Analysis
-
max time kernel
120s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
26-11-2024 01:09
General
-
Target
9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe
-
Size
76KB
-
MD5
6837c99ab4aad2a81b42165194ab5ea0
-
SHA1
5240c3538e1aedbd29e6a927f3d7ca258805fbca
-
SHA256
9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00
-
SHA512
dc5fa9ede53098bb386e5f96a9cb530509771e977210475270dbaa705c128079e8d3bb404d6eb5ad027117ba3cd7c5ceada9447a1e1333cf59e7f2c0a654216c
-
SSDEEP
1536:v70ak+ddygXAyy9v7Z+NoykJHBOAFRfBjG3ldoI0:T0aXdfXAyy9DZ+N7eB+II0
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 8 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 12 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 1 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 29 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of SetWindowsHookEx 20 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe"C:\Users\Admin\AppData\Local\Temp\9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
F:\recycled\SVCHOST.EXEF:\recycled\SVCHOST.EXE :agent3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
F:\recycled\SVCHOST.EXEF:\recycled\SVCHOST.EXE :agent4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
F:\recycled\SVCHOST.EXEF:\recycled\SVCHOST.EXE :agent5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
F:\recycled\SVCHOST.EXEF:\recycled\SVCHOST.EXE :agent2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9aa139668b2654f1ca70477de8fc19ca6214be62bb6eed49efe8a6d210404d00N.doc" /o ""2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
76KB
MD55b820b1dda6e7b4b0bb17c6cb51be67a
SHA1822d7e85fce2d92d85d71ae06926ac0d77dd9db6
SHA256ddb6d756238814713651d6dde6ad5fffd5bad94e4a325cd4b281c97d35897931
SHA5120652131fc17069535f40d846895c1027ba613a993c7cdae6fedd543e72e11fac947bae9f591c0310ff10d3a1e5766c1a62eb931dd1a618b30ad3b54a139eaf16
-
Filesize
76KB
MD50254db6780013b34c4df47f5e2c9ddb0
SHA1bb9cfa51892c6be7a5895a3192f764cf9e621751
SHA25697c0cc248f80a5ac163c957e72869d8e1d62afb57e3f3f321e7421d4186be793
SHA5124ec24573b942a0adf2f4ee0344684b55b3adf20ed5d9a35a9eea9ace940c627a2f60019ee12df6176139b83f53fadfac8180118bcf596a5689521b6bae3b8a67
-
Filesize
2KB
MD51a1dce35d60d2c70ca8894954fd5d384
SHA158547dd65d506c892290755010d0232da34ee000
SHA2562661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c
SHA5124abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e
-
Filesize
245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
Filesize
2KB
MD57f8dd00d34f363d46f391f054b6d9b60
SHA12ceaeee33cef3f8a34790000b5da10d75757ac21
SHA256f1275ee0c90f00357131b375df728c64effabda4d9fd490ff882cafae8677622
SHA512b1f2df4a7bcf9f02a7f1bf4fa8d159f013bf240f76b815f39f18943f67d7b86afd01b775192f9c2a95d98778af2e7da6686b736af1a860551a862568f6044be1
-
Filesize
76KB
MD55736759f94af718cdc552fd05d4b470d
SHA1b7c708c63331f439623940d7f170b8fe8527f5cc
SHA256bcd39d0ce76df01f0c6bb21c7a8eefe91764c3ad53a54676fd2dbf21a83c7251
SHA51209e669ae503bd925a6e32875f90b0d35879a8e4ca29dce15730c98c97f4c4b803637d5d799a3d57311dc66694a72bef509491fcb06f9f565c9fd413430193885
-
Filesize
76KB
MD5adec91bc1bd9535436b16fb031c9ec5b
SHA1fe6892cb400f4d8ddad79f1bfc7fc504c84367aa
SHA256190503853fa7fa6f2a0a4dab5c213c0ef6d03509ac841f2ef0010161dadaa8a4
SHA51228e8efda691d9b7d94f163249a635f5796bb08abb25b9a56e8c6d97cd89498d9ce4ebae4f95c719737704a4b84020711fa5161c003e56356e8df0b856e3b68fd
-
Filesize
76KB
MD58c40362d1df8587a6cffbfeba30023f5
SHA136d35d3639cc892bd0702309101820343abdb1ce
SHA256060d1706e19ed8ae4c2fca77bd760487ceeb3e0aa772cf2f05c33fd1403f894b
SHA5123847fdc0b595c43743316b1aaa9832cd062817368eff789619e91d4f4469dddb1d76efd130f0f912a867f9c93c7e801dd9b8b6dd961571f6bc51bfc269c1da41
-
Filesize
2B
MD52b9d4fa85c8e82132bde46b143040142
SHA1a02431cf7c501a5b368c91e41283419d8fa9fb03
SHA2564658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142
SHA512c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be
-
Filesize
76KB
MD5120349ecd96f45b75a8a92509dad2a23
SHA1e6d364aa5e7667def2ece44b3ebc421c261a99b2
SHA2566cf6fe37d0167c7cef320a9f8beeedc98b3359dd967ae7471323d53ebfafb5b6
SHA5121bd380284d323f6500dd25bd63e2d7bfb3dfa36ba5a3f3125c18d3397f5712febaad4d478b5ec6da50c2adf51d35102715f13b6ed24d5a87f16797ff750c08a9
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB