Analysis
max time kernel: 91s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/11/2024, 05:30
Static task: static1
Behavioral task: behavioral1 (sample: final_executable.exe, resource: win7-20240903-en)
Behavioral task: behavioral2 (sample: final_executable.exe, resource: win10v2004-20241007-en)
General
Target: final_executable.exe
Size: 33.4MB
MD5: 25dfca9be67c2943c53d9d2a1d478f1a
SHA1: ef7f907b47468164bdb76970278e876474c17bcb
SHA256: bf562448e3d9507d80ee0f89642ef0eeda1a0931ab0edd9d2574f52df4b0e740
SHA512: ab9a757b182347c971c2ef05636a9ddec67d12a7b0f7bc0468b44ce9c172801512022a48c3c3c8dbdd565e32058aa8fc6c95c07219443ea5b7efe95453b20b40
SSDEEP: 393216:d76L6otUitqtH7wHtXq2pt2jbOCacCFIK0fpP9HF4VW8yf3nVQx4urYsANulL7ND:d0LoCOn+23s4urYDNulLBiuDj
Malware Config
Signatures
Checks computer location settings  (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence. Geo\Nation holds the per-user GeoID, a numeric country code; a script that reads it can refuse to run in particular countries. Both reads come from the two cscript.exe instances (PIDs 1388 and 3336) that execute run.vbs in the process tree below.

description         ioc                                                                                                    Process
Key value queried   \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation    cscript.exe
Key value queried   \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation    cscript.exe
Enumerates physical storage devices  (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Consistent with the "wmic diskdrive get serialnumber" calls in the process tree below.
Suspicious use of AdjustPrivilegeToken  (64 IoCs)

description                pid    Process
Token: <privilege>         2352   WMIC.exe   (42 IoCs: the 21-privilege sequence below, enabled twice)
Token: <privilege>         1828   WMIC.exe   (22 IoCs: the same sequence once, followed by SeIncreaseQuotaPrivilege again)

Privilege sequence, in the order logged: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36

The four numeric entries are privileges the sandbox reports by LUID only; on current Windows 33-36 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege. Enabling every privilege present in the token in one pass is what WMIC.exe does on its own at start-up, and the IoCs sit under the two WMIC instances in the tree rather than under the sample, so treat this signature as a by-product of the WMIC calls, not as privilege escalation by final_executable.exe.
Suspicious use of WriteProcessMemory  (34 IoCs)
Each pair is logged twice in the report; the 17 distinct pairs are listed once here. Every pair is a parent writing into a child it has just created (each one is an edge of the process tree below); there is no write into an unrelated process, so this signature reflects process start-up rather than injection into a foreign process.

description                          pid    Process                procid_target
PID 4732 wrote to memory of 3732     4732   final_executable.exe   85
PID 4732 wrote to memory of 2904     4732   final_executable.exe   86
PID 3732 wrote to memory of 2352     3732   cmd.exe                88
PID 2904 wrote to memory of 1388     2904   cmd.exe                87
PID 1388 wrote to memory of 456      1388   cscript.exe            90
PID 4732 wrote to memory of 1032     4732   final_executable.exe   92
PID 1032 wrote to memory of 1828     1032   cmd.exe                93
PID 1388 wrote to memory of 2556     1388   cscript.exe            94
PID 764 wrote to memory of 1384      764    cmd.exe                112
PID 1384 wrote to memory of 3080     1384   final_executable.exe   113
PID 1384 wrote to memory of 2008     1384   final_executable.exe   114
PID 2008 wrote to memory of 3336     2008   cmd.exe                115
PID 3080 wrote to memory of 2136     3080   cmd.exe                116
PID 1384 wrote to memory of 5048     1384   final_executable.exe   117
PID 3336 wrote to memory of 3536     3336   cscript.exe            118
PID 5048 wrote to memory of 2516     5048   cmd.exe                120
PID 3336 wrote to memory of 2944     3336   cscript.exe            121
Processes
Each entry gives the image path and PID, then the command line and the signatures attached to that process; indentation shows the parent/child relationship.

C:\Users\Admin\AppData\Local\Temp\final_executable.exe  (PID 4732)
    command line: "C:\Users\Admin\AppData\Local\Temp\final_executable.exe"
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe  (PID 3732)
        command line: C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
        signatures: Suspicious use of WriteProcessMemory
        C:\Windows\System32\Wbem\WMIC.exe  (PID 2352)
            command line: wmic diskdrive get serialnumber
            signatures: Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\cmd.exe  (PID 2904)
        command line: C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\Users\Admin\AppData\Roaming\run.vbs""
        signatures: Suspicious use of WriteProcessMemory
        C:\Windows\system32\cscript.exe  (PID 1388)
            command line: cscript //nologo "C:\Users\Admin\AppData\Roaming\run.vbs"
            signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
            C:\Windows\System32\cmd.exe  (PID 456)
                command line: "C:\Windows\System32\cmd.exe" /c installer.bat
            C:\Windows\System32\cmd.exe  (PID 2556)
                command line: "C:\Windows\System32\cmd.exe" /c exit
    C:\Windows\system32\cmd.exe  (PID 1032)
        command line: C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
        signatures: Suspicious use of WriteProcessMemory
        C:\Windows\System32\Wbem\WMIC.exe  (PID 1828)
            command line: wmic baseboard get serialnumber
            signatures: Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\cmd.exe  (PID 764; parent not recorded by the sandbox)
    command line: "C:\Windows\system32\cmd.exe"
    signatures: Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\final_executable.exe  (PID 1384)
        command line: final_executable.exe
        signatures: Suspicious use of WriteProcessMemory
        C:\Windows\system32\cmd.exe  (PID 3080)
            command line: C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
            signatures: Suspicious use of WriteProcessMemory
            C:\Windows\System32\Wbem\WMIC.exe  (PID 2136)
                command line: wmic diskdrive get serialnumber
        C:\Windows\system32\cmd.exe  (PID 2008)
            command line: C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\Users\Admin\AppData\Roaming\run.vbs""
            signatures: Suspicious use of WriteProcessMemory
            C:\Windows\system32\cscript.exe  (PID 3336)
                command line: cscript //nologo "C:\Users\Admin\AppData\Roaming\run.vbs"
                signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
                C:\Windows\System32\cmd.exe  (PID 3536)
                    command line: "C:\Windows\System32\cmd.exe" /c installer.bat
                C:\Windows\System32\cmd.exe  (PID 2944)
                    command line: "C:\Windows\System32\cmd.exe" /c exit
        C:\Windows\system32\cmd.exe  (PID 5048)
            command line: C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
            signatures: Suspicious use of WriteProcessMemory
            C:\Windows\System32\Wbem\WMIC.exe  (PID 2516)
                command line: wmic baseboard get serialnumber

The second tree is the same sample launched again by a cmd.exe shell with a relative path; its behaviour is identical to the first run. In both runs the sample does three things in sequence: reads the disk serial number via WMIC, runs C:\Users\Admin\AppData\Roaming\run.vbs through cscript (which reads the Geo\Nation registry value and then runs installer.bat through cmd /c), and reads the baseboard serial number via WMIC. Two distinct hardware serials plus a country lookup is the usual shape of a machine-fingerprint and geofence gate ahead of a second stage; the report does not show the contents of run.vbs or installer.bat, so what that gate protects is not visible here. The cmd.exe /d /s /c "..." wrapper around each child command is the form produced by Node.js child_process.exec on Windows, which together with the 33.4MB size is consistent with a packaged Node.js application (an inference from the command lines, not something the report states).
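The process tree and signature rows above can be triaged mechanically. The script below is an added example written for this page, not Hatching Triage code: it takes the first run's process tree, WriteProcessMemory pairs and Geo\Nation registry read, transcribed by hand from the report into plain tuples, and (1) flags WMIC hardware-serial queries and script hosts running from AppData, (2) rolls those up per tree root so two distinct serial classes under one root read as fingerprinting rather than a lone inventory call, and (3) separates parent-into-child writes (ordinary process start-up) from cross-process writes. The WMIC pattern also matches bios/csproduct queries, which this report does not contain, as a generalisation of the diskdrive/baseboard case; the field layout, the constructed 9999 -> 1388 write pair and every function name are this script's own.

```python
"""Triage a sandbox process tree for hardware-fingerprint / geofence chains
and for WriteProcessMemory pairs that are not parent->child start-up writes.
Added example for this report; events are transcribed from the report above."""
import re
from collections import defaultdict

# (pid, ppid, image, cmdline) from the first process tree; ppid 0 = root whose
# parent the sandbox did not record.
PROCS = [
    (4732, 0,    r"C:\Users\Admin\AppData\Local\Temp\final_executable.exe", r'"C:\Users\Admin\AppData\Local\Temp\final_executable.exe"'),
    (3732, 4732, r"C:\Windows\system32\cmd.exe", r'C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"'),
    (2352, 3732, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic diskdrive get serialnumber"),
    (2904, 4732, r"C:\Windows\system32\cmd.exe", r'C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\Users\Admin\AppData\Roaming\run.vbs""'),
    (1388, 2904, r"C:\Windows\system32\cscript.exe", r'cscript //nologo "C:\Users\Admin\AppData\Roaming\run.vbs"'),
    (456,  1388, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c installer.bat'),
    (2556, 1388, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c exit'),
    (1032, 4732, r"C:\Windows\system32\cmd.exe", r'C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"'),
    (1828, 1032, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic baseboard get serialnumber"),
]

# "PID a wrote to memory of b" pairs from the WriteProcessMemory signature (first
# tree), plus one CONSTRUCTED pair (9999 -> 1388) that is not in the report, so
# the cross-process branch of classify_writes() has something to report.
WRITES = [(4732, 3732), (4732, 2904), (3732, 2352), (2904, 1388), (1388, 456),
          (4732, 1032), (1032, 1828), (1388, 2556), (9999, 1388)]

# "Key value queried" row from the 'Checks computer location settings' signature.
REG_QUERIES = [
    (1388, r"\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation"),
]

WMIC_SERIAL = re.compile(r"\bwmic\b.*\b(diskdrive|baseboard|bios|csproduct)\b.*\bget\b.*\b(serialnumber|uuid)\b", re.I)
USER_SCRIPT = re.compile(r'[A-Za-z]:\\[^"\s]*\\AppData\\(?:Roaming|Local)\\[^"\s]*\.(?:vbs|vbe|js|jse|wsf)', re.I)
GEO_KEY = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)


def build_index(procs):
    return {pid: {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}
            for pid, ppid, image, cmdline in procs}


def root_of(by_pid, pid):
    """Follow ppid links to the top of the recorded tree."""
    while by_pid[pid]["ppid"] in by_pid:
        pid = by_pid[pid]["ppid"]
    return by_pid[pid]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def findings(procs, reg_queries):
    """One (kind, pid, detail, root_image) tuple per suspicious event."""
    by_pid = build_index(procs)
    out = []
    for p in by_pid.values():
        name = basename(p["image"])
        # Match on the WMIC process itself so the cmd.exe wrapper is not counted twice.
        if name == "wmic.exe" and (m := WMIC_SERIAL.search(p["cmdline"])):
            out.append(("hw_serial_query", p["pid"], m.group(1).lower(), root_of(by_pid, p["pid"])["image"]))
        if name in ("cscript.exe", "wscript.exe") and (m := USER_SCRIPT.search(p["cmdline"])):
            out.append(("script_host_from_appdata", p["pid"], m.group(0), root_of(by_pid, p["pid"])["image"]))
    for pid, key in reg_queries:
        if GEO_KEY.search(key) and pid in by_pid:
            out.append(("geofence_registry_read", pid, key.rsplit("\\", 1)[-1], root_of(by_pid, pid)["image"]))
    return out


def fingerprinting_roots(procs, reg_queries, min_classes=2):
    """Tree roots whose descendants queried >= min_classes distinct hardware classes."""
    classes = defaultdict(set)
    for kind, _pid, detail, root in findings(procs, reg_queries):
        if kind == "hw_serial_query":
            classes[root].add(detail)
    return {root: sorted(c) for root, c in classes.items() if len(c) >= min_classes}


def classify_writes(procs, writes):
    """Parent writing into its own child is process start-up; anything else is
    a cross-process write that deserves a look."""
    by_pid = build_index(procs)
    parent_child, cross = [], []
    for src, dst in writes:
        (parent_child if dst in by_pid and by_pid[dst]["ppid"] == src else cross).append((src, dst))
    return parent_child, cross


if __name__ == "__main__":
    for f in findings(PROCS, REG_QUERIES):
        print("%-26s pid=%-5d %s  (root: %s)" % f)
    print("fingerprinting roots:", fingerprinting_roots(PROCS, REG_QUERIES))
    pc, cross = classify_writes(PROCS, WRITES)
    print("parent->child writes: %d, cross-process writes: %s" % (len(pc), cross))
```

On this report the roll-up returns final_executable.exe with both diskdrive and baseboard, the Geo\Nation read is attributed to the same root through cscript's parent chain, and all eight real WriteProcessMemory pairs land in the parent-into-child bucket; only the constructed 9999 -> 1388 pair is reported as cross-process.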
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 258B
MD5: 6bae05162350845f5dbd4ecad51065d1
SHA1: 6bfc63d7dd01c682cb1625db80cb9a3ac7e6b9b4
SHA256: 1a1df7abdb6699417df6d0ac8af95680405c124536f0859346a2a1871d2c53ee
SHA512: 6ee25a6cad103f7ac746f2dbe7184200d31b72ff27696e2945f9eb9cac6bdc85e981ed5b30a7206aa9d8fcdb31bb36a0e3945423a85a7d413fdd8cf89e95afda

File 2
Filesize: 132B
MD5: 6faa3748845b506c5c43ca84dac689ce
SHA1: 97ecda70f297d5d42e7b83b38ff9942c33446014
SHA256: cf9626dcc990dec707da1d09c5bdb26d6ca1a3dfcddb17f3135d9a6aff51b159
SHA512: b42da4cd7a85003d0f9c8cae55f461b862cd2a94296dfe1262bd832d5342d30f6eb971e1549e818bb26cea944f080a42ea54453f64c01a8fc50b4038a3f963bc