Overview
overview
10Static
static
10017b236bf3...d6.exe
windows7-x64
10017b236bf3...d6.exe
windows10-2004-x64
1005676f2007...fb.exe
windows7-x64
305676f2007...fb.exe
windows10-2004-x64
70a025116a8...57.exe
windows7-x64
80a025116a8...57.exe
windows10-2004-x64
8$PLUGINSDIR/INetC.dll
windows7-x64
3$PLUGINSDIR/INetC.dll
windows10-2004-x64
31.exe
windows7-x64
81.exe
windows10-2004-x64
818674bbd9a...38.exe
windows7-x64
818674bbd9a...38.exe
windows10-2004-x64
8$PLUGINSDIR/INetC.dll
windows7-x64
3$PLUGINSDIR/INetC.dll
windows10-2004-x64
3234901adb1...b2.exe
windows7-x64
10234901adb1...b2.exe
windows10-2004-x64
102ae06537d1...b6.exe
windows7-x64
82ae06537d1...b6.exe
windows10-2004-x64
8$PLUGINSDIR/INetC.dll
windows7-x64
3$PLUGINSDIR/INetC.dll
windows10-2004-x64
32c02c65090...91.exe
windows7-x64
72c02c65090...91.exe
windows10-2004-x64
73.exe
windows7-x64
103.exe
windows10-2004-x64
10329b3ddbf1...f9.exe
windows7-x64
10329b3ddbf1...f9.exe
windows10-2004-x64
10336fe6e8bc...de.exe
windows7-x64
8336fe6e8bc...de.exe
windows10-2004-x64
8$PLUGINSDIR/INetC.dll
windows7-x64
3$PLUGINSDIR/INetC.dll
windows10-2004-x64
34bd31921c8...be.exe
windows7-x64
84bd31921c8...be.exe
windows10-2004-x64
8Analysis
-
max time kernel
94s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
20-11-2024 13:46
Behavioral task
behavioral1
Sample
017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
0a025116a860d7568fbda8ed84925cac06b13d6441eddf7428ac79359cd09b57.exe
Resource
win7-20241023-en
Behavioral task
behavioral6
Sample
0a025116a860d7568fbda8ed84925cac06b13d6441eddf7428ac79359cd09b57.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/INetC.dll
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/INetC.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
1.exe
Resource
win7-20241010-en
Behavioral task
behavioral10
Sample
1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
18674bbd9af6e4e7396363a4f7d72312a50514f72ee4c4ceb131738801100438.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
18674bbd9af6e4e7396363a4f7d72312a50514f72ee4c4ceb131738801100438.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
$PLUGINSDIR/INetC.dll
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
$PLUGINSDIR/INetC.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
234901adb1100979c1e842133901f0bb8617683efeed4e3d56245f71f71aa6b2.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
234901adb1100979c1e842133901f0bb8617683efeed4e3d56245f71f71aa6b2.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
2ae06537d1e90d4ac1d2bca7c6309c9d1958f3e1ae9d7625bd914b10609d41b6.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
2ae06537d1e90d4ac1d2bca7c6309c9d1958f3e1ae9d7625bd914b10609d41b6.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
$PLUGINSDIR/INetC.dll
Resource
win7-20240708-en
Behavioral task
behavioral20
Sample
$PLUGINSDIR/INetC.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
2c02c650903a9cc289c62b83a56de001871b58531c4da3fc838a32b3b9e84291.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
2c02c650903a9cc289c62b83a56de001871b58531c4da3fc838a32b3b9e84291.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
3.exe
Resource
win7-20241010-en
Behavioral task
behavioral24
Sample
3.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.exe
Resource
win7-20241010-en
Behavioral task
behavioral26
Sample
329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
336fe6e8bcdbe46641a6124436547df8e1090d978e3777d220bfa7553c9903de.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
336fe6e8bcdbe46641a6124436547df8e1090d978e3777d220bfa7553c9903de.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
$PLUGINSDIR/INetC.dll
Resource
win7-20240729-en
Behavioral task
behavioral30
Sample
$PLUGINSDIR/INetC.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
4bd31921c87104105a1f11a3cbe3a93bf74593220f70bf70f678d2d468c991be.exe
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
4bd31921c87104105a1f11a3cbe3a93bf74593220f70bf70f678d2d468c991be.exe
Resource
win10v2004-20241007-en
General
-
Target
05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe
-
Size
16KB
-
MD5
ffe4f9b654ff2900c2361444e1b8cc11
