124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17-03-2023 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe
Size

245KB
MD5

e538f67d529d672c55304f3c9ad05392
SHA1

f7ff40a1901d51dd6222b420bbece575b46b2cd2
SHA256

124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf
SHA512

22344125223dcc5d66a5d0a6b860e547b408123d75e3d8f698fa45b9ea33e7a736ccaa7ae4e32a0989a9d0637db16443502e7bd56beb8093bb6c09a0289361c6
SSDEEP

3072:eTIu4ZQ8M2A1vA7m5+C6ZoEHBAnpK37nXz8o1008Q75wPsoB74tyJhvSK/KkMc/X:LHA1vweOR8CTwPnLKkM/u

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exetaskshostw.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	taskshostw.exe

Drops startup file 1 IoCs

Processes:

taskshostw.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskshostw.exe taskshostw.exe
Executes dropped EXE 4 IoCs

Processes:

taskshostw.exetaskshostw.exetaskshostw.exetaskshostw.exe

pid process

1664 taskshostw.exe
4176 taskshostw.exe
4160 taskshostw.exe
4872 taskshostw.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1844 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

340 timeout.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

4752 powershell.exe
4752 powershell.exe
1556 powershell.exe
1556 powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskshostw.exe	taskshostw.exe

pid	process
1664	taskshostw.exe
4176	taskshostw.exe
4160	taskshostw.exe
4872	taskshostw.exe

pid	process
1844	schtasks.exe

pid	process
340	timeout.exe

pid	process
4752	powershell.exe
4752	powershell.exe
1556	powershell.exe
1556	powershell.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exevssvc.exepowershell.exepowershell.exetaskshostw.exetaskshostw.exetaskshostw.exetaskshostw.exe

description	pid	process
Token: SeDebugPrivilege	2112	124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe
Token: SeBackupPrivilege	4340	vssvc.exe
Token: SeRestorePrivilege	4340	vssvc.exe
Token: SeAuditPrivilege	4340	vssvc.exe
Token: SeDebugPrivilege	4752	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	1664	taskshostw.exe
Token: SeDebugPrivilege	1664	taskshostw.exe
Token: SeDebugPrivilege	4176	taskshostw.exe
Token: SeDebugPrivilege	4160	taskshostw.exe
Token: SeDebugPrivilege	4872	taskshostw.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.execmd.exetaskshostw.exe

description	pid	process	target process
PID 2112 wrote to memory of 4752	2112	124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe	powershell.exe
PID 2112 wrote to memory of 4752	2112	124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe	powershell.exe
PID 2112 wrote to memory of 1556	2112	124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe	powershell.exe
PID 2112 wrote to memory of 1556	2112	124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe	powershell.exe
PID 2112 wrote to memory of 3220	2112	124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe	cmd.exe
PID 2112 wrote to memory of 3220	2112	124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe	cmd.exe
PID 3220 wrote to memory of 340	3220	cmd.exe	timeout.exe
PID 3220 wrote to memory of 340	3220	cmd.exe	timeout.exe
PID 1664 wrote to memory of 1844	1664	taskshostw.exe	schtasks.exe
PID 1664 wrote to memory of 1844	1664	taskshostw.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe
"C:\Users\Admin\AppData\Local\Temp\124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\taskshostw.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskshostw.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9C93.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:3220

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:340

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4340

C:\Users\Admin\AppData\Local\Temp\taskshostw.exe
C:\Users\Admin\AppData\Local\Temp\taskshostw.exe
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "taskshostw" /tr "C:\Users\Admin\AppData\Roaming\taskshostw.exe"
2⤵
- Creates scheduled task(s)
PID:1844

C:\Users\Admin\AppData\Roaming\taskshostw.exe
C:\Users\Admin\AppData\Roaming\taskshostw.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Users\Admin\AppData\Roaming\taskshostw.exe
C:\Users\Admin\AppData\Roaming\taskshostw.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Users\Admin\AppData\Roaming\taskshostw.exe
C:\Users\Admin\AppData\Roaming\taskshostw.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\taskshostw.exe.log

Filesize
1KB

MD5
c952c967a6c1013f7155cc3efed8cd03

SHA1
dc5bbab6c51387ee4d9863415a196e297457d045

SHA256
f825024aeb196af7aa49d77dccfae841aa55f9fef1c1f6f8f1e0c61032f8be12

SHA512
8126ef222f9ed0f332f56b8754ed24845fc03fadcbe61bf6d82e07da81b143e120ce82be14e59dc98b460e399563e8461bf0925089a71008af58b3acd6d6afef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gzlmdrtn.wu0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskshostw.exe

