Analysis
-
max time kernel
129s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
30-06-2024 06:36
General
-
Target
HBCD/WinTools/ComboFix.exe
-
Size
2.9MB
-
MD5
14b582165769a58e64a74e007e7a2e3e
-
SHA1
ddb5384c93794f0aca59c6d0b384a19028189076
-
SHA256
ac5700575a0776c7ac6bb2b2fdcd7ea9e2914cfd9ac72dd6d191557aa0479892
-
SHA512
94079cb6c72991bf6f50ca138136ff9a88302e26239d06e34a39c9df0a736aa3869974b027e1edf12776da9fb743d682384d32d1ce5c1100e34381e283190ccd
-
SSDEEP
49152:N/cX0+PRzFKDSiNUiVjHhAb5QgDmV/fK0fXU51/Mr84almQAG61ZdwJ0:aJp2+iNCFDo/V/wEYlmeSO0
Malware Config
Signatures
-
Nirsoft 3 IoCs
-
Disables RegEdit via registry modification 2 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 29 IoCs
-
Modifies system executable filetype association 2 TTPs 12 IoCs
-
UPX packed file 20 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops file in System32 directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 25 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\HBCD\WinTools\ComboFix.exe"C:\Users\Admin\AppData\Local\Temp\HBCD\WinTools\ComboFix.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\32788R22FWJFW\n.com"C:\32788R22FWJFW\n.com" shexec install 32788R22FWJFW\Prep.inf2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\InfDefaultInstall.exe"C:\Windows\System32\InfDefaultInstall.exe" "C:\32788R22FWJFW\Prep.inf"3⤵
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\runonce.exe"C:\Windows\system32\runonce.exe" -r4⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\grpconv.exe"C:\Windows\System32\grpconv.exe" -o5⤵
-
C:\32788R22FWJFW\hidec.exe"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /da:r /q2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\32788R22FWJFW\swreg.exe32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /da:r /q3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\32788R22FWJFW\hidec.exe"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Command Processor" /reset /q2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\32788R22FWJFW\swreg.exe32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Command Processor" /reset /q3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\32788R22FWJFW\hidec.exe"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\swreg.exe import 32788R22FWJFW\EXE.reg2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\32788R22FWJFW\swreg.exe32788R22FWJFW\swreg.exe import 32788R22FWJFW\EXE.reg3⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Modifies data under HKEY_USERS
- Modifies registry class
-
C:\32788R22FWJFW\n.com"C:\32788R22FWJFW\n.com" exec hide 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\32788R22FWJFW\SWREG.exe32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\32788R22FWJFW\n.com"C:\32788R22FWJFW\n.com" cmdwait 150 exec hide 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\32788R22FWJFW\SWREG.exe32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\32788R22FWJFW\n.com"C:\32788R22FWJFW\n.com" cmdwait 3000 exec hide 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /reset /q2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\32788R22FWJFW\swreg.exe32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /reset /q3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\32788R22FWJFW\n.com"C:\32788R22FWJFW\n.com" exec hide 32788R22FWJFW\GSAR.cfexe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "~$folder.system$\cmd.exe" "~$folder.system$\cmd.execf"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\32788R22FWJFW\GSAR.cfexe32788R22FWJFW\GSAR.cfexe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.execf"3⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\32788R22FWJFW\n.com"C:\32788R22FWJFW\n.com" cmdwait 1000 exec hide "~$folder.system$\cmd.execf" /c 32788R22FWJFW\prep.cmd >\Bug.txt 2>&12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execf"C:\Windows\system32\cmd.execf" /c 32788R22FWJFW\prep.cmd >\Bug.txt 2>&13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\32788R22FWJFW\pev.exe32788R22FWJFW\PEV.exe uzip "32788R22FWJFW\License\pv_5_2_2.zip" "32788R22FWJFW\License"4⤵
- Executes dropped EXE
-
