Analysis
-
max time kernel
98s -
max time network
117s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
21-11-2024 11:04
General
-
Target
6f9fcdf305954ce3df1e87806efd915d469df15cfb38a843d6550ddc819189dc.exe
-
Size
936KB
-
MD5
00f1134ac30c0f5fc7394d3c5115430f
-
SHA1
01d262ab5e765a4c80c8b015055c91fc2ce944a3
-
SHA256
6f9fcdf305954ce3df1e87806efd915d469df15cfb38a843d6550ddc819189dc
-
SHA512
3b88134012fefafb992a239381226698832d5290623879c94797c97d7891ad8c1936238ac268a38f5dadff5e0bd6b936b312c57c7891316fa242850a878f77b7
-
SSDEEP
12288:pCoVUa6kt9k13IJmTQil+zNAfZb2hkMd4UyDebmmYfTJSgnqivM4+a3K8Q/K1P6Q:MU19kRImAzWb2hk+yWmmWdnqi5GW+pn4
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6f9fcdf305954ce3df1e87806efd915d469df15cfb38a843d6550ddc819189dc.exe"C:\Users\Admin\AppData\Local\Temp\6f9fcdf305954ce3df1e87806efd915d469df15cfb38a843d6550ddc819189dc.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Nlyuypcnhupxytki.vbs"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\putty.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\MSBuild.exeC:\Users\Admin\AppData\Local\Temp\MSBuild.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
1KB
MD57edbb0f354c79e3fece6c503d79fcf11
SHA149d099b0318fc4a27626f034bcf2a1e92d9a610e
SHA256c127e3d3587b05bbea09ae292b28e337484f7b61590074eace8a4c986c96d273
SHA5127d84dc39a6de59afc82c272bcf9da3406a082f5966e3cecf92a89274fa53ed16655cc5b95fa7fcbb4518ab5741c95da7468be9088932fb53837a176515770222
-
Filesize
252KB
MD52edd0b288fe2459da84e4274d1942343
SHA1c6d88db3c6871b3bb7f9ba9bde893bfcac7c7ee4
SHA2566891da439a64108cc7fd7ca27f14bd726844b20c084506c13681078f5d9a3768
SHA5126c7b06101e33001a5e345246182cc2418bef0c310c382f55ecac9826773b8e37131c1d56a34aaf144f544e3047a55867aa9f22c82c59bbacb262c20dbb5b47f9
-
Filesize
173B
MD588d229354c4065c2b2834e43e225457b
SHA1cf08a692294c27053a643a8e0f44fcc1badb6c91
SHA256b9a524175681990f2f7787c4d29f2adfe7f1baec47beb1e5a2de6787cc039fd2
SHA512ff240b7f654f9ecb5ca4c1a316be6f6e49ecfe94b3c52cad144440a5138de51051c69af13418b15e3f5dec0977e484bbeb468cf8a770b85be49c3da68a7af7c7
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
952KB
-
Filesize
8KB
-
Filesize
832KB
-
Filesize
496KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
448KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
544KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
328KB
-
Filesize
48KB
-
Filesize
336KB
-
Filesize
304KB
-
Filesize
136KB