e4ec3a45621dd556deeea5f953fa05909c82630e9f17baf6b14272a0360d62d1

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2024, 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4356	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	run.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4a87b5397a2736773782f50e108b2da4.exe	conhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4a87b5397a2736773782f50e108b2da4.exe	conhost.exe

Executes dropped EXE 3 IoCs

pid	Process
4692	444.exe
4756	run.exe
3644	conhost.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1952	icacls.exe
1584	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4a87b5397a2736773782f50e108b2da4 = "\"C:\\Users\\Admin\\AppData\\Roaming\\conhost.exe\" .."	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4a87b5397a2736773782f50e108b2da4 = "\"C:\\Users\\Admin\\AppData\\Roaming\\conhost.exe\" .."	conhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
23	raw.githubusercontent.com
24	raw.githubusercontent.com

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\autorun.inf	conhost.exe
File created	C:\autorun.inf	conhost.exe
File opened for modification	C:\autorun.inf	conhost.exe
File created	D:\autorun.inf	conhost.exe
File created	F:\autorun.inf	conhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	444.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	run.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe
3644	conhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3644	conhost.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	4076	4363463463464363463463463.exe
Token: SeDebugPrivilege	3644	conhost.exe
Token: 33	3644	conhost.exe
Token: SeIncBasePriorityPrivilege	3644	conhost.exe
Token: 33	3644	conhost.exe
Token: SeIncBasePriorityPrivilege	3644	conhost.exe
Token: 33	3644	conhost.exe
Token: SeIncBasePriorityPrivilege	3644	conhost.exe
Token: 33	3644	conhost.exe
Token: SeIncBasePriorityPrivilege	3644	conhost.exe
Token: 33	3644	conhost.exe
Token: SeIncBasePriorityPrivilege	3644	conhost.exe
Token: 33	3644	conhost.exe
Token: SeIncBasePriorityPrivilege	3644	conhost.exe
Token: 33	3644	conhost.exe
Token: SeIncBasePriorityPrivilege	3644	conhost.exe
Token: 33	3644	conhost.exe
Token: SeIncBasePriorityPrivilege	3644	conhost.exe
Token: 33	3644	conhost.exe
Token: SeIncBasePriorityPrivilege	3644	conhost.exe
Token: 33	3644	conhost.exe
Token: SeIncBasePriorityPrivilege	3644	conhost.exe
Token: 33	3644	conhost.exe
Token: SeIncBasePriorityPrivilege	3644	conhost.exe
Token: 33	3644	conhost.exe
Token: SeIncBasePriorityPrivilege	3644	conhost.exe
Token: 33	3644	conhost.exe
Token: SeIncBasePriorityPrivilege	3644	conhost.exe
Token: 33	3644	conhost.exe
Token: SeIncBasePriorityPrivilege	3644	conhost.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 4692	4076	4363463463464363463463463.exe	98
PID 4076 wrote to memory of 4692	4076	4363463463464363463463463.exe	98
PID 4076 wrote to memory of 4692	4076	4363463463464363463463463.exe	98
PID 4076 wrote to memory of 4756	4076	4363463463464363463463463.exe	99
PID 4076 wrote to memory of 4756	4076	4363463463464363463463463.exe	99
PID 4076 wrote to memory of 4756	4076	4363463463464363463463463.exe	99
PID 4756 wrote to memory of 3452	4756	run.exe	100
PID 4756 wrote to memory of 3452	4756	run.exe	100
PID 3452 wrote to memory of 1952	3452	cmd.exe	104
PID 3452 wrote to memory of 1952	3452	cmd.exe	104
PID 3452 wrote to memory of 1584	3452	cmd.exe	105
PID 3452 wrote to memory of 1584	3452	cmd.exe	105
PID 3452 wrote to memory of 2416	3452	cmd.exe	106
PID 3452 wrote to memory of 2416	3452	cmd.exe	106
PID 3452 wrote to memory of 5008	3452	cmd.exe	107
PID 3452 wrote to memory of 5008	3452	cmd.exe	107
PID 3452 wrote to memory of 3508	3452	cmd.exe	108
PID 3452 wrote to memory of 3508	3452	cmd.exe	108
PID 3452 wrote to memory of 2252	3452	cmd.exe	109
PID 3452 wrote to memory of 2252	3452	cmd.exe	109
PID 3452 wrote to memory of 2896	3452	cmd.exe	110
PID 3452 wrote to memory of 2896	3452	cmd.exe	110
PID 3452 wrote to memory of 2168	3452	cmd.exe	111
PID 3452 wrote to memory of 2168	3452	cmd.exe	111
PID 3452 wrote to memory of 3180	3452	cmd.exe	112
PID 3452 wrote to memory of 3180	3452	cmd.exe	112
PID 3452 wrote to memory of 4148	3452	cmd.exe	113
PID 3452 wrote to memory of 4148	3452	cmd.exe	113
PID 3452 wrote to memory of 640	3452	cmd.exe	114
PID 3452 wrote to memory of 640	3452	cmd.exe	114
PID 3452 wrote to memory of 4948	3452	cmd.exe	115
PID 3452 wrote to memory of 4948	3452	cmd.exe	115
PID 4692 wrote to memory of 3644	4692	444.exe	118
PID 4692 wrote to memory of 3644	4692	444.exe	118
PID 4692 wrote to memory of 3644	4692	444.exe	118
PID 3644 wrote to memory of 4356	3644	conhost.exe	119
PID 3644 wrote to memory of 4356	3644	conhost.exe	119
PID 3644 wrote to memory of 4356	3644	conhost.exe	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5008	attrib.exe
3508	attrib.exe

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Users\Admin\AppData\Local\Temp\Files\444.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\444.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4692
- - C:\Users\Admin\AppData\Roaming\conhost.exe
    "C:\Users\Admin\AppData\Roaming\conhost.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops autorun.inf file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3644
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\conhost.exe" "conhost.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:4356
- C:\Users\Admin\AppData\Local\Temp\Files\run.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\run.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\27C.tmp\27D.tmp\27E.bat C:\Users\Admin\AppData\Local\Temp\Files\run.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3452
  - - C:\Windows\system32\icacls.exe
      icacls "C:\ProgramData\GBClientApp\Wallpapers" /deny administrator:(OI)(CI)F /t /c
      4⤵
      Modifies file permissions
      PID:1952
  - - C:\Windows\system32\icacls.exe
      icacls "C:\ProgramData\GBClientApp\Wallpapers" /deny administrators:(OI)(CI)F /t /c
      4⤵
      Modifies file permissions
      PID:1584
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2416
  - - C:\Windows\system32\attrib.exe
      attrib -h "C:\Users\Administrator\Desktop\Google Chrome.exe"
      4⤵
      Views/modifies file attributes
      PID:5008
  - - C:\Windows\system32\attrib.exe
      attrib -h "C:\Users\Administrator\Desktop\Coc Coc.exe"
      4⤵
      Views/modifies file attributes
      PID:3508
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2252
  - - C:\Windows\system32\schtasks.exe
      SchTasks /Delete /TN "\Microsoft\Windows\Task Manager\Interactive" /F
      4⤵
      PID:2896
  - - C:\Windows\system32\schtasks.exe
      SchTasks /Delete /TN "\Microsoft\Windows\USB\Usb-Notifications" /F
      4⤵
      PID:2168
  - - C:\Windows\system32\schtasks.exe
      SchTasks /Delete /TN "\Microsoft\Windows\Feedback\Siuf\DmClient" /F
      4⤵
      PID:3180
  - - C:\Windows\system32\schtasks.exe
      SchTasks /Delete /TN "Fix Getting Devices" /F
      4⤵
      PID:4148
  - - C:\Windows\system32\schtasks.exe
      SchTasks /Delete /TN "Windows Optimize" /F
      4⤵
      PID:640
  - - C:\Windows\system32\schtasks.exe
      SchTasks /Delete /TN "ChangeWallpaper" /F
      4⤵
      PID:4948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\27C.tmp\27D.tmp\27E.bat

Filesize
1KB

MD5
badacd09f87be0512dc647adc35d85eb

SHA1
a8313f919df88c40ad5750e18ac7006ac8bc9da6

SHA256
77ed2cbe0b5588bcdc370b9c2f2d99b3191e54cd87e8a132e3d01aebb11fa5db

SHA512
fb3c8f1130459304d9bc59d373203c65c7c5318cb3e2986d5ccb31f8f49118242a89ae8eaa6295bb3ef986c147f57826b298328aa62bc482db55f5fb7ed66986

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\444.exe

Filesize
37KB

MD5
fb0bdd758f8a9f405e6af2358da06ae1

SHA1
6c283ab5e49e6fe3a93a996f850a5639fc49e3f5

SHA256
9da4778fce03b654f62009b3d88958213f139b2f35fe1bed438100fae35bdfbf

SHA512
71d3bd1c621a93bc54f1104285da5bf8e59bc26c3055cf708f61070c1a80ee705c33efd4a05acf3d3a90a9d9fca0357c66894dcb5045ab38b27834ff56c06253

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\run.exe

Filesize
88KB

MD5
4c2bc1df6a253aeedb93fca6703c944c

SHA1
f9b33cc3ead7af759cdd205f489ec29fde4c954d

SHA256
daaa52e4529cd43d8293010ad6125dff9ccba7cacdeea7f6d0dc02572e682b5f

SHA512
145217ec581c2597dc066684f68f119f0a2579f7e9000d6cc1760c411e6a73ed7b957479ea53b56899fefb99ddca98bca91d1b8fc43cedefa49ed95a7c173944

Download Submit
memory/4076-3-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/4076-4-0x000000007468E000-0x000000007468F000-memory.dmp

Filesize
4KB

Download
memory/4076-5-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/4076-0-0x000000007468E000-0x000000007468F000-memory.dmp

Filesize
4KB

Download
memory/4076-2-0x0000000005560000-0x00000000055FC000-memory.dmp

Filesize
624KB

Download
memory/4076-1-0x0000000000AA0000-0x0000000000AA8000-memory.dmp

Filesize
32KB

Download
memory/4692-14-0x000000006F7E2000-0x000000006F7E3000-memory.dmp

Filesize
4KB

Download
memory/4692-15-0x000000006F7E0000-0x000000006FD91000-memory.dmp

Filesize
5.7MB

Download
memory/4692-16-0x000000006F7E0000-0x000000006FD91000-memory.dmp

Filesize
5.7MB

Download
memory/4692-36-0x000000006F7E0000-0x000000006FD91000-memory.dmp

Filesize
5.7MB

Download