Filesize
245KB

MD5
e538f67d529d672c55304f3c9ad05392

SHA1
f7ff40a1901d51dd6222b420bbece575b46b2cd2

SHA256
124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf

SHA512
22344125223dcc5d66a5d0a6b860e547b408123d75e3d8f698fa45b9ea33e7a736ccaa7ae4e32a0989a9d0637db16443502e7bd56beb8093bb6c09a0289361c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskshostw.exe

Filesize
245KB

MD5
e538f67d529d672c55304f3c9ad05392

SHA1
f7ff40a1901d51dd6222b420bbece575b46b2cd2

SHA256
124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf

SHA512
22344125223dcc5d66a5d0a6b860e547b408123d75e3d8f698fa45b9ea33e7a736ccaa7ae4e32a0989a9d0637db16443502e7bd56beb8093bb6c09a0289361c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9C93.tmp.bat

Filesize
216B

MD5
2052a1cdd652fa25177f7c41907c291a

SHA1
8159803678f2182792c58c799f1342c2a3f8239c

SHA256
04980596eda42833aef5c30bfed3261b4cc9309dafe609621ff166aa2211f3b1

SHA512
46fd59ed2b30d2afc86edb4d7a3effd320266923b452be42f55d6c92b9b883825f7755e6f324b72ed700ee63a05a05da9287d29350caa1f7275c670346a5401f

Download Submit
C:\Users\Admin\AppData\Roaming\taskshostw.exe

Filesize
245KB

MD5
e538f67d529d672c55304f3c9ad05392

SHA1
f7ff40a1901d51dd6222b420bbece575b46b2cd2

SHA256
124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf

SHA512
22344125223dcc5d66a5d0a6b860e547b408123d75e3d8f698fa45b9ea33e7a736ccaa7ae4e32a0989a9d0637db16443502e7bd56beb8093bb6c09a0289361c6

Download Submit
C:\Users\Admin\AppData\Roaming\taskshostw.exe

Filesize
245KB

MD5
e538f67d529d672c55304f3c9ad05392

SHA1
f7ff40a1901d51dd6222b420bbece575b46b2cd2

SHA256
124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf

SHA512
22344125223dcc5d66a5d0a6b860e547b408123d75e3d8f698fa45b9ea33e7a736ccaa7ae4e32a0989a9d0637db16443502e7bd56beb8093bb6c09a0289361c6

Download Submit
C:\Users\Admin\AppData\Roaming\taskshostw.exe

Filesize
245KB

MD5
e538f67d529d672c55304f3c9ad05392

SHA1
f7ff40a1901d51dd6222b420bbece575b46b2cd2

SHA256
124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf

SHA512
22344125223dcc5d66a5d0a6b860e547b408123d75e3d8f698fa45b9ea33e7a736ccaa7ae4e32a0989a9d0637db16443502e7bd56beb8093bb6c09a0289361c6

Download Submit
C:\Users\Admin\AppData\Roaming\taskshostw.exe

Filesize
245KB

MD5
e538f67d529d672c55304f3c9ad05392

SHA1
f7ff40a1901d51dd6222b420bbece575b46b2cd2

SHA256
124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf

SHA512
22344125223dcc5d66a5d0a6b860e547b408123d75e3d8f698fa45b9ea33e7a736ccaa7ae4e32a0989a9d0637db16443502e7bd56beb8093bb6c09a0289361c6

Download Submit
memory/1664-169-0x000000001DAA0000-0x000000001DAB0000-memory.dmp

Filesize
64KB

Download
memory/2112-133-0x0000000000950000-0x0000000000994000-memory.dmp

Filesize
272KB

Download
memory/4752-146-0x000002B9F49B0000-0x000002B9F49C0000-memory.dmp

Filesize
64KB

Download
memory/4752-144-0x000002B9F49B0000-0x000002B9F49C0000-memory.dmp

Filesize
64KB

Download
memory/4752-145-0x000002B9F49B0000-0x000002B9F49C0000-memory.dmp

Filesize
64KB

Download
memory/4752-134-0x000002B9F48D0000-0x000002B9F48F2000-memory.dmp

Filesize
136KB

Download