-
SHA1
e19af8a7a59f36f6dc60fccf3fed14558485400c
-
SHA256
05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb
-
SHA512
0c6b6103ec9666dd55549e9825d1b22705eb113ca3e323f4d39ef375ab58280467bc0b2677345929f46f1d558a58d356a8e469b020bb184710b18ee1220a3413
-
SSDEEP
384:CaeADspZKz4N+D8eoeH2uA1L7P+TPXHTBO:/spIz4N+9F2uA1nqP3g
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation 05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 3500 powershell.exe 3500 powershell.exe 1816 powershell.exe 5024 powershell.exe 5024 powershell.exe 1728 powershell.exe 1816 powershell.exe 1728 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 3500 powershell.exe Token: SeDebugPrivilege 1816 powershell.exe Token: SeDebugPrivilege 5024 powershell.exe Token: SeDebugPrivilege 1728 powershell.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 4480 wrote to memory of 3500 4480 05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe 84 PID 4480 wrote to memory of 3500 4480 05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe 84 PID 4480 wrote to memory of 5024 4480 05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe 85 PID 4480 wrote to memory of 5024 4480 05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe 85 PID 4480 wrote to memory of 1816 4480 05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe 87 PID 4480 wrote to memory of 1816 4480 05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe 87 PID 4480 wrote to memory of 1728 4480 05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe 89 PID 4480 wrote to memory of 1728 4480 05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe"C:\Users\Admin\AppData\Local\Temp\05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemProperty -Path Registry::HKEY_CURRENT_USER\Software2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3500
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-ItemProperty -Path Registry::HKEY_CURRENT_USER\Software -Name 'ISUSED' -PropertyType String -Value 'True'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5024
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-ItemProperty -Path Registry::HKEY_CURRENT_USER\Software -Name 'SYS1' -PropertyType String -Value 'M8cdwSViEEn+BZpa3eTafy72TydkM6Hr'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1816
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-ItemProperty -Path Registry::HKEY_CURRENT_USER\Software -Name 'SYS2' -PropertyType String -Value '+WeFco132Ds='2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1728
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize
64B
MD550a8221b93fbd2628ac460dd408a9fc1
SHA17e99fe16a9b14079b6f0316c37cc473e1f83a7e6
SHA25646e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
SHA51227dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0
-
Filesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize6KB
MD55d15173b959fc44f9f7d0f6267e1ac6f
SHA1e313e3f77f1b39dd3526b76b46f39b8d6a4542b0
SHA25602f773989e9bc9c47e276c9e9059ec0f29c5dbf94ffa891120e7e939faed2770
SHA512eca2025ef6f39a36dd2b9802d94169e31788f903a8142b9efd21e4452bd2010615d1b8bfa67a083d7f648e198b9a9e65475bcd8910638e42754a52ef36b2a64e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize6KB
MD5b3eac365fc193ccd411f9a5af1e33f8b
SHA1df59ed50ee21db18a458a7b255f2d7d2267384b4
SHA2562392bcb8200fc585afab90bb9d9ba0284be25fe2ea65c860221c8e8020358f05
SHA51223abcb73acf2303c80c0a99d0c046c87d5ebd9e41ebeb26070218097e358028a9cbdecb887895744e007bffccc853ff34989d16ce816dadcc843564bb5e57359
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize6KB
MD5b6e503744e0f32783eeb750594cbcc3d
SHA1dd3b6b77ff860d6b22494493b22a9cf0381a6874
SHA25698af92253a97ee7d79fdaae0f5fbc75d2246b11ba98466fa99a3672df79a7592
SHA512feb525129aec882a4f68adcd4db7a3b11d628feda9c38989e838900bd15831ef440a4419a9750f9fd7a1c1b03ec78bbf7bd2180a0e0db9b26e53add50541b97d
-
Filesize
819B
MD572b47d154e48cd3ba2c34dc22780d7f3
SHA1150cb795b88c6a48601f56fba99715abfe3d812b
SHA2560757c374065ef622cbf487e875f2ebabd91503bc7b1d5909c609bc4a4a54ca8e
SHA512381332bc3e0ed1428c1b2fd6f077b0ddcf57ccdf172831ac953b713d0709511616e960db8fa758f02e150fbb8f6df75177d18871814af14de8c253d3d8d2e538