Analysis
-
max time kernel
42s -
max time network
44s -
platform
windows10-2004_x64 -
resource
win10v2004-20230621-en -
resource tags
-
submitted
02-07-2023 14:50
General
-
Target
Injector.exe
-
Size
288KB
-
MD5
f2920ef418cf74b3603f9729b5ed0f30
-
SHA1
ce803090d9acb75843c96be7264eea927623f0ea
-
SHA256
28ca1fb4d6dc4e583f6170ce4b873a0b9d4eaa2af0d188503bd480d270d384ac
-
SHA512
4556832f617dbf5e560a12e2061d30003e8f82b9bdb047004068f5676f64da677cb9fa108a0d4fa3cfcef727e2f58beba6e9790ca346ba2233d8ca501566e237
-
SSDEEP
6144:vTIL8ouxrGLc9v5ei1f/VlCnU17py8IeGw+VOFIInwm9FB6:vTecmc2M/UU1FlU10FA
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 11 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 4 IoCs
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Kills process with taskkill 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 41 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\csrss.exe"C:\Users\Admin\AppData\Local\Temp\csrss.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\807F.tmp\8080.tmp\8081.bat C:\Users\Admin\AppData\Local\Temp\csrss.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXEping 8.8.8.84⤵
- Runs ping.exe
-
-
C:\Windows\system32\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\timeout.exetimeout 94⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\timeout.exetimeout 54⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\dllhost.exe"C:\Users\Admin\AppData\Local\dllhost.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dllhost" /tr "C:\Users\Admin\AppData\Local\dllhost.exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Local\lsass.exe"C:\Users\Admin\AppData\Local\lsass.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "lsass" /tr "C:\Users\Admin\AppData\Local\lsass.exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Local\wininit.exe"C:\Users\Admin\AppData\Local\wininit.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "wininit" /tr "C:\Users\Admin\AppData\Local\wininit.exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Public\ctfmon.exe"C:\Users\Public\ctfmon.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ctfmon" /tr "C:\Users\Public\ctfmon.exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Local\winlogon.exe"C:\Users\Admin\AppData\Local\winlogon.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "winlogon" /tr "C:\Users\Admin\AppData\Local\winlogon.exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp808F.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\lsass.exeC:\Users\Admin\AppData\Local\lsass.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\dllhost.exeC:\Users\Admin\AppData\Local\dllhost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\wininit.exeC:\Users\Admin\AppData\Local\wininit.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\winlogon.exeC:\Users\Admin\AppData\Local\winlogon.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\ctfmon.exeC:\Users\Public\ctfmon.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
