4ab91f3156c2ce3a6654c9c8a715
SHA256: 4422e3f6805d73d8d0460489f46a52c630ab9856f1693e79b0c0980d9b86e62e
SHA512: 5b89506ae0c1eb2d683b9c5033ba6aff379e5a83dd4f695fc0490f9e7314dafa9c344a5b1ddec95588111c397a4aef3a52ba253aa928e9af556b612f7f14f8fc