C:\32788R22FWJFW\pv.exe32788R22FWJFW\pv.exe -kf n.com4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\32788R22FWJFW\pv.cfexe32788R22FWJFW\pv.cfexe -kf n.com4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\32788R22FWJFW\grep.cfexeGREP.cfexe -F "5.2." OsVer4⤵
- Executes dropped EXE
-
C:\32788R22FWJFW\grep.cfexeGREP.cfexe -F "5.1.2" OsVer4⤵
- Executes dropped EXE
-
C:\32788R22FWJFW\grep.cfexeGREP.cfexe -F "5.00.2" OsVer4⤵
- Executes dropped EXE
-
C:\32788R22FWJFW\swreg.exeSWREG.exe query "hklm\software\microsoft\windows nt\currentversion" /v currentversion4⤵
- Executes dropped EXE
-
C:\32788R22FWJFW\grep.cfexeGREP.cfexe -sq "currentversion.* 6.0" OsVer004⤵
- Executes dropped EXE
-
C:\32788R22FWJFW\swreg.exeSWREG ACL "hklm\software\microsoft\windows nt\currentversion\windows" /RESET /Q4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\32788R22FWJFW\swreg.exeSWREG ACL "hklm\software\microsoft\windows nt\currentversion\windows" /RO:F /RA:F /Q4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\chcp.comCHCP 12524⤵
-
C:\32788R22FWJFW\n.comn.com infobox "Incompatible OS. ComboFix only works for workstations with Windows 2000 and XP~n~nOS incompatible. ComboFix ne fonctionne que pour Windows 2000 et XP~n~nOS niet compatibel. ComboFix kan enkel gebruikt worden voor Windows 2000 en XP~n~nInkompatibles Betriebssystem. ComboFix läuft nur unter Windows 2000 und XP~n~nKäyttöjärjestelmä ei ole yhteensopiva. ComboFix toimii vain Windows 2000- ja XP-käyttöjärjestelmissä.~n~nSistema Operativo Incompat¡vel. ComboFix apenas funciona em Windows 2000 e XP~n~nSO. Incompatible. ComboFix funciona únicamente en Windows 2000 y XP~n~nOS Incompatibile. Combofix funziona solo su windows 2000 e XP" "Error - Win32 only"4⤵
- Executes dropped EXE
-
C:\32788R22FWJFW\n.com"C:\32788R22FWJFW\n.com" cmdwait 2500 exec hide "~$folder.system$\cmd.execf" /c 32788R22FWJFW\prep.cmd2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Event Triggered Execution
1Change Default File Association
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\32788R22FWJFW\License\pv.exeFilesize
72KB
MD592bd80f82fe8a28385b7d9d3f215e8b3
SHA1e1ec40d4458b269d009d9c60344de3d187385290
SHA2565fc1b8e1cdd4d80b9818b854f70c009b7c182824e22c8eed7f524b4da2c60f4a
SHA51232a0d8551a4861f7ce40a9b4c127dfaace92eaf9d20407441714c475e1e0110c1225f5cc508999d832458d7e940f8711dee8853e49c1c963ffb0aaa884a94a2a
-
C:\32788R22FWJFW\OsVerFilesize
104B
MD581107438325dd733bb955160756d8c08
SHA1fb50243b24da6daef8ae5671d7cbb1a30bd4c4ca
SHA25629f6c98e2dc762764bce3fcd63826f7038170b4644e1a2e676463734e59a0ff6
SHA512d4ed17c94ffb44bfac3ed5ea22f4c42cd39d6f87623a1e96cecca52b30caf1b745c4ce8bd5f04ca670ef71789af92a29db603a897be2e539c8745fb68a43b1ed
-
C:\32788R22FWJFW\OsVer00Filesize
180B
MD5565b4fcda29a1d96b7d24cf989068f72
SHA13b2a83f8f1c436145defd842ad9c6c4c3509e8ed
SHA256c13525d71c5c05c054078a8634d639d899878ba1943491f18a31bc63c19b6772
SHA51227e10a4eee95ab0597cc570f4cbb7ff0a7cb957968c017d0204d0dbd4a75d8875eb42152610123366c4d3ab58d8f03f8766578759a62d7bed90c91c586a7dc05
-
C:\32788R22FWJFW\Prep.cmdFilesize
11KB
MD532bfd8a67ce1d117464212f534ddc4e8
SHA1c88fda96795f5b8a41e62d40a0064fd2e5fb441c
SHA2569049dbbfea87257ddfccd499e99bd00aa9d5f3770d478833ce8385a7cc90a57f
SHA512ba4e39ac9ecd822d82581b522c8a982316fffab125a723dd5fd1ca2f20ff5d7f6fafcde66d23382e046d13af5decb07bc0ded01e17dfef98e55e9d99d6cf2742
-
C:\32788R22FWJFW\Prep.infFilesize
2KB
MD57b6282af0c15cdb2087d27f55940c9f1
SHA128eab995e41d72560812140af2bfc55a06cd1507
SHA2560566cb7b0f8f8d287d298a247db0c72cde0d77250147e94d37b435c58b468119
SHA51269a598d54972a83a81421f05fb02e8408cc52126f81b9243c5ea0603e84b5963172cbf116e560a4096867270f394972aedf632e4d9412b988882dbd26df53eca
-
C:\32788R22FWJFW\Rkey.cmdFilesize
241B
MD572b52f9a4fb6ac4d77ef2dbeeac4e2bc
SHA11f0ff2972a53f4bd60dd92471164b14c54d37909
SHA256ba956605d2993a8186f7138a70feaf39242f1710d0683a3e66644792a48258d9
SHA5124d392f1d6c0f4d646409df127399f12a76bda669a531c5206b6437e0e326406dcc53e88fff16130af0c59ca54112d01d353fe23a0ea51c4ab2c4d1a2852d0127
-
C:\32788R22FWJFW\grep.cfexeFilesize
78KB
MD59e05a9c264c8a908a8e79450fcbff047
SHA1363b2ee171de15aeea793bd7fdffd68d0feb8ba4
SHA256c2ef6fc419630d566154f8372e94859df8141d02805bc7bce39c726a1ffef7c1
