124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
10-02-2023 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe
Size

245KB
MD5

e538f67d529d672c55304f3c9ad05392
SHA1

f7ff40a1901d51dd6222b420bbece575b46b2cd2
SHA256

124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf
SHA512

22344125223dcc5d66a5d0a6b860e547b408123d75e3d8f698fa45b9ea33e7a736ccaa7ae4e32a0989a9d0637db16443502e7bd56beb8093bb6c09a0289361c6
SSDEEP

3072:eTIu4ZQ8M2A1vA7m5+C6ZoEHBAnpK37nXz8o1008Q75wPsoB74tyJhvSK/KkMc/X:LHA1vweOR8CTwPnLKkM/u

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exetaskshostw.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	taskshostw.exe

Drops startup file 1 IoCs

Processes:

taskshostw.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskshostw.exe taskshostw.exe
Executes dropped EXE 3 IoCs

Processes:

taskshostw.exetaskshostw.exetaskshostw.exe

pid process

2800 taskshostw.exe
3604 taskshostw.exe
4704 taskshostw.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4540 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4360 timeout.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

3084 powershell.exe
3084 powershell.exe
1400 powershell.exe
1400 powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskshostw.exe	taskshostw.exe

pid	process
2800	taskshostw.exe
3604	taskshostw.exe
4704	taskshostw.exe

pid	process
4540	schtasks.exe

pid	process
4360	timeout.exe

pid	process
3084	powershell.exe
3084	powershell.exe
1400	powershell.exe
1400	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exevssvc.exepowershell.exepowershell.exetaskshostw.exetaskshostw.exetaskshostw.exe

description	pid	process
Token: SeDebugPrivilege	1048	124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe
Token: SeBackupPrivilege	4892	vssvc.exe
Token: SeRestorePrivilege	4892	vssvc.exe
Token: SeAuditPrivilege	4892	vssvc.exe
Token: SeDebugPrivilege	3084	powershell.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	2800	taskshostw.exe
Token: SeDebugPrivilege	2800	taskshostw.exe
Token: SeDebugPrivilege	3604	taskshostw.exe
Token: SeDebugPrivilege	4704	taskshostw.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.execmd.exetaskshostw.exe

description	pid	process	target process
PID 1048 wrote to memory of 3084	1048	124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe	powershell.exe
PID 1048 wrote to memory of 3084	1048	124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe	powershell.exe
PID 1048 wrote to memory of 1400	1048	124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe	powershell.exe
PID 1048 wrote to memory of 1400	1048	124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe	powershell.exe
PID 1048 wrote to memory of 3784	1048	124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe	cmd.exe
PID 1048 wrote to memory of 3784	1048	124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe	cmd.exe
PID 3784 wrote to memory of 4360	3784	cmd.exe	timeout.exe
PID 3784 wrote to memory of 4360	3784	cmd.exe	timeout.exe
PID 2800 wrote to memory of 4540	2800	taskshostw.exe	schtasks.exe
PID 2800 wrote to memory of 4540	2800	taskshostw.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe
"C:\Users\Admin\AppData\Local\Temp\124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\taskshostw.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskshostw.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1BE4.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:3784

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:4360

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Users\Admin\AppData\Local\Temp\taskshostw.exe
C:\Users\Admin\AppData\Local\Temp\taskshostw.exe
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "taskshostw" /tr "C:\Users\Admin\AppData\Roaming\taskshostw.exe"
2⤵
- Creates scheduled task(s)
PID:4540

C:\Users\Admin\AppData\Roaming\taskshostw.exe
C:\Users\Admin\AppData\Roaming\taskshostw.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3604

C:\Users\Admin\AppData\Roaming\taskshostw.exe
C:\Users\Admin\AppData\Roaming\taskshostw.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\taskshostw.exe.log

Filesize
1KB

MD5
c952c967a6c1013f7155cc3efed8cd03

SHA1
dc5bbab6c51387ee4d9863415a196e297457d045

SHA256
f825024aeb196af7aa49d77dccfae841aa55f9fef1c1f6f8f1e0c61032f8be12

SHA512
8126ef222f9ed0f332f56b8754ed24845fc03fadcbe61bf6d82e07da81b143e120ce82be14e59dc98b460e399563e8461bf0925089a71008af58b3acd6d6afef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
358897459512b9d5c2be170ec908d608

