Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-11-2024 03:47

General

  • Target

    e8561a2b79ca2be47a6d67e1ea56c05bba0bb82ceada5171b960b4041e98015a.exe

  • Size

    93KB

  • MD5

    d7526430b723e5b9b90defdb347897d4

  • SHA1

    00c6e39049ebbae9718f16ec6e12c6ddcff15ac3

  • SHA256

    e8561a2b79ca2be47a6d67e1ea56c05bba0bb82ceada5171b960b4041e98015a

  • SHA512

    3efa57f9ef73e6349c728406157dcd6b420910e6c41c5e4c4d6460f9c12dbe497dce2ee1a82de118f78c997e579596be8de7ec3d66df20622e036c43ede18afe

  • SSDEEP

    768:hY3EcnD9O/pBcxYsbae6GIXb9pDX2t98PL0OXLeuXxrjEtCdnl2pi1Rz4Rk3+sGV:fcxOx6baIa9RZj00ljEwzGi1dDaDxgS

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e8561a2b79ca2be47a6d67e1ea56c05bba0bb82ceada5171b960b4041e98015a.exe
    "C:\Users\Admin\AppData\Local\Temp\e8561a2b79ca2be47a6d67e1ea56c05bba0bb82ceada5171b960b4041e98015a.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3668
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4340
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:312

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\server.exe

    Filesize

    93KB

    MD5

    d7526430b723e5b9b90defdb347897d4

    SHA1

    00c6e39049ebbae9718f16ec6e12c6ddcff15ac3

    SHA256

    e8561a2b79ca2be47a6d67e1ea56c05bba0bb82ceada5171b960b4041e98015a

    SHA512

    3efa57f9ef73e6349c728406157dcd6b420910e6c41c5e4c4d6460f9c12dbe497dce2ee1a82de118f78c997e579596be8de7ec3d66df20622e036c43ede18afe

  • C:\Users\Admin\AppData\Roaming\app

    Filesize

    5B

    MD5

    8f11404a507cfb98455f89a534077f73

    SHA1

    0716c668f504450353527aff1a6457b8348cf435

    SHA256

    f7c301f3fcce1c2444b540090e5024f0cea1806ab8ae1d81901ecc3b63334cbb

    SHA512

    85403dd06da5851e8c4d727ca8d87cc0e7ff4974942ec22123366684ed0e51b543a29b6d2521e2e65784c69884fde8d711e5064f104b098293fcd18c44769492

  • memory/3668-0-0x0000000074892000-0x0000000074893000-memory.dmp

    Filesize

    4KB

  • memory/3668-1-0x0000000074890000-0x0000000074E41000-memory.dmp

    Filesize

    5.7MB

  • memory/3668-2-0x0000000074890000-0x0000000074E41000-memory.dmp

    Filesize

    5.7MB

  • memory/3668-13-0x0000000074890000-0x0000000074E41000-memory.dmp

    Filesize

    5.7MB

  • memory/4340-14-0x0000000074890000-0x0000000074E41000-memory.dmp

    Filesize

    5.7MB

  • memory/4340-15-0x0000000074890000-0x0000000074E41000-memory.dmp

    Filesize

    5.7MB

  • memory/4340-16-0x0000000074890000-0x0000000074E41000-memory.dmp

    Filesize

    5.7MB

  • memory/4340-47-0x0000000074890000-0x0000000074E41000-memory.dmp

    Filesize

    5.7MB