Analysis
-
max time kernel: 73s
max time network: 84s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
submitted: 05/05/2023, 01:27
Static task
static1
Behavioral task
behavioral1
Sample
35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe
Resource
win10v2004-20230220-en
General
-
Target
35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe
-
Size
899KB
-
MD5
c011326ff5f864290617144c3dddcc88
-
SHA1
257d10e95aeec5d8c63e4d1369c5cbf244568bf7
-
SHA256
35bc2054162c7288b55caecc386d129b5b03e2a97985f659913338195be78491
-
SHA512
894e43a4265c396b0721ea3fb99991047cc33aa36fc9f2f8fb47c5f66813a8226589b8ed045a1edc2279654cf3b933f413a434cf42f1fcd11f52ff3d6bd2a07a
-
SSDEEP
12288:qeU8P7AlfzNA1Na+tIHBvD0hECB8dIxZZeyAnE/sTZ32jQnQeH//WmrHcjhS:q8Cf0a+6ghEC7XV+8Qnjf/WmTGhS
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation
Process: 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe
Executes dropped EXE 1 IoCs
PID 2840: microsafte.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID 3804: schtasks.exe
Delays execution with timeout.exe 1 IoCs
PID 1384: timeout.exe
Suspicious behavior: EnumeratesProcesses 23 IoCs
PID 5060: 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe (23 occurrences)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Token: SeDebugPrivilege  PID 5060: 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe
Token: SeDebugPrivilege  PID 2840: microsafte.exe
Suspicious use of WriteProcessMemory 15 IoCs
description | pid | Process | procid_target
PID 5060 wrote to memory of 1780 | 5060 | 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe | 87 (3 occurrences)
PID 5060 wrote to memory of 4716 | 5060 | 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe | 88 (3 occurrences)
PID 4716 wrote to memory of 1384 | 4716 | cmd.exe | 91 (3 occurrences)
PID 1780 wrote to memory of 3804 | 1780 | cmd.exe | 92 (3 occurrences)
PID 4716 wrote to memory of 2840 | 4716 | cmd.exe | 93 (3 occurrences)
Processes
-
C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 5060

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn 35BC2054162C7288B55CAECC386D129B5B03E2A97985F /tr '"C:\Users\Admin\AppData\Roaming\microsafte.exe"' & exit
    - Suspicious use of WriteProcessMemory
    PID: 1780

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /ru system /rl highest /tn 35BC2054162C7288B55CAECC386D129B5B03E2A97985F /tr '"C:\Users\Admin\AppData\Roaming\microsafte.exe"'
      - Creates scheduled task(s)
      PID: 3804

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFFF0.tmp.bat""
    - Suspicious use of WriteProcessMemory
    PID: 4716

    C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 3
      - Delays execution with timeout.exe
      PID: 1384

    C:\Users\Admin\AppData\Roaming\microsafte.exe
      Command line: "C:\Users\Admin\AppData\Roaming\microsafte.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2840
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 154B
MD5: d26694bfd15acd5775c29d189045bbe6
SHA1: 893b7defce5fe3988a4e8bf8a5d8e679b3edc5a6
SHA256: 5e11081c672842b0a1906b6f060d98af815894bfc4fd163cbef736b76a5df590
SHA512: 2b935482cfc469727d4446f6045c4d9d8ed08060f885a3d46ddfb0051e544f26ea5b1a695b5f05104249209c7c9d75ac9d5c47398b26f45e151c5548b6a8a873
-
Filesize: 899KB
MD5: c011326ff5f864290617144c3dddcc88
SHA1: 257d10e95aeec5d8c63e4d1369c5cbf244568bf7
SHA256: 35bc2054162c7288b55caecc386d129b5b03e2a97985f659913338195be78491
SHA512: 894e43a4265c396b0721ea3fb99991047cc33aa36fc9f2f8fb47c5f66813a8226589b8ed045a1edc2279654cf3b933f413a434cf42f1fcd11f52ff3d6bd2a07a
-
Filesize: 899KB
MD5: c011326ff5f864290617144c3dddcc88
SHA1: 257d10e95aeec5d8c63e4d1369c5cbf244568bf7
SHA256: 35bc2054162c7288b55caecc386d129b5b03e2a97985f659913338195be78491
SHA512: 894e43a4265c396b0721ea3fb99991047cc33aa36fc9f2f8fb47c5f66813a8226589b8ed045a1edc2279654cf3b933f413a434cf42f1fcd11f52ff3d6bd2a07a