5151d9be1858521ad1539b519263c452d71dd626d0801ce72d349a42161b695e

Analysis

max time kernel
60s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2023, 06:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

m2017249.exe
Size

968KB
MD5

8ce9f6c4cde0cc4c45f0f43ed0745368
SHA1

fc6a14a688eb00a110370330cc804b6131fd4683
SHA256

5151d9be1858521ad1539b519263c452d71dd626d0801ce72d349a42161b695e
SHA512

0266252b44c97080f48f541ea672019eeab03855ce2f4d9b08f0ceb8ab14e07714f56f520d8fa21b9ca274ebff471fe1927793426a341ec5cea3454f5d4525ae
SSDEEP

12288:6tLTyenMEh/rI+Ea4seWbh1/PjsrCe3NsGTzbEr6JeUc/X016JNHJPXFk2LxvTr2:6tieMEe+HeWXjsldP3

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	m2017249.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 7 IoCs

pid	Process
1940	oneetx.exe
4916	oneetx.exe
4028	oneetx.exe
4648	oneetx.exe
3920	oneetx.exe
752	oneetx.exe
3712	oneetx.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4364 set thread context of 3636	4364	m2017249.exe	83
PID 1940 set thread context of 4648	1940	oneetx.exe	90
PID 3920 set thread context of 3712	3920	oneetx.exe	107

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2384	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4364	m2017249.exe
Token: SeDebugPrivilege	1940	oneetx.exe
Token: SeDebugPrivilege	3920	oneetx.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3636	m2017249.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 3636	4364	m2017249.exe	83
PID 4364 wrote to memory of 3636	4364	m2017249.exe	83
PID 4364 wrote to memory of 3636	4364	m2017249.exe	83
PID 4364 wrote to memory of 3636	4364	m2017249.exe	83
PID 4364 wrote to memory of 3636	4364	m2017249.exe	83
PID 4364 wrote to memory of 3636	4364	m2017249.exe	83
PID 4364 wrote to memory of 3636	4364	m2017249.exe	83
PID 4364 wrote to memory of 3636	4364	m2017249.exe	83
PID 4364 wrote to memory of 3636	4364	m2017249.exe	83
PID 4364 wrote to memory of 3636	4364	m2017249.exe	83
PID 3636 wrote to memory of 1940	3636	m2017249.exe	84
PID 3636 wrote to memory of 1940	3636	m2017249.exe	84
PID 3636 wrote to memory of 1940	3636	m2017249.exe	84
PID 1940 wrote to memory of 4916	1940	oneetx.exe	85
PID 1940 wrote to memory of 4916	1940	oneetx.exe	85
PID 1940 wrote to memory of 4916	1940	oneetx.exe	85
PID 1940 wrote to memory of 4916	1940	oneetx.exe	85
PID 1940 wrote to memory of 4028	1940	oneetx.exe	86
PID 1940 wrote to memory of 4028	1940	oneetx.exe	86
PID 1940 wrote to memory of 4028	1940	oneetx.exe	86
PID 1940 wrote to memory of 4028	1940	oneetx.exe	86
PID 1940 wrote to memory of 4648	1940	oneetx.exe	90
PID 1940 wrote to memory of 4648	1940	oneetx.exe	90
PID 1940 wrote to memory of 4648	1940	oneetx.exe	90
PID 1940 wrote to memory of 4648	1940	oneetx.exe	90
PID 1940 wrote to memory of 4648	1940	oneetx.exe	90
PID 1940 wrote to memory of 4648	1940	oneetx.exe	90
PID 1940 wrote to memory of 4648	1940	oneetx.exe	90
PID 1940 wrote to memory of 4648	1940	oneetx.exe	90
PID 1940 wrote to memory of 4648	1940	oneetx.exe	90
PID 1940 wrote to memory of 4648	1940	oneetx.exe	90
PID 4648 wrote to memory of 2384	4648	oneetx.exe	92
PID 4648 wrote to memory of 2384	4648	oneetx.exe	92
PID 4648 wrote to memory of 2384	4648	oneetx.exe	92
PID 4648 wrote to memory of 1784	4648	oneetx.exe	94
PID 4648 wrote to memory of 1784	4648	oneetx.exe	94
PID 4648 wrote to memory of 1784	4648	oneetx.exe	94
PID 1784 wrote to memory of 5012	1784	cmd.exe	96
PID 1784 wrote to memory of 5012	1784	cmd.exe	96
PID 1784 wrote to memory of 5012	1784	cmd.exe	96
PID 1784 wrote to memory of 2636	1784	cmd.exe	97
PID 1784 wrote to memory of 2636	1784	cmd.exe	97
PID 1784 wrote to memory of 2636	1784	cmd.exe	97
PID 1784 wrote to memory of 4824	1784	cmd.exe	98
PID 1784 wrote to memory of 4824	1784	cmd.exe	98
PID 1784 wrote to memory of 4824	1784	cmd.exe	98
PID 1784 wrote to memory of 2828	1784	cmd.exe	99
PID 1784 wrote to memory of 2828	1784	cmd.exe	99
PID 1784 wrote to memory of 2828	1784	cmd.exe	99
PID 1784 wrote to memory of 1296	1784	cmd.exe	100
PID 1784 wrote to memory of 1296	1784	cmd.exe	100
PID 1784 wrote to memory of 1296	1784	cmd.exe	100
PID 1784 wrote to memory of 3656	1784	cmd.exe	101
PID 1784 wrote to memory of 3656	1784	cmd.exe	101
PID 1784 wrote to memory of 3656	1784	cmd.exe	101
PID 3920 wrote to memory of 752	3920	oneetx.exe	106
PID 3920 wrote to memory of 752	3920	oneetx.exe	106
PID 3920 wrote to memory of 752	3920	oneetx.exe	106
PID 3920 wrote to memory of 752	3920	oneetx.exe	106
PID 3920 wrote to memory of 3712	3920	oneetx.exe	107
PID 3920 wrote to memory of 3712	3920	oneetx.exe	107
PID 3920 wrote to memory of 3712	3920	oneetx.exe	107
PID 3920 wrote to memory of 3712	3920	oneetx.exe	107
PID 3920 wrote to memory of 3712	3920	oneetx.exe	107

