Analysis
- max time kernel: 147s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-02-2023 04:23
Static task: static1
Behavioral task: behavioral1
- Sample: 124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe
- Resource: win10v2004-20220812-en
General
- Target: 124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe
- Size: 245KB
- MD5: e538f67d529d672c55304f3c9ad05392
- SHA1: f7ff40a1901d51dd6222b420bbece575b46b2cd2
- SHA256: 124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf
- SHA512: 22344125223dcc5d66a5d0a6b860e547b408123d75e3d8f698fa45b9ea33e7a736ccaa7ae4e32a0989a9d0637db16443502e7bd56beb8093bb6c09a0289361c6
- SSDEEP: 3072:eTIu4ZQ8M2A1vA7m5+C6ZoEHBAnpK37nXz8o1008Q75wPsoB74tyJhvSK/KkMc/X:LHA1vweOR8CTwPnLKkM/u
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / IoC / process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (taskshostw.exe)
- Drops startup file (1 IoC)
  Processes (description / IoC / process):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskshostw.exe (taskshostw.exe)
- Executes dropped EXE (3 IoCs)
  Processes (PID / process):
  - 2800 taskshostw.exe
  - 3604 taskshostw.exe
  - 4704 taskshostw.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoC)
  Processes (PID / process):
  - 4360 timeout.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (PID / process):
  - 3084 powershell.exe
  - 3084 powershell.exe
  - 1400 powershell.exe
  - 1400 powershell.exe
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  Processes (description / PID / process):
  - Token: SeDebugPrivilege, 1048, 124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe
  - Token: SeBackupPrivilege, 4892, vssvc.exe
  - Token: SeRestorePrivilege, 4892, vssvc.exe
  - Token: SeAuditPrivilege, 4892, vssvc.exe
  - Token: SeDebugPrivilege, 3084, powershell.exe
  - Token: SeDebugPrivilege, 1400, powershell.exe
  - Token: SeDebugPrivilege, 2800, taskshostw.exe
  - Token: SeDebugPrivilege, 2800, taskshostw.exe
  - Token: SeDebugPrivilege, 3604, taskshostw.exe
  - Token: SeDebugPrivilege, 4704, taskshostw.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description / PID / process / target process):
  - PID 1048 wrote to memory of 3084: 124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe -> powershell.exe
  - PID 1048 wrote to memory of 3084: 124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe -> powershell.exe
  - PID 1048 wrote to memory of 1400: 124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe -> powershell.exe
  - PID 1048 wrote to memory of 1400: 124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe -> powershell.exe
  - PID 1048 wrote to memory of 3784: 124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe -> cmd.exe
  - PID 1048 wrote to memory of 3784: 124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe -> cmd.exe
  - PID 3784 wrote to memory of 4360: cmd.exe -> timeout.exe
  - PID 3784 wrote to memory of 4360: cmd.exe -> timeout.exe
  - PID 2800 wrote to memory of 4540: taskshostw.exe -> schtasks.exe
  - PID 2800 wrote to memory of 4540: taskshostw.exe -> schtasks.exe
Processes (tree; child processes are indented under their parent)
- C:\Users\Admin\AppData\Local\Temp\124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe (PID 1048)
  Command line: "C:\Users\Admin\AppData\Local\Temp\124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3084)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\taskshostw.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1400)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskshostw.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe (PID 3784)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1BE4.tmp.bat""
      - Suspicious use of WriteProcessMemory
      Child processes:
        - C:\Windows\system32\timeout.exe (PID 4360)
          Command line: timeout 3
          - Delays execution with timeout.exe
- C:\Windows\system32\vssvc.exe (PID 4892)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\taskshostw.exe (PID 2800)
  Command line: C:\Users\Admin\AppData\Local\Temp\taskshostw.exe
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
    - C:\Windows\System32\schtasks.exe (PID 4540)
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "taskshostw" /tr "C:\Users\Admin\AppData\Roaming\taskshostw.exe"
      - Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\taskshostw.exe (PID 3604)
  Command line: C:\Users\Admin\AppData\Roaming\taskshostw.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\taskshostw.exe (PID 4704)
  Command line: C:\Users\Admin\AppData\Roaming\taskshostw.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads