3ab1efbbb6afd2c8a9a182ce719d4198596d2ca24a3aae0c18c21e27cafd3f71

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2023, 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe
Size

8.3MB
MD5

e34a10782d9dac4b81cbc788ac151fe3
SHA1

21516e86b86b245fb6520ae16a69814bfbe9c494
SHA256

44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9
SHA512

304a811b7608bd0da73e8f75c2c1b886b0cdc656e54993daf5c00b64622e6482cc8581e80fbdf8a4d8c8dcffe6053bec6a85354ccddbf3cfc5b63570340aac1f
SSDEEP

196608:whTb9B0BPrDz4pxgZZPy5RmStgxb/z6FDiSJXqeUh4mT7:eTb9epDz4MZZ4RmxYDiScfhH

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\Geo\Nation	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.lnk	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.lnk	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe

Executes dropped EXE 2 IoCs

pid	Process
2548	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe
3304	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9 = "C:\\Users\\Admin\\AppData\\Roaming\\44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe"	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
39	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4844	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4404	powershell.exe
4404	powershell.exe
2724	powershell.exe
2724	powershell.exe
4240	powershell.exe
4240	powershell.exe
4732	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4732	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	4240	powershell.exe
Token: SeDebugPrivilege	2548	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4732	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4732 wrote to memory of 4404	4732	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe	94
PID 4732 wrote to memory of 4404	4732	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe	94
PID 4732 wrote to memory of 4404	4732	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe	94
PID 4732 wrote to memory of 2724	4732	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe	96
PID 4732 wrote to memory of 2724	4732	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe	96
PID 4732 wrote to memory of 2724	4732	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe	96
PID 4732 wrote to memory of 4240	4732	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe	98
PID 4732 wrote to memory of 4240	4732	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe	98
PID 4732 wrote to memory of 4240	4732	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe	98
PID 4732 wrote to memory of 4844	4732	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe	101
PID 4732 wrote to memory of 4844	4732	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe	101
PID 4732 wrote to memory of 4844	4732	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe	101

C:\Users\Admin\AppData\Local\Temp\44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe
"C:\Users\Admin\AppData\Local\Temp\44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4404
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4240
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9" /tr "C:\Users\Admin\AppData\Roaming\44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe"
  2⤵
  - Creates scheduled task(s)
  PID:4844

C:\Users\Admin\AppData\Roaming\44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe
C:\Users\Admin\AppData\Roaming\44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Users\Admin\AppData\Roaming\44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe
C:\Users\Admin\AppData\Roaming\44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe
1⤵
- Executes dropped EXE
PID:3304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe.log

Filesize
1KB

MD5
a9361ad30054d2f7665453449a9f03bf

SHA1
247f441df6e20cd1c128f017948d76e1bd21577a

SHA256
f85751be66e3fb20f9d61debb89a0e0d3e73e8d690b78f36b9877b9b8d5635c8

SHA512
24e171e8a44053f0579fac9cd418fcde158b21c1ee471fd75e30c90a269508a33c08b775b4ffd01363e07199fca26577667a92f38838051051e311febb98b53f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
dd2cd4dc3e964da1c4c3aafd12420cb1

SHA1
114af61d2187b7e2013895e461bac37d7c59e87b

SHA256
5600a829599a8f87b4e30da73692444dc4542adf481c847be9120fd4c923e012

SHA512
b3290b834fa6bc9c38b3c4605d50400739d96265e1b242b49b136e2d2ac6edebaa165a962414d4ac58de303e37fe4f440db98a5500c6ce6484480251fff3c7c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
75e7e58f9d6398e6c1ba53f4766dcd50

SHA1
0d1bb4beb1f5ff4b50f987f2c7742259c461099b

SHA256
970366ad71dda78c43ac766c42ecbaeed704954e88d23cf737f0bd3e3a260971

SHA512
0b29763aaca4c331ffd22b2dffabe570e43d92e40063de54fc061840ec1cfa3e0d7ff262647325330c0726396cc7474183151fdd4a53ba579bb29753395a78f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1bxc0gwt.tr0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe

Filesize
8.3MB

MD5
e34a10782d9dac4b81cbc788ac151fe3

SHA1
21516e86b86b245fb6520ae16a69814bfbe9c494

SHA256
44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9

SHA512
304a811b7608bd0da73e8f75c2c1b886b0cdc656e54993daf5c00b64622e6482cc8581e80fbdf8a4d8c8dcffe6053bec6a85354ccddbf3cfc5b63570340aac1f

Download Submit
C:\Users\Admin\AppData\Roaming\44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe

Filesize
8.3MB

MD5
e34a10782d9dac4b81cbc788ac151fe3

SHA1
21516e86b86b245fb6520ae16a69814bfbe9c494

SHA256
44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9

SHA512
304a811b7608bd0da73e8f75c2c1b886b0cdc656e54993daf5c00b64622e6482cc8581e80fbdf8a4d8c8dcffe6053bec6a85354ccddbf3cfc5b63570340aac1f

Download Submit
C:\Users\Admin\AppData\Roaming\44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe

Filesize
8.3MB

MD5
e34a10782d9dac4b81cbc788ac151fe3

SHA1
21516e86b86b245fb6520ae16a69814bfbe9c494

SHA256
44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9

SHA512
304a811b7608bd0da73e8f75c2c1b886b0cdc656e54993daf5c00b64622e6482cc8581e80fbdf8a4d8c8dcffe6053bec6a85354ccddbf3cfc5b63570340aac1f