SHA1
e148b7f56ef6acfb1559371f67c68ce9b8ab6078

SHA256
1905dc1d997787318b7e03374d0153fa77c08cf76167758d539b00c48e417d3e

SHA512
6edc8ecac30aa74f0eedbc33722878e0b8154e63f6c8f7cadca1b08c039535dc0fb64b046ba4631f269704d9bf7202fa1afb0f858aa5ae508387427b6f71627a

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskshostw.exe

Filesize
245KB

MD5
e538f67d529d672c55304f3c9ad05392

SHA1
f7ff40a1901d51dd6222b420bbece575b46b2cd2

SHA256
124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf

SHA512
22344125223dcc5d66a5d0a6b860e547b408123d75e3d8f698fa45b9ea33e7a736ccaa7ae4e32a0989a9d0637db16443502e7bd56beb8093bb6c09a0289361c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskshostw.exe

Filesize
245KB

MD5
e538f67d529d672c55304f3c9ad05392

SHA1
f7ff40a1901d51dd6222b420bbece575b46b2cd2

SHA256
124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf

SHA512
22344125223dcc5d66a5d0a6b860e547b408123d75e3d8f698fa45b9ea33e7a736ccaa7ae4e32a0989a9d0637db16443502e7bd56beb8093bb6c09a0289361c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1BE4.tmp.bat

Filesize
216B

MD5
c8e51789df8fcfa35bcc7550ac9b057d

SHA1
e9ee3692b504f1c7abea2779ecfb3d843967e9b1

SHA256
36e21fc402866713c90fa380e3507c0c5bff1eb7436fac79465549188048734c

SHA512
d4a7ed7e4280d7e1d13213448c983842472e652dbe2add21fd5ae866ad922a5440c75b70dd2aa5403e20b9ca05cc3fb26d1f5341127eb6195fc80d827d384d16

Download Submit
C:\Users\Admin\AppData\Roaming\taskshostw.exe

Filesize
245KB

MD5
e538f67d529d672c55304f3c9ad05392

SHA1
f7ff40a1901d51dd6222b420bbece575b46b2cd2

SHA256
124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf

SHA512
22344125223dcc5d66a5d0a6b860e547b408123d75e3d8f698fa45b9ea33e7a736ccaa7ae4e32a0989a9d0637db16443502e7bd56beb8093bb6c09a0289361c6

Download Submit
C:\Users\Admin\AppData\Roaming\taskshostw.exe

Filesize
245KB

MD5
e538f67d529d672c55304f3c9ad05392

SHA1
f7ff40a1901d51dd6222b420bbece575b46b2cd2

SHA256
124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf

SHA512
22344125223dcc5d66a5d0a6b860e547b408123d75e3d8f698fa45b9ea33e7a736ccaa7ae4e32a0989a9d0637db16443502e7bd56beb8093bb6c09a0289361c6

Download Submit
C:\Users\Admin\AppData\Roaming\taskshostw.exe

Filesize
245KB

MD5
e538f67d529d672c55304f3c9ad05392

SHA1
f7ff40a1901d51dd6222b420bbece575b46b2cd2

SHA256
124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf

SHA512
22344125223dcc5d66a5d0a6b860e547b408123d75e3d8f698fa45b9ea33e7a736ccaa7ae4e32a0989a9d0637db16443502e7bd56beb8093bb6c09a0289361c6

Download Submit
memory/1048-132-0x0000000000AC0000-0x0000000000B04000-memory.dmp

Filesize
272KB

Download
memory/1048-142-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/1048-147-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/1048-133-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/1400-138-0x0000000000000000-mapping.dmp

Download
memory/1400-141-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/1400-151-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/2800-145-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/2800-152-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/3084-135-0x0000026350960000-0x0000026350982000-memory.dmp

Filesize
136KB

Download
memory/3084-134-0x0000000000000000-mapping.dmp

Download
memory/3084-136-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/3084-137-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/3604-155-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download
memory/3784-146-0x0000000000000000-mapping.dmp

Download
memory/4360-149-0x0000000000000000-mapping.dmp

Download
memory/4540-150-0x0000000000000000-mapping.dmp

Download
memory/4704-158-0x00007FFE2FEB0000-0x00007FFE30971000-memory.dmp

Filesize
10.8MB

Download