112B
MD535c08e166787c0f045a3d6289a4ef450
SHA1ac10a70f11bd78b922d94023d550d3cb65842954
SHA2569bb3e63ee8a1b25a41381577784345e0f5df67cd1d8539ae182f8b2f4c2d6bf8
SHA5127ef7c3f82ce23eed00d396c16ea32e54e2cb4d1259b50201e56b0378daa97486f8eb01a4f780bee770a06dd4e92e4331e07e30dd5631b21db52428475d8f46aa
-
Filesize
45KB
MD5a92e58e8cdd59fb7a5b5d4b7273dc691
SHA120aa3581a9ae014443007267a2a1811258d4f8ee
SHA2565445e682c5aadc0bc0fcb626592848867167b33eca7c68fbb7f18169b2aaa69e
SHA5127719c32f554310aa3c64ee562f98ad442977eb3d58cc2233f69bf2b872ca427d1098c10fd818881ab45a298e3a28c5dcf779fcf4ac9bf46e4a5bc8fb0381994a
-
Filesize
45KB
MD5a92e58e8cdd59fb7a5b5d4b7273dc691
SHA120aa3581a9ae014443007267a2a1811258d4f8ee
SHA2565445e682c5aadc0bc0fcb626592848867167b33eca7c68fbb7f18169b2aaa69e
SHA5127719c32f554310aa3c64ee562f98ad442977eb3d58cc2233f69bf2b872ca427d1098c10fd818881ab45a298e3a28c5dcf779fcf4ac9bf46e4a5bc8fb0381994a
-
Filesize
45KB
MD5a92e58e8cdd59fb7a5b5d4b7273dc691
SHA120aa3581a9ae014443007267a2a1811258d4f8ee
SHA2565445e682c5aadc0bc0fcb626592848867167b33eca7c68fbb7f18169b2aaa69e
SHA5127719c32f554310aa3c64ee562f98ad442977eb3d58cc2233f69bf2b872ca427d1098c10fd818881ab45a298e3a28c5dcf779fcf4ac9bf46e4a5bc8fb0381994a
-
Filesize
160B
MD552fc7380fff6327e9f30e8e1e5eacefa
SHA1dab9348a87eb6b1a96a3d8bae612815e9ca7c034
SHA2563318e6bc4763112ce86ce1a0bdc42eac438bb095d77207e8fa3e5e44490b31e4
SHA51277139ef7b4bea4c41a8fc4da31df491b1e18a15d7f250b2b4f9cc066074cba820c22b4b627ec76f0a4da46e4774e00f2d6a9e5f4d58cdd180d702704c0b06e2f
-
Filesize
64KB
MD559b27010cb5627898bfa934d6442ac4c
SHA1d9b8fad367b16fe60e4dd9a52e1f15a47b80efd7
SHA25601cd0422ea3a7676714bf0e8cf68c611ea9a3bd6a26b02126a54dc7efb7ba753
SHA5127c8da8728fe0f340f02efc96d9c3baa8881c5199fedb4ccfdb0adc1c554efea7cc6ae5e47a84a14981087f3660ebc5249cce10acaf2c8665df0491008b29fd6f
-
Filesize
64KB
MD559b27010cb5627898bfa934d6442ac4c
SHA1d9b8fad367b16fe60e4dd9a52e1f15a47b80efd7
SHA25601cd0422ea3a7676714bf0e8cf68c611ea9a3bd6a26b02126a54dc7efb7ba753
SHA5127c8da8728fe0f340f02efc96d9c3baa8881c5199fedb4ccfdb0adc1c554efea7cc6ae5e47a84a14981087f3660ebc5249cce10acaf2c8665df0491008b29fd6f
-
Filesize
64KB
MD559b27010cb5627898bfa934d6442ac4c
SHA1d9b8fad367b16fe60e4dd9a52e1f15a47b80efd7
SHA25601cd0422ea3a7676714bf0e8cf68c611ea9a3bd6a26b02126a54dc7efb7ba753
SHA5127c8da8728fe0f340f02efc96d9c3baa8881c5199fedb4ccfdb0adc1c554efea7cc6ae5e47a84a14981087f3660ebc5249cce10acaf2c8665df0491008b29fd6f
