Analysis
- max time kernel: 89s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/05/2023, 01:26

Static task: static1

Behavioral task: behavioral1
- Sample: 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe
- Resource: win7-20230220-en

Behavioral task: behavioral2
- Sample: 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe
- Resource: win10v2004-20230221-en
General
- Target: 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe
- Size: 899KB
- MD5: c011326ff5f864290617144c3dddcc88
- SHA1: 257d10e95aeec5d8c63e4d1369c5cbf244568bf7
- SHA256: 35bc2054162c7288b55caecc386d129b5b03e2a97985f659913338195be78491
- SHA512: 894e43a4265c396b0721ea3fb99991047cc33aa36fc9f2f8fb47c5f66813a8226589b8ed045a1edc2279654cf3b933f413a434cf42f1fcd11f52ff3d6bd2a07a
- SSDEEP: 12288:qeU8P7AlfzNA1Na+tIHBvD0hECB8dIxZZeyAnE/sTZ32jQnQeH//WmrHcjhS:q8Cf0a+6ghEC7XV+8Qnjf/WmTGhS
Malware Config
Signatures

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation
  Process: 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe

- Executes dropped EXE (1 IoC)
  PID 3792: microsafte.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is created with /sc onlogon /ru system /rl highest, so the action runs as SYSTEM at every logon, and the action points at a user-writable path (C:\Users\Admin\AppData\Roaming\microsafte.exe).
  PID 2080: schtasks.exe

- Delays execution with timeout.exe (1 IoC)
  PID 2324: timeout.exe (timeout 3, i.e. a 3-second sleep before the dropped copy is started)

- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  PID 4620: 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe (all 23 entries)

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 4620, 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe
  Token: SeDebugPrivilege, PID 3792, microsafte.exe

- Suspicious use of WriteProcessMemory (15 IoCs; each pair is recorded three times)
  description | pid | Process | procid_target
  PID 4620 wrote to memory of 924 | 4620 | 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe | 90 (x3)
  PID 4620 wrote to memory of 3404 | 4620 | 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe | 92 (x3)
  PID 3404 wrote to memory of 2324 | 3404 | cmd.exe | 95 (x3)
  PID 924 wrote to memory of 2080 | 924 | cmd.exe | 94 (x3)
  PID 3404 wrote to memory of 3792 | 3404 | cmd.exe | 96 (x3)
Processes

1. C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe (PID 4620)
   cmd: "C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe"
   - Checks computer location settings
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (PID 924)
      cmd: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn 35BC2054162C7288B55CAECC386D129B5B03E2A97985F /tr '"C:\Users\Admin\AppData\Roaming\microsafte.exe"' & exit
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\schtasks.exe (PID 2080)
         cmd: schtasks /create /f /sc onlogon /ru system /rl highest /tn 35BC2054162C7288B55CAECC386D129B5B03E2A97985F /tr '"C:\Users\Admin\AppData\Roaming\microsafte.exe"'
         - Creates scheduled task(s)
   2. C:\Windows\SysWOW64\cmd.exe (PID 3404)
      cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE0A1.tmp.bat""
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\timeout.exe (PID 2324)
         cmd: timeout 3
         - Delays execution with timeout.exe
      3. C:\Users\Admin\AppData\Roaming\microsafte.exe (PID 3792)
         cmd: "C:\Users\Admin\AppData\Roaming\microsafte.exe"
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken

Note: the command lines name System32 but the image paths resolve to SysWOW64. That is WOW64 file-system redirection, consistent with the arch:x86 tag: the sample is a 32-bit process running on 64-bit Windows, so hunts keyed on the System32 path alone will miss these child processes.
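The tree above shows two patterns worth detecting in endpoint telemetry: a scheduled task created as SYSTEM, at logon, with highest run level, whose action lives under the user's AppData; and a cmd.exe batch stub that sleeps with timeout.exe and then starts the dropped copy from AppData\Roaming. The following is an added example, not part of the sandbox report or the sample: a Python detector run over process-creation records constructed from the PIDs and command lines reported on this page. The record layout (pid, ppid, image, cmdline), the user-writable path list, the treatment of ping.exe as an equivalent sleep, and the "two or more traits" threshold are assumptions of this example.

```python
"""Added example: detection logic for the persistence and delayed-launch
pattern visible in the process tree above. Not part of the sandbox report;
the EVENTS list is constructed from the PIDs and command lines reported there."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcEvent:
    """One process-creation record (the fields Sysmon event 1 / Security 4688 provide)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\microsafte.exe"
SCHTASKS_ARGS = ("schtasks /create /f /sc onlogon /ru system /rl highest "
                 "/tn 35BC2054162C7288B55CAECC386D129B5B03E2A97985F "
                 "/tr '\"" + DROPPED + "\"'")

# Constructed from the process tree in this report (ppid 0 = root of the tree).
EVENTS = [
    ProcEvent(4620, 0, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(924, 4620, r"C:\Windows\SysWOW64\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /c ' + SCHTASKS_ARGS + " & exit"),
    ProcEvent(2080, 924, r"C:\Windows\SysWOW64\schtasks.exe", SCHTASKS_ARGS),
    ProcEvent(3404, 4620, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE0A1.tmp.bat""'),
    ProcEvent(2324, 3404, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    ProcEvent(3792, 3404, DROPPED, '"' + DROPPED + '"'),
]

# Tokens: a '...' group, a "..." group, or a run of non-whitespace.
TOKEN_RE = re.compile(r"""'[^']*'|"[^"]*"|\S+""")
# Locations a standard user can write to (assumed list; extend for your estate).
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\appdata\\|\\programdata\\|\\users\\public\\|\\windows\\temp\\", re.I)


def parse_schtasks(cmdline: str) -> Dict[str, str]:
    """Map each /switch of a schtasks invocation to its value ('' for bare switches
    such as /create and /f). One layer of ' or " quoting is stripped from values."""
    m = re.search(r"\bschtasks(?:\.exe)?\b", cmdline, re.I)
    if not m:
        return {}
    toks = TOKEN_RE.findall(cmdline[m.end():].lstrip('"'))
    opts: Dict[str, str] = {}
    i = 0
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key] = toks[i + 1].strip("'\"")
                i += 2
                continue
            opts[key] = ""
        i += 1
    return opts


def assess_task(opts: Dict[str, str]) -> List[str]:
    """Reasons a created task looks like malware persistence rather than admin work."""
    reasons: List[str] = []
    if "create" not in opts:
        return reasons
    if opts.get("ru", "").lower() in ("system", "nt authority\\system"):
        reasons.append("runs as SYSTEM (/ru system)")
    if opts.get("rl", "").lower() == "highest":
        reasons.append("requests highest run level (/rl highest)")
    if opts.get("sc", "").lower() in ("onlogon", "onstart"):
        reasons.append("triggers on logon/boot (/sc %s)" % opts["sc"])
    if USER_WRITABLE.search(opts.get("tr", "")):
        reasons.append("action lives in a user-writable path: " + opts["tr"])
    return reasons


def find_delayed_launch(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """cmd.exe running a .bat whose children include a sleep (timeout.exe, or
    ping.exe as the other common stand-in) and an executable started from a
    user-writable path: the 'wait for the parent, then run the dropped copy' stub."""
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    hits: List[Tuple[int, str]] = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe") or not re.search(r"\.bat\b", e.cmdline, re.I):
            continue
        kids = children[e.pid]
        sleeps = any(k.image.lower().endswith(("\\timeout.exe", "\\ping.exe")) for k in kids)
        for k in kids:
            if sleeps and k.image.lower().endswith(".exe") and USER_WRITABLE.search(k.image):
                hits.append((e.pid, k.image))
    return hits


def scan(events: List[ProcEvent]) -> List[str]:
    """Run both checks and return one finding per offending process."""
    findings: List[str] = []
    for e in events:
        reasons = assess_task(parse_schtasks(e.cmdline))
        if len(reasons) >= 2:  # a single trait alone is common in legitimate installers
            findings.append("pid %d: scheduled task %s" % (e.pid, "; ".join(reasons)))
    for ppid, image in find_delayed_launch(events):
        findings.append("pid %d: batch stub delayed launch of %s" % (ppid, image))
    return findings


if __name__ == "__main__":
    for line in scan(EVENTS):
        print(line)
```

Both the cmd.exe wrapper (PID 924) and schtasks.exe itself (PID 2080) carry the full argument string, so the task check fires twice for this sample; keeping both is deliberate, since on hosts where only one of the two events is collected you still get a hit. The parser deliberately looks for the literal word schtasks rather than trusting the image path, because the image here is under SysWOW64 while the command line says System32.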
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 154B
  MD5: 1f20853892eca7672700b4cd711f51a0
  SHA1: 0fa6cc3193eed0309420b599a693ddcf059cdb04
  SHA256: 2bef5ded7df5b5adc68ce46e54ba4b667c0859dc763ee2a098408a50073a6df7
  SHA512: 501e2302f69490145a7287765e81ece2bc057e262e7cbb9c79a66f86ca24004a130d2043722794ef8d48bcf1421555937b1e0617d3e0d0b119a3898954ff0cc1

- Filesize: 899KB (same hashes as the submitted sample)
  MD5: c011326ff5f864290617144c3dddcc88
  SHA1: 257d10e95aeec5d8c63e4d1369c5cbf244568bf7
  SHA256: 35bc2054162c7288b55caecc386d129b5b03e2a97985f659913338195be78491
  SHA512: 894e43a4265c396b0721ea3fb99991047cc33aa36fc9f2f8fb47c5f66813a8226589b8ed045a1edc2279654cf3b933f413a434cf42f1fcd11f52ff3d6bd2a07a

- Filesize: 899KB (same hashes as the submitted sample)
  MD5: c011326ff5f864290617144c3dddcc88
  SHA1: 257d10e95aeec5d8c63e4d1369c5cbf244568bf7
  SHA256: 35bc2054162c7288b55caecc386d129b5b03e2a97985f659913338195be78491
  SHA512: 894e43a4265c396b0721ea3fb99991047cc33aa36fc9f2f8fb47c5f66813a8226589b8ed045a1edc2279654cf3b933f413a434cf42f1fcd11f52ff3d6bd2a07a