Analysis
max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-03-2023 09:33
Static task: static1
Behavioral task: behavioral1
Sample: 124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe
Resource: win10v2004-20230220-en
General
Target: 124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe
Size: 245KB
MD5: e538f67d529d672c55304f3c9ad05392
SHA1: f7ff40a1901d51dd6222b420bbece575b46b2cd2
SHA256: 124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf
SHA512: 22344125223dcc5d66a5d0a6b860e547b408123d75e3d8f698fa45b9ea33e7a736ccaa7ae4e32a0989a9d0637db16443502e7bd56beb8093bb6c09a0289361c6
SSDEEP: 3072:eTIu4ZQ8M2A1vA7m5+C6ZoEHBAnpK37nXz8o1008Q75wPsoB74tyJhvSK/KkMc/X:LHA1vweOR8CTwPnLKkM/u
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe: key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation
  taskshostw.exe: key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation
-
Drops startup file (1 IoC)
Processes:
  taskshostw.exe: file created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskshostw.exe
-
Executes dropped EXE (4 IoCs)
Processes:
  PID 1664 taskshostw.exe
  PID 4176 taskshostw.exe
  PID 4160 taskshostw.exe
  PID 4872 taskshostw.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe (1 IoC)
Processes:
  PID 340 timeout.exe
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  PID 4752 powershell.exe (2 IoCs)
  PID 1556 powershell.exe (2 IoCs)
-
Suspicious use of AdjustPrivilegeToken (11 IoCs)
Processes (token / PID / process):
  SeDebugPrivilege    2112  124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe
  SeBackupPrivilege   4340  vssvc.exe
  SeRestorePrivilege  4340  vssvc.exe
  SeAuditPrivilege    4340  vssvc.exe
  SeDebugPrivilege    4752  powershell.exe
  SeDebugPrivilege    1556  powershell.exe
  SeDebugPrivilege    1664  taskshostw.exe
  SeDebugPrivilege    1664  taskshostw.exe
  SeDebugPrivilege    4176  taskshostw.exe
  SeDebugPrivilege    4160  taskshostw.exe
  SeDebugPrivilege    4872  taskshostw.exe
-
Suspicious use of WriteProcessMemory (10 IoCs)
Processes (PID / process -> target PID / target process; each pair is reported twice):
  2112 124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe -> 4752 powershell.exe (2 IoCs)
  2112 124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe -> 1556 powershell.exe (2 IoCs)
  2112 124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe -> 3220 cmd.exe (2 IoCs)
  3220 cmd.exe -> 340 timeout.exe (2 IoCs)
  1664 taskshostw.exe -> 1844 schtasks.exe (2 IoCs)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Tree depth is shown as [1] (top level), [2] (child), [3] (grandchild); each entry gives the image, its PID, the command line and the signatures it triggered.
-
[1] C:\Users\Admin\AppData\Local\Temp\124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe (PID 2112)
    command line: "C:\Users\Admin\AppData\Local\Temp\124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4752)
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\taskshostw.exe'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1556)
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskshostw.exe'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\system32\cmd.exe (PID 3220)
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9C93.tmp.bat""
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\timeout.exe (PID 340)
            command line: timeout 3
            - Delays execution with timeout.exe
-
[1] C:\Windows\system32\vssvc.exe (PID 4340)
    command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
-
[1] C:\Users\Admin\AppData\Local\Temp\taskshostw.exe (PID 1664)
    command line: C:\Users\Admin\AppData\Local\Temp\taskshostw.exe
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\schtasks.exe (PID 1844)
        command line: "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "taskshostw" /tr "C:\Users\Admin\AppData\Roaming\taskshostw.exe"
        - Creates scheduled task(s)
-
[1] C:\Users\Admin\AppData\Roaming\taskshostw.exe (PID 4176)
    command line: C:\Users\Admin\AppData\Roaming\taskshostw.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
-
[1] C:\Users\Admin\AppData\Roaming\taskshostw.exe (PID 4160)
    command line: C:\Users\Admin\AppData\Roaming\taskshostw.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
-
[1] C:\Users\Admin\AppData\Roaming\taskshostw.exe (PID 4872)
    command line: C:\Users\Admin\AppData\Roaming\taskshostw.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
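The process tree above carries the whole story in its command lines: two PowerShell calls that add a Defender path exclusion and a process exclusion for taskshostw.exe, a .bat in Temp that only sleeps via timeout, and a schtasks /create that re-runs the Roaming copy every minute. The script below is an added example (not the sandbox's signature engine and not code from the sample) that replays those entries as constructed events and applies generic triage heuristics to them; rule names, the 5-minute interval threshold, the LOLBIN list and the parent links for the tree's top-level entries (ppid None) are assumptions. Its last check is the one that matters most here: it ties the exclusions to every later process whose path or name falls under them.

```python
"""Triage heuristics over process-creation events (added example, not the
sandbox's signature engine or code from the sample). EVENTS is constructed from
the process tree above; ppid None marks the tree's top-level entries. Rule
names, the 5-minute threshold and the LOLBIN list are assumptions."""
import re
from collections import namedtuple
from typing import Optional

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")
Finding = namedtuple("Finding", "rule pid detail")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TEMP_DROP = r"C:\Users\Admin\AppData\Local\Temp\taskshostw.exe"
ROAM_DROP = r"C:\Users\Admin\AppData\Roaming\taskshostw.exe"

EVENTS = [  # constructed from the report's process tree
    ProcEvent(2112, None, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4752, 2112, PS, f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{TEMP_DROP}'"),
    ProcEvent(1556, 2112, PS, f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskshostw.exe'"),
    ProcEvent(3220, 2112, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9C93.tmp.bat""'),
    ProcEvent(340, 3220, r"C:\Windows\system32\timeout.exe", "timeout 3"),
    ProcEvent(4340, None, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    ProcEvent(1664, None, TEMP_DROP, TEMP_DROP),
    ProcEvent(1844, 1664, r"C:\Windows\System32\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "taskshostw" /tr "C:\Users\Admin\AppData\Roaming\taskshostw.exe"'),
    ProcEvent(4176, None, ROAM_DROP, ROAM_DROP),
    ProcEvent(4160, None, ROAM_DROP, ROAM_DROP),
    ProcEvent(4872, None, ROAM_DROP, ROAM_DROP),
]

_TOKEN = re.compile(r'"([^"]*)"|\'([^\']*)\'|(\S+)')
# Paths a standard user can write to: a parent or task target living here is worth a look.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)
EXCLUSION_PARAMS = {"-exclusionpath", "-exclusionprocess", "-exclusionextension", "-exclusionipaddress"}
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "schtasks.exe", "wscript.exe", "mshta.exe"}

def tokens(cmdline: str) -> list:
    """Split a command line on whitespace, stripping the quotes around each token."""
    return [a or b or c for a, b, c in _TOKEN.findall(cmdline)]

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def defender_exclusions(ev: ProcEvent) -> list:
    """(parameter, value) pairs from an Add-/Set-MpPreference call that adds exclusions."""
    if basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return []
    toks = tokens(ev.cmdline)
    low = [t.lower() for t in toks]
    if not {"add-mppreference", "set-mppreference"} & set(low):
        return []
    return [(toks[i].lstrip("-"), toks[i + 1])
            for i, t in enumerate(low) if t in EXCLUSION_PARAMS and i + 1 < len(toks)]

def schtasks_create(ev: ProcEvent) -> Optional[dict]:
    """Lower-cased switch -> value map for `schtasks /create`; valueless switches such as /f are dropped."""
    if basename(ev.image) != "schtasks.exe":
        return None
    toks = tokens(ev.cmdline)
    low = [t.lower() for t in toks]
    if "/create" not in low:
        return None
    return {t: toks[i + 1] for i, t in enumerate(low)
            if t.startswith("/") and i + 1 < len(toks) and not low[i + 1].startswith("/")}

def interval_minutes(args: dict) -> Optional[int]:
    """Repeat interval in minutes from /sc and /mo; None for schedules that are not periodic."""
    n = int(args.get("/mo", "1"))
    return {"minute": n, "hourly": 60 * n, "daily": 1440 * n}.get(args.get("/sc", "").lower())

def analyse(events: list) -> list:
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    findings, excluded = [], set()
    for e in events:
        base, parent = basename(e.image), by_pid.get(e.ppid)
        if parent and base in LOLBINS and USER_WRITABLE.match(parent.image):
            findings.append(Finding("lolbin_from_user_writable_parent", e.pid, f"{parent.image} -> {base}"))
        for param, value in defender_exclusions(e):
            excluded.add(value.lower())  # remembered for the second pass
            bypass = " (ExecutionPolicy Bypass)" if "-executionpolicy" in e.cmdline.lower() else ""
            findings.append(Finding("defender_exclusion", e.pid, f"{param}={value}{bypass}"))
        args = schtasks_create(e)
        if args is not None:
            mins = interval_minutes(args)
            if mins is not None and mins <= 5:
                findings.append(Finding("schtasks_high_frequency", e.pid,
                                        f"task {args.get('/tn')} every {mins} min -> {args.get('/tr')}"))
        # cmd.exe running a .bat out of Temp whose only child is timeout.exe: a sandbox-evasion sleep
        if base == "cmd.exe" and re.search(r"\\temp\\[^\s\"]+\.bat", e.cmdline, re.I) \
                and any(basename(c.image) == "timeout.exe" for c in children.get(e.pid, [])):
            findings.append(Finding("temp_bat_with_delay", e.pid, e.cmdline))
    # Second pass: anything that later executes under an exclusion created during the run.
    for e in events:
        if e.image.lower() in excluded or basename(e.image) in excluded:
            findings.append(Finding("runs_under_defender_exclusion", e.pid, e.image))
    return findings

if __name__ == "__main__":
    print(*analyse(EVENTS), sep="\n")
```

On a live host the same rules would run over Sysmon Event ID 1 or Security 4688 records (with command-line auditing enabled) instead of a sandbox tree. Against the events above they flag both Add-MpPreference calls, the one-minute task, the delaying .bat, the four LOLBins launched by a binary in a user-writable path, and all four taskshostw.exe executions as running under an exclusion the sample created moments earlier.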
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize: 1KB
MD5: c952c967a6c1013f7155cc3efed8cd03
SHA1: dc5bbab6c51387ee4d9863415a196e297457d045
SHA256: f825024aeb196af7aa49d77dccfae841aa55f9fef1c1f6f8f1e0c61032f8be12
SHA512: 8126ef222f9ed0f332f56b8754ed24845fc03fadcbe61bf6d82e07da81b143e120ce82be14e59dc98b460e399563e8461bf0925089a71008af58b3acd6d6afef
-
Filesize: 944B
MD5: 62623d22bd9e037191765d5083ce16a3
SHA1: 4a07da6872672f715a4780513d95ed8ddeefd259
SHA256: 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA512: 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 245KB (hashes identical to the submitted sample; this entry appears five times in the report)
MD5: e538f67d529d672c55304f3c9ad05392
SHA1: f7ff40a1901d51dd6222b420bbece575b46b2cd2
SHA256: 124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf
SHA512: 22344125223dcc5d66a5d0a6b860e547b408123d75e3d8f698fa45b9ea33e7a736ccaa7ae4e32a0989a9d0637db16443502e7bd56beb8093bb6c09a0289361c6
-
Filesize: 216B
MD5: 2052a1cdd652fa25177f7c41907c291a
SHA1: 8159803678f2182792c58c799f1342c2a3f8239c
SHA256: 04980596eda42833aef5c30bfed3261b4cc9309dafe609621ff166aa2211f3b1
SHA512: 46fd59ed2b30d2afc86edb4d7a3effd320266923b452be42f55d6c92b9b883825f7755e6f324b72ed700ee63a05a05da9287d29350caa1f7275c670346a5401f