C:\Users\Admin\AppData\Local\Temp\m2017249.exe
"C:\Users\Admin\AppData\Local\Temp\m2017249.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Users\Admin\AppData\Local\Temp\m2017249.exe
  C:\Users\Admin\AppData\Local\Temp\m2017249.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
      C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
      4⤵
      Executes dropped EXE
      PID:4916
  - - C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
      C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
      4⤵
      Executes dropped EXE
      PID:4028
  - - C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
      C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4648
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:2384
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1784
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:5012
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        6⤵
        
        PID:2636
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        6⤵
        
        PID:4824
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:2828
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c3912af058" /P "Admin:N"
        6⤵
        
        PID:1296
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c3912af058" /P "Admin:R" /E
        6⤵
        
        PID:3656

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  2⤵
  - Executes dropped EXE
  PID:752
- C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  2⤵
  - Executes dropped EXE
  PID:3712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oneetx.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
968KB

MD5
8ce9f6c4cde0cc4c45f0f43ed0745368

SHA1
fc6a14a688eb00a110370330cc804b6131fd4683

SHA256
5151d9be1858521ad1539b519263c452d71dd626d0801ce72d349a42161b695e

SHA512
0266252b44c97080f48f541ea672019eeab03855ce2f4d9b08f0ceb8ab14e07714f56f520d8fa21b9ca274ebff471fe1927793426a341ec5cea3454f5d4525ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
968KB

MD5
8ce9f6c4cde0cc4c45f0f43ed0745368

SHA1
fc6a14a688eb00a110370330cc804b6131fd4683

SHA256
5151d9be1858521ad1539b519263c452d71dd626d0801ce72d349a42161b695e

SHA512
0266252b44c97080f48f541ea672019eeab03855ce2f4d9b08f0ceb8ab14e07714f56f520d8fa21b9ca274ebff471fe1927793426a341ec5cea3454f5d4525ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
968KB

