Analysis
max time kernel: 119s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/07/2023, 04:04
Static task: static1
General
Target: 2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe
Size: 3.0MB
MD5: e1f944688e00a6753e1dfa4e5d8a7670
SHA1: bc4ac9ef640a74fcf240f14def4948ec6e9346c4
SHA256: 2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9
SHA512: a469ee8b8771b47ef185bacc7853fdf253533725da9e0f19543e5c38a273a344658808de6e10d2802b2548284778575d9a2b60b611a58e292d1a2f0132e04dc6
SSDEEP: 24576:V5KrtzH/iYOdy9HQUtiImGqPPUPJp6XdCGQV3JfIR:CrxH/iYV9VeGqPPsT6UvrQR
Malware Config
Extracted: darkcloud
https://api.telegram.org/bot6398598832:AAHm_-Bk4WvgvnFiJw5HCNBQ9z3BfEFNArM/sendMessage?chat_id=5713547588
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation (process: 2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation (process: 2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe)

Executes dropped EXE (3 IoCs)
- PID 1892, chrome.exe
- PID 1540, chrome.exe
- PID 3064, svchost.exe

Suspicious use of SetThreadContext (3 IoCs)
- PID 1012 (2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe) set thread context of PID 1580 (procid_target 97)
- PID 1892 (chrome.exe) set thread context of PID 1540 (procid_target 107)
- PID 1580 (2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe) set thread context of PID 4284 (procid_target 119)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 64, schtasks.exe
- PID 2872, schtasks.exe
- PID 4708, schtasks.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
- PID 1580, 2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe
- PID 1580, 2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe
- PID 4012, powershell.exe
- PID 4012, powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 1580, 2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe
- Token: SeDebugPrivilege, PID 4012, powershell.exe

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 4284, 2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe

Suspicious use of WriteProcessMemory (57 IoCs)
Unique source/target pairs (the raw event list repeats each pair several times):
- PID 1012 (2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe) wrote to memory of PID 1580 (procid_target 97)
- PID 1012 (2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe) wrote to memory of PID 1892 (procid_target 98)
- PID 1012 (2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe) wrote to memory of PID 4816 (procid_target 99)
- PID 1012 (2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe) wrote to memory of PID 2496 (procid_target 101)
- PID 2496 (cmd.exe) wrote to memory of PID 64 (procid_target 103)
- PID 1012 (2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe) wrote to memory of PID 4700 (procid_target 104)
- PID 1892 (chrome.exe) wrote to memory of PID 1540 (procid_target 107)
- PID 1892 (chrome.exe) wrote to memory of PID 4928 (procid_target 108)
- PID 1892 (chrome.exe) wrote to memory of PID 4836 (procid_target 110)
- PID 4836 (cmd.exe) wrote to memory of PID 2872 (procid_target 112)
- PID 1892 (chrome.exe) wrote to memory of PID 4140 (procid_target 113)
- PID 1580 (2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe) wrote to memory of PID 4012 (procid_target 115)
- PID 1580 (2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe) wrote to memory of PID 4708 (procid_target 116)
- PID 1580 (2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe) wrote to memory of PID 4284 (procid_target 119)
Processes
Indentation shows parent/child depth; each entry gives the image path, the command line, the PID and the signatures matched by that process.

C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe"
PID: 1012
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe"
    PID: 1580
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GLqLto.exe"
        PID: 4012
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GLqLto" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8DC4.tmp"
        PID: 4708
        - Creates scheduled task(s)

        C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe"
        PID: 4284
        - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Local\Temp\chrome.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
    PID: 1892
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\chrome.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
        PID: 1540
        - Executes dropped EXE

        C:\Windows\SysWOW64\cmd.exe
        Command line: "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        PID: 4928

        C:\Windows\SysWOW64\cmd.exe
        Command line: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        PID: 4836
        - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
            PID: 2872
            - Creates scheduled task(s)

        C:\Windows\SysWOW64\cmd.exe
        Command line: "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\chrome.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        PID: 4140

    C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\chrome"
    PID: 4816

    C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\chrome\chrome.exe'" /f
    PID: 2496
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\chrome\chrome.exe'" /f
        PID: 64
        - Creates scheduled task(s)

    C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe" "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    PID: 4700

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
Command line: C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
PID: 3064
- Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
    PID: 4604

    C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
    PID: 1968
Network
MITRE ATT&CK Enterprise v15
Downloads