Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/03/2025, 00:03
Behavioral task: behavioral1
Sample: 3f128a6477d3d836accf898a564082a9ba4b50168bd16eac89c16ea09edd85ea.exe
Resource: win7-20240903-en
General
Target: 3f128a6477d3d836accf898a564082a9ba4b50168bd16eac89c16ea09edd85ea.exe
Size: 803KB
MD5: d9088a749f3b68662c2773eb637b0b6b
SHA1: 907d48cbda81f3e4d9cd724154605f0657935ef8
SHA256: 3f128a6477d3d836accf898a564082a9ba4b50168bd16eac89c16ea09edd85ea
SHA512: ac27136531285dc2292d1ca8604955c0460f4d481f33857e72ab77d09cb89d0929c1bd4a624cf39c94fe87353ca201af4f914edf74fe2fd1a72c22d2688e2e73
SSDEEP: 24576:bkGvM/P1U4bBTOKr26GU5OYsnXgxvrQrAnuIw9:b2/P1UOtOKC6GrYsgxTQTIG
Malware Config
Signatures
Imminent family

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation | 3f128a6477d3d836accf898a564082a9ba4b50168bd16eac89c16ea09edd85ea.exe
Key value queried | \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation | refsutil.exe
Key value queried | \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation | refsutil.exe
Executes dropped EXE (2 IoCs)
pid | Process
5108 | refsutil.exe
2336 | refsutil.exe
Drops desktop.ini file(s) (2 IoCs)
description | ioc | Process
File created | C:\Windows\assembly\Desktop.ini | RegAsm.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | RegAsm.exe
AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1280-11-0x00000000003F0000-0x0000000000578000-memory.dmp | autoit_exe
behavioral2/memory/5108-30-0x0000000000580000-0x0000000000708000-memory.dmp | autoit_exe
behavioral2/memory/2336-41-0x0000000000580000-0x0000000000708000-memory.dmp | autoit_exe
Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 1280 set thread context of 4476 | 1280 | 3f128a6477d3d836accf898a564082a9ba4b50168bd16eac89c16ea09edd85ea.exe | 88
PID 5108 set thread context of 4828 | 5108 | refsutil.exe | 103
PID 2336 set thread context of 1296 | 2336 | refsutil.exe | 107
resource | yara_rule
behavioral2/memory/1280-0-0x00000000003F0000-0x0000000000578000-memory.dmp | upx
behavioral2/memory/1280-11-0x00000000003F0000-0x0000000000578000-memory.dmp | upx
behavioral2/files/0x000800000002405c-22.dat | upx
behavioral2/memory/5108-23-0x0000000000580000-0x0000000000708000-memory.dmp | upx
behavioral2/memory/5108-30-0x0000000000580000-0x0000000000708000-memory.dmp | upx
behavioral2/memory/2336-41-0x0000000000580000-0x0000000000708000-memory.dmp | upx
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\assembly | RegAsm.exe
File created | C:\Windows\assembly\Desktop.ini | RegAsm.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | RegAsm.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3f128a6477d3d836accf898a564082a9ba4b50168bd16eac89c16ea09edd85ea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | refsutil.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | refsutil.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3528 | schtasks.exe
3820 | schtasks.exe
1544 | schtasks.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
4476 | RegAsm.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4476 | RegAsm.exe
Token: 33 | 4476 | RegAsm.exe
Token: SeIncBasePriorityPrivilege | 4476 | RegAsm.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
4476 | RegAsm.exe
Suspicious use of WriteProcessMemory (24 IoCs)
description | pid | Process | procid_target
PID 1280 wrote to memory of 4476 | 1280 | 3f128a6477d3d836accf898a564082a9ba4b50168bd16eac89c16ea09edd85ea.exe | 88
PID 1280 wrote to memory of 4476 | 1280 | 3f128a6477d3d836accf898a564082a9ba4b50168bd16eac89c16ea09edd85ea.exe | 88
PID 1280 wrote to memory of 4476 | 1280 | 3f128a6477d3d836accf898a564082a9ba4b50168bd16eac89c16ea09edd85ea.exe | 88
PID 1280 wrote to memory of 4476 | 1280 | 3f128a6477d3d836accf898a564082a9ba4b50168bd16eac89c16ea09edd85ea.exe | 88
PID 1280 wrote to memory of 4476 | 1280 | 3f128a6477d3d836accf898a564082a9ba4b50168bd16eac89c16ea09edd85ea.exe | 88
PID 1280 wrote to memory of 1544 | 1280 | 3f128a6477d3d836accf898a564082a9ba4b50168bd16eac89c16ea09edd85ea.exe | 90
PID 1280 wrote to memory of 1544 | 1280 | 3f128a6477d3d836accf898a564082a9ba4b50168bd16eac89c16ea09edd85ea.exe | 90
PID 1280 wrote to memory of 1544 | 1280 | 3f128a6477d3d836accf898a564082a9ba4b50168bd16eac89c16ea09edd85ea.exe | 90
PID 5108 wrote to memory of 4828 | 5108 | refsutil.exe | 103
PID 5108 wrote to memory of 4828 | 5108 | refsutil.exe | 103
PID 5108 wrote to memory of 4828 | 5108 | refsutil.exe | 103
PID 5108 wrote to memory of 4828 | 5108 | refsutil.exe | 103
PID 5108 wrote to memory of 4828 | 5108 | refsutil.exe | 103
PID 5108 wrote to memory of 3528 | 5108 | refsutil.exe | 104
PID 5108 wrote to memory of 3528 | 5108 | refsutil.exe | 104
PID 5108 wrote to memory of 3528 | 5108 | refsutil.exe | 104
PID 2336 wrote to memory of 1296 | 2336 | refsutil.exe | 107
PID 2336 wrote to memory of 1296 | 2336 | refsutil.exe | 107
PID 2336 wrote to memory of 1296 | 2336 | refsutil.exe | 107
PID 2336 wrote to memory of 1296 | 2336 | refsutil.exe | 107
PID 2336 wrote to memory of 1296 | 2336 | refsutil.exe | 107
PID 2336 wrote to memory of 3820 | 2336 | refsutil.exe | 108
PID 2336 wrote to memory of 3820 | 2336 | refsutil.exe | 108
PID 2336 wrote to memory of 3820 | 2336 | refsutil.exe | 108
Processes
(child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\3f128a6477d3d836accf898a564082a9ba4b50168bd16eac89c16ea09edd85ea.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3f128a6477d3d836accf898a564082a9ba4b50168bd16eac89c16ea09edd85ea.exe"
  PID: 1280
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      PID: 4476
      - Drops desktop.ini file(s)
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn NgcIso /tr "C:\Users\Admin\advpack\refsutil.exe" /sc minute /mo 1 /F
      PID: 1544
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 3532

