Analysis
max time kernel: 119s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/11/2024, 14:10

Static task: static1
Behavioral task: behavioral1
  Sample: e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe
  Resource: win10v2004-20241007-en
General
Target: e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe
Size: 88KB
MD5: 90d50b75294418d1771bcb4e50700996
SHA1: d0eaf4a52fe497966adeca2a02cef5decdc9c8a6
SHA256: e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3
SHA512: a029d156445fd56222cd31fa002207bcce59fdb78e8ff9002c7fdf49a6284f2426f561739aaa3dd7cad6bb5d8625bd8379b78929632d7a16a6dbc3cd433c03c0
SSDEEP: 1536:ahUDofByDJWbMGcEFLPEPKOJUsy1+VMAO:aIofBHbKMP0PvMAO
Malware Config
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | explorer.exe
Executes dropped EXE (4 IoCs)
  pid | Process
  4316 | explorer.exe
  3776 | explorer.exe
  3424 | explorer.exe
  1924 | explorer.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Video Driver = "C:\\Users\\Admin\\AppData\\Roaming\\config\\explorer.exe" | reg.exe
Suspicious use of SetThreadContext (4 IoCs)
  description | pid | Process | procid_target
  PID 4232 set thread context of 1616 | 4232 | e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe | 86
  PID 4316 set thread context of 3776 | 4316 | explorer.exe | 96
  PID 4316 set thread context of 3424 | 4316 | explorer.exe | 97
  PID 3424 set thread context of 1924 | 3424 | explorer.exe | 98

YARA matches on memory dumps
  resource | yara_rule
  behavioral2/memory/1616-16-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral2/memory/1616-19-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral2/memory/1616-21-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral2/memory/1616-63-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral2/memory/1616-67-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral2/memory/3776-97-0x0000000000400000-0x000000000040B000-memory.dmp | upx
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3776 | explorer.exe  (identical row repeated 64 times)
Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | Process
  4232 | e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe
  1616 | e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe
  4316 | explorer.exe
  3776 | explorer.exe
Suspicious use of WriteProcessMemory (39 IoCs; identical rows collapsed with their repeat count)
  description | pid | Process | procid_target | count
  PID 4232 wrote to memory of 1616 | 4232 | e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe | 86 | 8
  PID 1616 wrote to memory of 2028 | 1616 | e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe | 90 | 3
  PID 2028 wrote to memory of 1948 | 2028 | cmd.exe | 94 | 3
  PID 1616 wrote to memory of 4316 | 1616 | e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe | 95 | 3
  PID 4316 wrote to memory of 3776 | 4316 | explorer.exe | 96 | 8
  PID 4316 wrote to memory of 3424 | 4316 | explorer.exe | 97 | 7
  PID 3424 wrote to memory of 1924 | 3424 | explorer.exe | 98 | 7
Processes (nesting level as recorded in the report)

1. C:\Users\Admin\AppData\Local\Temp\e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe"
   PID: 4232
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe"
      PID: 1616
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GOCDW.bat" "
         PID: 2028
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\reg.exe
            Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Video Driver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\config\explorer.exe" /f
            PID: 1948
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery

      3. C:\Users\Admin\AppData\Roaming\config\explorer.exe
         Command line: "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
         PID: 4316
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\config\explorer.exe
            Command line: "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
            PID: 3776
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx

         4. C:\Users\Admin\AppData\Roaming\config\explorer.exe
            Command line: "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
            PID: 3424
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            5. C:\Users\Admin\AppData\Roaming\config\explorer.exe
               Command line: "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
               PID: 1924
               - Checks computer location settings
               - Executes dropped EXE
               - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 294B
MD5: 8d94b726e00da21df5b0a34b91e12c83
SHA1: 87c6ef15d8bef6eebb43debca518e7f2a87b53a4
SHA256: fc6f56e4dc22274d977f52edfa89a6ff852c0c69893d1bd0c5ac2e21a1cf3546
SHA512: 9b8bf127f25ef6d2c2a1c8aa17a3f7424095333b13004f155cd8d08de98730d3ccff52e6de43d2749002ea7e2ed37a434afa1b4d0d643a6e29092e08743cc93e

Filesize: 149B
MD5: fc1798b7c7938454220fda837a76f354
SHA1: b232912930b2bc24ff18bf7ecd58f872bbe01ea0
SHA256: 7f0a5917b5aca9c5beb153aad0ef95bf0aeafb83768da5b086c3f029ba42d7c8
SHA512: d1abdd45a8e5d33893b9d19424174a07feed145d2e6b4be318ab5fde503f850579a4a101a010f30e16ecde2c7123f45357a8341214655321ee0f0097ca911331

Filesize: 88KB
MD5: fe0a97a0412644f2073d790daac7036f
SHA1: 101b063de06362b898596f497d66d66b9a48c591
SHA256: 12f58522cfe2e232464751f7a3626c95f52af0b2f83851c06d66cca38cf3133d
SHA512: 9d015c88c21a98c221e57478a5f0a8f7429fd2f24c9e536d8385e84c45a10b34c62d7cca435b348913e1d4f9f25d9d0470e32f13254b657d996ed64672533ffa