MD5
8ce9f6c4cde0cc4c45f0f43ed0745368

SHA1
fc6a14a688eb00a110370330cc804b6131fd4683

SHA256
5151d9be1858521ad1539b519263c452d71dd626d0801ce72d349a42161b695e

SHA512
0266252b44c97080f48f541ea672019eeab03855ce2f4d9b08f0ceb8ab14e07714f56f520d8fa21b9ca274ebff471fe1927793426a341ec5cea3454f5d4525ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
968KB

MD5
8ce9f6c4cde0cc4c45f0f43ed0745368

SHA1
fc6a14a688eb00a110370330cc804b6131fd4683

SHA256
5151d9be1858521ad1539b519263c452d71dd626d0801ce72d349a42161b695e

SHA512
0266252b44c97080f48f541ea672019eeab03855ce2f4d9b08f0ceb8ab14e07714f56f520d8fa21b9ca274ebff471fe1927793426a341ec5cea3454f5d4525ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
968KB

MD5
8ce9f6c4cde0cc4c45f0f43ed0745368

SHA1
fc6a14a688eb00a110370330cc804b6131fd4683

SHA256
5151d9be1858521ad1539b519263c452d71dd626d0801ce72d349a42161b695e

SHA512
0266252b44c97080f48f541ea672019eeab03855ce2f4d9b08f0ceb8ab14e07714f56f520d8fa21b9ca274ebff471fe1927793426a341ec5cea3454f5d4525ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
968KB

MD5
8ce9f6c4cde0cc4c45f0f43ed0745368

SHA1
fc6a14a688eb00a110370330cc804b6131fd4683

SHA256
5151d9be1858521ad1539b519263c452d71dd626d0801ce72d349a42161b695e

SHA512
0266252b44c97080f48f541ea672019eeab03855ce2f4d9b08f0ceb8ab14e07714f56f520d8fa21b9ca274ebff471fe1927793426a341ec5cea3454f5d4525ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
968KB

MD5
8ce9f6c4cde0cc4c45f0f43ed0745368

SHA1
fc6a14a688eb00a110370330cc804b6131fd4683

SHA256
5151d9be1858521ad1539b519263c452d71dd626d0801ce72d349a42161b695e

SHA512
0266252b44c97080f48f541ea672019eeab03855ce2f4d9b08f0ceb8ab14e07714f56f520d8fa21b9ca274ebff471fe1927793426a341ec5cea3454f5d4525ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
968KB

MD5
8ce9f6c4cde0cc4c45f0f43ed0745368

SHA1
fc6a14a688eb00a110370330cc804b6131fd4683

SHA256
5151d9be1858521ad1539b519263c452d71dd626d0801ce72d349a42161b695e

SHA512
0266252b44c97080f48f541ea672019eeab03855ce2f4d9b08f0ceb8ab14e07714f56f520d8fa21b9ca274ebff471fe1927793426a341ec5cea3454f5d4525ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
968KB

MD5
8ce9f6c4cde0cc4c45f0f43ed0745368

SHA1
fc6a14a688eb00a110370330cc804b6131fd4683

SHA256
5151d9be1858521ad1539b519263c452d71dd626d0801ce72d349a42161b695e

SHA512
0266252b44c97080f48f541ea672019eeab03855ce2f4d9b08f0ceb8ab14e07714f56f520d8fa21b9ca274ebff471fe1927793426a341ec5cea3454f5d4525ae

Download Submit
memory/1940-154-0x0000000007C30000-0x0000000007C40000-memory.dmp

Filesize
64KB

Download
memory/3636-139-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3636-153-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3636-138-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3636-137-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3636-135-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3712-174-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3712-173-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3712-172-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3920-168-0x0000000007650000-0x0000000007660000-memory.dmp

Filesize
64KB

Download
memory/4364-133-0x00000000002F0000-0x00000000003E8000-memory.dmp

Filesize
992KB

Download
memory/4364-134-0x0000000007130000-0x0000000007140000-memory.dmp

Filesize
64KB

Download
memory/4648-164-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4648-163-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4648-162-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4648-161-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads