Analysis
-
max time kernel
142s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
21-09-2023 15:31
General
-
Target
a7c35885be384a405f6445fafc337c30ab7fd0c136c9dcf6448cc2f1abffb7e4.exe
-
Size
2.0MB
-
MD5
0ed8fdc29c44611041afeda7e0440382
-
SHA1
b6a8b1670c5b5ba5c76433628b3e2bd9ae01efc2
-
SHA256
a7c35885be384a405f6445fafc337c30ab7fd0c136c9dcf6448cc2f1abffb7e4
-
SHA512
3667a54ea18a0bc3eb2c990386860b3af5825b08b495fc07e6db88345bab4e94f10754e5e495e2ce467f631504a5827444a1312cba3447ead85289ef634e030d
-
SSDEEP
49152:11EY449YgiTNVV31KuZT8BYyaCgE/JOsgF1miMUYl+t6nAfsBJqWsaFKOg+c60Cd:11EYX9ETr51KuZTIYy/jhOZF8UYl+t6
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a7c35885be384a405f6445fafc337c30ab7fd0c136c9dcf6448cc2f1abffb7e4.exe"C:\Users\Admin\AppData\Local\Temp\a7c35885be384a405f6445fafc337c30ab7fd0c136c9dcf6448cc2f1abffb7e4.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c C:\Windows\system32\expand.exe *.cab /f:* .\2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\expand.exeC:\Windows\system32\expand.exe *.cab /f:* .\3⤵
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c schtasks /create /xml ASOS.xml /ru "system" /tn ASOS12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /xml ASOS.xml /ru "system" /tn ASOS13⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "3⤵
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c schtasks /run /tn ASOS12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /run /tn ASOS13⤵
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c schtasks /delete /f /tn ASOS12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /delete /f /tn ASOS13⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD51e0a7a18e5b56a214e6e7d12cb3ad4e5
SHA1c4b398349ecc922f6c00c6d964314f062fa433ac
SHA256916d3994d20accca26c4546e1f581937cbcce6f7de8d99e17947c6f2802e4498
SHA512f007eff4f8a5b808df2869ce6f8f2fba38fa2299ea0861bcee480559a53dfa59a06838b5d9d4cb4a15cc75543c29cb26c7d13d1d11a2cc10b57520a282a4cf5c