8aec47f63039904e0e1144fb18378f2b18d5cfbf41c5dcd65bdef258323df648

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2023, 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6910969188b405exeexeexeex.exe
Size

288KB
MD5

6910969188b405b93db4b146cbd5f718
SHA1

7988974c85d5eea21207c8d6fdcb8d1aace185e5
SHA256

8aec47f63039904e0e1144fb18378f2b18d5cfbf41c5dcd65bdef258323df648
SHA512

52c99b5d7357336f1dc95caa0e67a0e8b39a4a6ab43e3a1c46ef8cab46da07f0c6cbc1fef427f3a3de3c20a95304faee1a8fcab01f7314f0a153ed6267dd6253
SSDEEP

6144:LQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:LQMyfmNFHfnWfhLZVHmOog

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation	6910969188b405exeexeexeex.exe

Executes dropped EXE 2 IoCs

pid	Process
1644	taskhostsys.exe
2912	taskhostsys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\jitc\shell\runas	6910969188b405exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\jitc\shell\runas\command\ = "\"%1\" %*"	6910969188b405exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\jitc\Content-Type = "application/x-msdownload"	6910969188b405exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\.exe\shell\runas	6910969188b405exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	6910969188b405exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\jitc\DefaultIcon	6910969188b405exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\jitc\shell\open\command\IsolatedCommand = "\"%1\" %*"	6910969188b405exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\.exe\shell\open\command	6910969188b405exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\.exe\shell	6910969188b405exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\.exe\shell\open	6910969188b405exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\jitc\shell\open\command	6910969188b405exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\.exe	6910969188b405exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\taskhostsys.exe\" /START \"%1\" %*"	6910969188b405exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\.exe\shell\runas\command	6910969188b405exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\jitc	6910969188b405exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\jitc\DefaultIcon\ = "%1"	6910969188b405exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\jitc\shell\open	6910969188b405exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	6910969188b405exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	6910969188b405exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\jitc\ = "Application"	6910969188b405exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\jitc\shell	6910969188b405exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\jitc\shell\runas\command	6910969188b405exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\.exe\Content-Type = "application/x-msdownload"	6910969188b405exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	6910969188b405exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\jitc\shell\runas\command\IsolatedCommand = "\"%1\" %*"	6910969188b405exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\.exe\DefaultIcon\ = "%1"	6910969188b405exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\jitc\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\taskhostsys.exe\" /START \"%1\" %*"	6910969188b405exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\.exe\ = "jitc"	6910969188b405exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\.exe\DefaultIcon	6910969188b405exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	6910969188b405exeexeexeex.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1644	taskhostsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 1644	2212	6910969188b405exeexeexeex.exe	83
PID 2212 wrote to memory of 1644	2212	6910969188b405exeexeexeex.exe	83
PID 2212 wrote to memory of 1644	2212	6910969188b405exeexeexeex.exe	83
PID 1644 wrote to memory of 2912	1644	taskhostsys.exe	84
PID 1644 wrote to memory of 2912	1644	taskhostsys.exe	84
PID 1644 wrote to memory of 2912	1644	taskhostsys.exe	84

C:\Users\Admin\AppData\Local\Temp\6910969188b405exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\6910969188b405exeexeexeex.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\taskhostsys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\taskhostsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\taskhostsys.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\taskhostsys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\taskhostsys.exe"
    3⤵
    - Executes dropped EXE
    PID:2912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\taskhostsys.exe

Filesize
288KB

MD5
34604b183372313ee3428cf5216a1320

SHA1
059eefa00324b0288a5b96b2305c366b5c5f9ffc

SHA256
0926b53810ef4b8d8cc624d91bfcdedafa0ac53b0f1222a1772b64954093ccea

SHA512
a80d38bf6ab9efad1667861ed78ce9dcfb403d959f9773b3871a11cdd5a32dd29a71b0378557a70af81f84ed1efbbb6ec93af298724909d750753010379d24d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\taskhostsys.exe

Filesize
288KB

MD5
34604b183372313ee3428cf5216a1320

SHA1
059eefa00324b0288a5b96b2305c366b5c5f9ffc

SHA256
0926b53810ef4b8d8cc624d91bfcdedafa0ac53b0f1222a1772b64954093ccea

SHA512
a80d38bf6ab9efad1667861ed78ce9dcfb403d959f9773b3871a11cdd5a32dd29a71b0378557a70af81f84ed1efbbb6ec93af298724909d750753010379d24d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\taskhostsys.exe

Filesize
288KB

MD5
34604b183372313ee3428cf5216a1320

SHA1
059eefa00324b0288a5b96b2305c366b5c5f9ffc

SHA256
0926b53810ef4b8d8cc624d91bfcdedafa0ac53b0f1222a1772b64954093ccea

SHA512
a80d38bf6ab9efad1667861ed78ce9dcfb403d959f9773b3871a11cdd5a32dd29a71b0378557a70af81f84ed1efbbb6ec93af298724909d750753010379d24d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\taskhostsys.exe

Filesize
288KB

MD5
34604b183372313ee3428cf5216a1320

SHA1
059eefa00324b0288a5b96b2305c366b5c5f9ffc

SHA256
0926b53810ef4b8d8cc624d91bfcdedafa0ac53b0f1222a1772b64954093ccea

SHA512
a80d38bf6ab9efad1667861ed78ce9dcfb403d959f9773b3871a11cdd5a32dd29a71b0378557a70af81f84ed1efbbb6ec93af298724909d750753010379d24d3

Download Submit