SHA512712892e9b08a22b795f9627f6d13412cb2a4610404de33c6f83a37178b920e7bb9d3042c3a2191e49d661a34a05202e18224c67811d8b52fa0fc2c757ef0f6fa
-
C:\32788R22FWJFW\gsar.cfexeFilesize
15KB
MD5d6a005f8facff88e260688ddb7ae00c1
SHA14e22c7a9fc89587addc4d5ddab71199e08ea5b50
SHA2560ff5348012225418d31ded6d2eb43f081ad8f7035b24e20d3e158ba320a42d49
SHA5127e3ba326c7c6a03cebece8e28cfdc75f89a9a541b07623b77a5825982c2c612477a0adc64eb29afea2faf49a211361fff9009b3979805514fd99163e218b18e7
-
C:\32788R22FWJFW\hidec.exeFilesize
1KB
MD5abc6379205de2618851c4fcbf72112eb
SHA11ed7b1e965eab56f55efda975f9f7ade95337267
SHA25622e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f
SHA512180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1
-
C:\32788R22FWJFW\n.comFilesize
30KB
MD5ae72e8619cb31d84da25e2435e55003c
SHA12ed893a9aa82da248b5f4344819fcf6ad2d28240
SHA256eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24
SHA5121013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982
-
C:\32788R22FWJFW\pev.exeFilesize
151KB
MD5915a05f3839497fa5ed64036b376f5bf
SHA182c7b739aa6a25522280fa33e7cec351524fc95b
SHA256b56a43b98983ecd011a9611150af2cc9b2bf1f7e055531e1ffa32c1999e39492
SHA512dd80cc41349c41b7e3bd63fc0ca913e164feb04d7f6437480b6e572c6667bbcd24f5d9eac0b53e509a3a39ecb179660b321dcb128f2632cecf7e557405c68118
-
C:\32788R22FWJFW\swreg.exeFilesize
158KB
MD501d95a1f8cf13d07cc564aabb36bcc0b
SHA1be229bde90b82d21fe94c67e2b096334e93d78c2
SHA2561eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3
SHA512342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48
-
C:\Windows\SysWOW64\cmd.execfFilesize
231KB
MD529824dce144b6134797729005107ee1f
SHA1d0bb9999154b87c32658b55c5c3bc2c5cbe156b6
SHA256bf313ea50b8a199fe4482f83123af4a4b40f8a15a8899d05f036a00a74bdaba5
SHA512f794953628bbd8e787a84705b61a5504f769f0aa5151771357a2fe5a3eec3e87597ed6f25d875c2beebf298ad79dded0dc133727156beaaebdfa7e23468fd6cd
-
C:\\32788R22FWJFW\License\pv_5_2_2.zipFilesize
38KB
MD5ee4f5df5ff87dfd72cf4c6b1c9fecb8f
SHA1abcc01a6b8c1e5ad7a75343dccb749cc7a38449e
SHA25640d6357bb63352b259a3a4fa7ce68daf61764efeacdb41d473d535cf09a7aff6
SHA512dcf030e0c007e63ec6dcd11d46f6b61b2ad3b5d6627b13050f6db3f43753cbf729553dcaa10e4dc3de0a9cf433af0b70a1eb3b6a380acea93e328653bd3d8b19
-
C:\\32788r22fwjfw\exe.regFilesize
7KB
MD541a42847640838accb27d89797932bba
SHA13982d3cab64faecaabce9179e900a87d2f7913fa
SHA25600e6f28b3a1606659fb55c216418be823e2eccff105e9d55de7d80de478b5571
SHA51272cfa964169e2a7bcaf52f097a47651df87fc8889462f21c909f6eb4af90b12c061fbe63bd463e239940c828c8648fd9132eb60107577c2d052f5b3eba8a9750
-
memory/1104-295-0x0000000000400000-0x0000000000402000-memory.dmpFilesize
8KB
-
memory/1200-351-0x0000000000110000-0x000000000017F000-memory.dmpFilesize
444KB
-
memory/1200-347-0x0000000000110000-0x000000000017F000-memory.dmpFilesize
444KB
-
memory/1556-325-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/1748-369-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/1936-395-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/2336-390-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2336-0-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2336-311-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2512-338-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/2780-380-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/2788-375-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/2868-334-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/2944-307-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/3240-392-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/3368-397-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/3632-279-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/3632-282-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/3664-313-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/3664-298-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/3692-315-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/4372-320-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/4604-372-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/4800-318-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/4844-386-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB