Overview

overview

10

Static

static

10

idk.exe

windows10-ltsc 2021-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    138s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250113-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    15-01-2025 20:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    idk.exe

  • Size

    93KB

  • MD5

    83f90cb80993c51fe93a9f341922a3c8

  • SHA1

    0fb07736f3a7be6f69e17525e32337bd88ff4fd6

  • SHA256

    6289a6f437dbe477d4648b112653a1e6de8c191489671d3e2fd51a31946103bd

  • SHA512

    7600ce9c8e603b2329c2fd98d36143ccb52ff6e11a2679c8cc47b1ce78938c752003c4d482c6fbfe5ad22f5e4594b72f5ed46443e9c2b0b7483116757a529c4f

  • SSDEEP

    768:4Y3TVfhWXxyFcxovUKUJuROprXtWN8eYhYbmXxrjEtCdnl2pi1Rz4Rk3rTYsGdpv:TV5WhIUKcuOJhPhBjEwzGi1dD3gDPgS

Score
8/10
discoveryevasionpersistenceprivilege_escalation

Malware Config

Signatures

  • Disables Task Manager via registry modification
    evasion
  • Modifies Windows Firewall 2 TTPs 3 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\idk.exe
    "C:\Users\Admin\AppData\Local\Temp\idk.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:760
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      2⤵
      • Executes dropped EXE
      • Drops autorun.inf file
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:232
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:1936
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:4924
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:4480

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\server.exe
    Filesize

    93KB

    MD5

    83f90cb80993c51fe93a9f341922a3c8

    SHA1

    0fb07736f3a7be6f69e17525e32337bd88ff4fd6

    SHA256

    6289a6f437dbe477d4648b112653a1e6de8c191489671d3e2fd51a31946103bd

    SHA512

    7600ce9c8e603b2329c2fd98d36143ccb52ff6e11a2679c8cc47b1ce78938c752003c4d482c6fbfe5ad22f5e4594b72f5ed46443e9c2b0b7483116757a529c4f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\app
    Filesize

    5B

    MD5

    aa3cce4f6c83d5adfcfc45934b274cc6

    SHA1

    20e102f0ad9f95951786af279e5215d2ecf85126

    SHA256

    57a8ff317e913b7e08c0a1758997ed0ffc2f1aba0a3b3310c7697bc207fd15e5

    SHA512

    f9ec7cd14188f6f7cc00d64dfd7781fc425b7dd24d8fa70d9382cd127bbcc657c734812bc50ba0761393b1a89de9dc02f0d90e8377d6387f24e2d36c98d185cf

    Download Submit

  • memory/232-17-0x00000000752B0000-0x0000000075861000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/232-18-0x00000000752B0000-0x0000000075861000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/232-25-0x00000000752B0000-0x0000000075861000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/232-26-0x00000000752B0000-0x0000000075861000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/232-27-0x00000000752B0000-0x0000000075861000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/760-0-0x00000000752B2000-0x00000000752B3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/760-1-0x00000000752B0000-0x0000000075861000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/760-2-0x00000000752B0000-0x0000000075861000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/760-16-0x00000000752B0000-0x0000000075861000-memory.dmp

    Filesize

    5.7MB

    Download