-
Filesize
64KB
MD559b27010cb5627898bfa934d6442ac4c
SHA1d9b8fad367b16fe60e4dd9a52e1f15a47b80efd7
SHA25601cd0422ea3a7676714bf0e8cf68c611ea9a3bd6a26b02126a54dc7efb7ba753
SHA5127c8da8728fe0f340f02efc96d9c3baa8881c5199fedb4ccfdb0adc1c554efea7cc6ae5e47a84a14981087f3660ebc5249cce10acaf2c8665df0491008b29fd6f
-
Filesize
58KB
MD5bbdf0460782f4f4a2082914c5eee8938
SHA1b7ce1dd4d1cb2c576dce6d976ae20c6b391455c9
SHA256b2f2a0e633c622e5bdd4645476079119fdae7f1cf8746436a1c61376bcdb8528
SHA5126e197c13e52e2b5db11e9021f304a6c117503574917c648fcb7037363822743ebef351ef50647e57bf90b2d5b7ea8662104f1d019f09aa791bd6ac02cfa82082
-
Filesize
58KB
MD5bbdf0460782f4f4a2082914c5eee8938
SHA1b7ce1dd4d1cb2c576dce6d976ae20c6b391455c9
SHA256b2f2a0e633c622e5bdd4645476079119fdae7f1cf8746436a1c61376bcdb8528
SHA5126e197c13e52e2b5db11e9021f304a6c117503574917c648fcb7037363822743ebef351ef50647e57bf90b2d5b7ea8662104f1d019f09aa791bd6ac02cfa82082
-
Filesize
58KB
MD5bbdf0460782f4f4a2082914c5eee8938
SHA1b7ce1dd4d1cb2c576dce6d976ae20c6b391455c9
SHA256b2f2a0e633c622e5bdd4645476079119fdae7f1cf8746436a1c61376bcdb8528
SHA5126e197c13e52e2b5db11e9021f304a6c117503574917c648fcb7037363822743ebef351ef50647e57bf90b2d5b7ea8662104f1d019f09aa791bd6ac02cfa82082
-
Filesize
58KB
MD5bbdf0460782f4f4a2082914c5eee8938
SHA1b7ce1dd4d1cb2c576dce6d976ae20c6b391455c9
SHA256b2f2a0e633c622e5bdd4645476079119fdae7f1cf8746436a1c61376bcdb8528
SHA5126e197c13e52e2b5db11e9021f304a6c117503574917c648fcb7037363822743ebef351ef50647e57bf90b2d5b7ea8662104f1d019f09aa791bd6ac02cfa82082
-
Filesize
66KB
MD521ac888a0b9afb08b26e70661b98f464
SHA1b0ed1831c8976bf20735e18c86e8a7be6ad9f378
SHA25631ac27b77c0d54281f4ed4d122b66deff2fedd04f24c9c43631b7a3040e381c3
SHA5121e66c82b73dffbd64cc9b3f6600c172b0045d1dc8d5f51fc7b5878397ac848fb75bdaa15af1844dc5b2e2aec3f13287887c2ece9347a8cdd7dd08e2e2c1486aa
-
Filesize
66KB
MD521ac888a0b9afb08b26e70661b98f464
SHA1b0ed1831c8976bf20735e18c86e8a7be6ad9f378
SHA25631ac27b77c0d54281f4ed4d122b66deff2fedd04f24c9c43631b7a3040e381c3
SHA5121e66c82b73dffbd64cc9b3f6600c172b0045d1dc8d5f51fc7b5878397ac848fb75bdaa15af1844dc5b2e2aec3f13287887c2ece9347a8cdd7dd08e2e2c1486aa
-
Filesize
66KB
MD521ac888a0b9afb08b26e70661b98f464
SHA1b0ed1831c8976bf20735e18c86e8a7be6ad9f378
SHA25631ac27b77c0d54281f4ed4d122b66deff2fedd04f24c9c43631b7a3040e381c3
SHA5121e66c82b73dffbd64cc9b3f6600c172b0045d1dc8d5f51fc7b5878397ac848fb75bdaa15af1844dc5b2e2aec3f13287887c2ece9347a8cdd7dd08e2e2c1486aa
-
Filesize
66KB
MD521ac888a0b9afb08b26e70661b98f464
SHA1b0ed1831c8976bf20735e18c86e8a7be6ad9f378
SHA25631ac27b77c0d54281f4ed4d122b66deff2fedd04f24c9c43631b7a3040e381c3
SHA5121e66c82b73dffbd64cc9b3f6600c172b0045d1dc8d5f51fc7b5878397ac848fb75bdaa15af1844dc5b2e2aec3f13287887c2ece9347a8cdd7dd08e2e2c1486aa