Download Submit
C:\Users\Admin\AppData\Roaming\44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe

Filesize
8.3MB

MD5
e34a10782d9dac4b81cbc788ac151fe3

SHA1
21516e86b86b245fb6520ae16a69814bfbe9c494

SHA256
44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9

SHA512
304a811b7608bd0da73e8f75c2c1b886b0cdc656e54993daf5c00b64622e6482cc8581e80fbdf8a4d8c8dcffe6053bec6a85354ccddbf3cfc5b63570340aac1f

Download Submit
memory/2548-249-0x0000000006040000-0x0000000006050000-memory.dmp

Filesize
64KB

Download
memory/2548-248-0x0000000006040000-0x0000000006050000-memory.dmp

Filesize
64KB

Download
memory/2724-207-0x000000007F920000-0x000000007F930000-memory.dmp

Filesize
64KB

Download
memory/2724-206-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/2724-196-0x000000006FA00000-0x000000006FA4C000-memory.dmp

Filesize
304KB

Download
memory/2724-195-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/2724-194-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/4240-210-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/4240-209-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/4240-221-0x000000006FA00000-0x000000006FA4C000-memory.dmp

Filesize
304KB

Download
memory/4240-231-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/4240-232-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/4404-145-0x0000000004C30000-0x0000000005258000-memory.dmp

Filesize
6.2MB

Download
memory/4404-146-0x0000000005360000-0x0000000005382000-memory.dmp

Filesize
136KB

Download
memory/4404-173-0x000000007FCE0000-0x000000007FCF0000-memory.dmp

Filesize
64KB

Download
memory/4404-174-0x0000000007410000-0x0000000007A8A000-memory.dmp

Filesize
6.5MB

Download
memory/4404-175-0x0000000006DD0000-0x0000000006DEA000-memory.dmp

Filesize
104KB

Download
memory/4404-176-0x0000000006E40000-0x0000000006E4A000-memory.dmp

Filesize
40KB

Download
memory/4404-177-0x0000000007050000-0x00000000070E6000-memory.dmp

Filesize
600KB

Download
memory/4404-178-0x0000000007000000-0x000000000700E000-memory.dmp

Filesize
56KB

Download
memory/4404-179-0x0000000007110000-0x000000000712A000-memory.dmp

Filesize
104KB

Download
memory/4404-180-0x00000000070F0000-0x00000000070F8000-memory.dmp

Filesize
32KB

Download
memory/4404-171-0x0000000006030000-0x000000000604E000-memory.dmp

Filesize
120KB

Download
memory/4404-161-0x000000006FA00000-0x000000006FA4C000-memory.dmp

Filesize
304KB

Download
memory/4404-160-0x0000000006C80000-0x0000000006CB2000-memory.dmp

Filesize
200KB

Download
memory/4404-159-0x0000000005AD0000-0x0000000005AEE000-memory.dmp

Filesize
120KB

Download
memory/4404-158-0x00000000045F0000-0x0000000004600000-memory.dmp

Filesize
64KB

Download
memory/4404-157-0x00000000045F0000-0x0000000004600000-memory.dmp

Filesize
64KB

Download
memory/4404-152-0x0000000005400000-0x0000000005466000-memory.dmp

Filesize
408KB

Download
memory/4404-172-0x00000000045F0000-0x0000000004600000-memory.dmp

Filesize
64KB

Download
memory/4404-144-0x0000000004500000-0x0000000004536000-memory.dmp

Filesize
216KB

Download
memory/4732-243-0x000000000D530000-0x000000000D5C2000-memory.dmp

Filesize
584KB

Download
memory/4732-135-0x0000000003670000-0x0000000003678000-memory.dmp

Filesize
32KB

Download
memory/4732-142-0x0000000005CA0000-0x0000000005CB0000-memory.dmp

Filesize
64KB

Download
memory/4732-141-0x000000000A2D0000-0x000000000A36C000-memory.dmp

Filesize
624KB

Download
memory/4732-140-0x000000000A020000-0x000000000A03E000-memory.dmp

Filesize
120KB

Download
memory/4732-242-0x000000000DA40000-0x000000000DFE4000-memory.dmp

Filesize
5.6MB

Download
memory/4732-139-0x0000000009080000-0x0000000009088000-memory.dmp

Filesize
32KB

Download
memory/4732-133-0x0000000000A50000-0x0000000001296000-memory.dmp

Filesize
8.3MB

Download
memory/4732-143-0x000000000A230000-0x000000000A296000-memory.dmp

Filesize
408KB

Download
memory/4732-138-0x0000000008E40000-0x0000000008E48000-memory.dmp

Filesize
32KB

Download
memory/4732-137-0x0000000005CA0000-0x0000000005CB0000-memory.dmp

Filesize
64KB

Download
memory/4732-136-0x0000000007600000-0x0000000007676000-memory.dmp

Filesize
472KB

Download
memory/4732-244-0x000000000ADC0000-0x000000000ADCA000-memory.dmp

Filesize
40KB

Download
memory/4732-134-0x0000000005C70000-0x0000000005C8A000-memory.dmp

Filesize
104KB

Download