C:\Users\Admin\advpack\refsutil.exe
  Command line: C:\Users\Admin\advpack\refsutil.exe
  PID: 5108
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      PID: 4828
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn NgcIso /tr "C:\Users\Admin\advpack\refsutil.exe" /sc minute /mo 1 /F
      PID: 3528
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

C:\Users\Admin\advpack\refsutil.exe
  Command line: C:\Users\Admin\advpack\refsutil.exe
  PID: 2336
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      PID: 1296
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn NgcIso /tr "C:\Users\Admin\advpack\refsutil.exe" /sc minute /mo 1 /F
      PID: 3820
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 319B
MD5: c0ed926cd0e608944ad99322aaedb97a
SHA1: 007e5bc9d8650a46f48f75045034702c24be39c5
SHA256: eb035294fbea39baa6e6c65cb7e06451987c51c5536586f23de5dc7f91096943
SHA512: 83891a4984208720a224937101313759ffec75f5ebb2225c30555e5a28c7cc753162d802b176694ecc7404e2723f75d86d313adb835d4ec826ac13ff24cce42a

Filesize: 803KB
MD5: 7617fdf2046de5c33df51c76a8b45d85
SHA1: 5f6fe36902d3917333473341e82635602df0ebfa
SHA256: a7bc166bcd73bc5d5269c6b1e4afcabeb2e0a02fb4d373c64ae6dbc6c499b482
SHA512: ea63e10ebc7868c425060c089f911ed0babcff5901b05b18b457690379bafb20b2758d3c151350458612fce55e938101432915fb9a9bbbe629a23a73e018c731