-
Filesize
109KB
MD55145359a4097367f9d9afd24091208ae
SHA177ea09be2cbf83cf40e5c4a746f1cbdb05785686
SHA256d674f4a389393b731d930103e4115573f693e831e17973b3c3d4bd263fc93716
SHA51255beb0abe6370cefd41c267acb58e2c050b981693b4eef577c07f9707a76bb22835b1485ae26124b62e7ebf82e448a61b7962ef82a7f2c08f782126f8855c398
-
Filesize
109KB
MD55145359a4097367f9d9afd24091208ae
SHA177ea09be2cbf83cf40e5c4a746f1cbdb05785686
SHA256d674f4a389393b731d930103e4115573f693e831e17973b3c3d4bd263fc93716
SHA51255beb0abe6370cefd41c267acb58e2c050b981693b4eef577c07f9707a76bb22835b1485ae26124b62e7ebf82e448a61b7962ef82a7f2c08f782126f8855c398
-
Filesize
109KB
MD55145359a4097367f9d9afd24091208ae
SHA177ea09be2cbf83cf40e5c4a746f1cbdb05785686
SHA256d674f4a389393b731d930103e4115573f693e831e17973b3c3d4bd263fc93716
SHA51255beb0abe6370cefd41c267acb58e2c050b981693b4eef577c07f9707a76bb22835b1485ae26124b62e7ebf82e448a61b7962ef82a7f2c08f782126f8855c398
-
Filesize
109KB
MD55145359a4097367f9d9afd24091208ae
SHA177ea09be2cbf83cf40e5c4a746f1cbdb05785686
SHA256d674f4a389393b731d930103e4115573f693e831e17973b3c3d4bd263fc93716
SHA51255beb0abe6370cefd41c267acb58e2c050b981693b4eef577c07f9707a76bb22835b1485ae26124b62e7ebf82e448a61b7962ef82a7f2c08f782126f8855c398
-
Filesize
64KB
MD52946d986354c504635a4bc2543a276f4
SHA16cdf2129a845f05c5adfff70e1b8f47a1db801f7
SHA256d1342baf41a20e9f2ae8e6299834bf1c22e3d5b3b59d0a817b6a043b66c7fdee
SHA5121b771d3c69a93afeaa9762fddb09871219b8036bbc592b1abdcecfd981842cb2c7dcd34f7347620e7c52a0bc63a07bd931b1014727e00c4f0e18073fe5fea71b
-
Filesize
64KB
MD52946d986354c504635a4bc2543a276f4
SHA16cdf2129a845f05c5adfff70e1b8f47a1db801f7
SHA256d1342baf41a20e9f2ae8e6299834bf1c22e3d5b3b59d0a817b6a043b66c7fdee
SHA5121b771d3c69a93afeaa9762fddb09871219b8036bbc592b1abdcecfd981842cb2c7dcd34f7347620e7c52a0bc63a07bd931b1014727e00c4f0e18073fe5fea71b
-
Filesize
64KB
MD52946d986354c504635a4bc2543a276f4
SHA16cdf2129a845f05c5adfff70e1b8f47a1db801f7
SHA256d1342baf41a20e9f2ae8e6299834bf1c22e3d5b3b59d0a817b6a043b66c7fdee
SHA5121b771d3c69a93afeaa9762fddb09871219b8036bbc592b1abdcecfd981842cb2c7dcd34f7347620e7c52a0bc63a07bd931b1014727e00c4f0e18073fe5fea71b
-
Filesize
64KB
MD52946d986354c504635a4bc2543a276f4
SHA16cdf2129a845f05c5adfff70e1b8f47a1db801f7
SHA256d1342baf41a20e9f2ae8e6299834bf1c22e3d5b3b59d0a817b6a043b66c7fdee
SHA5121b771d3c69a93afeaa9762fddb09871219b8036bbc592b1abdcecfd981842cb2c7dcd34f7347620e7c52a0bc63a07bd931b1014727e00c4f0e18073fe5fea71b
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
128KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
80KB
-
Filesize
4.8MB
-
Filesize
64KB
-
Filesize
392KB
-
Filesize
664KB
-
Filesize
64KB
-
Filesize
296KB