e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7

Analysis

max time kernel
138s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
14/11/2023, 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe
Size

208KB
MD5

0db48efce48f55d7337612906b419908
SHA1

437373019e49d916a132d53a85e9aee9fc42992e
SHA256

e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7
SHA512

6a3b8bd1bf097a064197000acd6308756d9131b3424e824565dacecaebcb350acf64f3d757c051442d25f28c61f956e7d68f5dadb87b05f13037e68cae541c6e
SSDEEP

6144:0ccNqCU8GLVlTJQZ2nrxLOEjIMiSN0PhoJ94B5tYR:nlTJQmrNOEjI1SN0Pi34LtI

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://r.dbfhdbkd.pw/gate/update.php

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe

Executes dropped EXE 1 IoCs

pid	Process
2848	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4640	schtasks.exe
724	schtasks.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1324	taskkill.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\ProgramData\{MTO6PZ75-167N-73QH-A99R682BWWT9}\e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe:Zone.Identifier	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe
File opened for modification	C:\ProgramData\{MTO6PZ75-167N-73QH-A99R682BWWT9}\e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe:Zone.Identifier	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3752	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe
3752	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe
3752	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe
3752	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe
2848	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe
2848	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1324	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3752 wrote to memory of 4284	3752	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe	87
PID 3752 wrote to memory of 4284	3752	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe	87
PID 3752 wrote to memory of 4284	3752	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe	87
PID 3752 wrote to memory of 1940	3752	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe	89
PID 3752 wrote to memory of 1940	3752	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe	89
PID 3752 wrote to memory of 1940	3752	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe	89
PID 4284 wrote to memory of 4812	4284	cmd.exe	96
PID 4284 wrote to memory of 4812	4284	cmd.exe	96
PID 4284 wrote to memory of 4812	4284	cmd.exe	96
PID 4284 wrote to memory of 1496	4284	cmd.exe	95
PID 4284 wrote to memory of 1496	4284	cmd.exe	95
PID 4284 wrote to memory of 1496	4284	cmd.exe	95
PID 1940 wrote to memory of 2008	1940	cmd.exe	93
PID 1940 wrote to memory of 2008	1940	cmd.exe	93
PID 1940 wrote to memory of 2008	1940	cmd.exe	93
PID 1940 wrote to memory of 2368	1940	cmd.exe	91
PID 1940 wrote to memory of 2368	1940	cmd.exe	91
PID 1940 wrote to memory of 2368	1940	cmd.exe	91
PID 3752 wrote to memory of 2848	3752	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe	92
PID 3752 wrote to memory of 2848	3752	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe	92
PID 3752 wrote to memory of 2848	3752	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe	92
PID 3752 wrote to memory of 2292	3752	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe	97
PID 3752 wrote to memory of 2292	3752	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe	97
PID 3752 wrote to memory of 2292	3752	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe	97
PID 3752 wrote to memory of 4188	3752	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe	100
PID 3752 wrote to memory of 4188	3752	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe	100
PID 3752 wrote to memory of 4188	3752	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe	100
PID 3752 wrote to memory of 3084	3752	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe	99
PID 3752 wrote to memory of 3084	3752	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe	99
PID 3752 wrote to memory of 3084	3752	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe	99
PID 3752 wrote to memory of 4052	3752	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe	102
PID 3752 wrote to memory of 4052	3752	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe	102
PID 3752 wrote to memory of 4052	3752	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe	102
PID 3084 wrote to memory of 4896	3084	cmd.exe	118
PID 3084 wrote to memory of 4896	3084	cmd.exe	118
PID 3084 wrote to memory of 4896	3084	cmd.exe	118
PID 3084 wrote to memory of 884	3084	cmd.exe	104
PID 3084 wrote to memory of 884	3084	cmd.exe	104
PID 3084 wrote to memory of 884	3084	cmd.exe	104
PID 4188 wrote to memory of 216	4188	cmd.exe	117
PID 4188 wrote to memory of 216	4188	cmd.exe	117
PID 4188 wrote to memory of 216	4188	cmd.exe	117
PID 4188 wrote to memory of 232	4188	cmd.exe	105
PID 4188 wrote to memory of 232	4188	cmd.exe	105
PID 4188 wrote to memory of 232	4188	cmd.exe	105
PID 2292 wrote to memory of 3816	2292	cmd.exe	116
PID 2292 wrote to memory of 3816	2292	cmd.exe	116
PID 2292 wrote to memory of 3816	2292	cmd.exe	116
PID 2292 wrote to memory of 880	2292	cmd.exe	107
PID 2292 wrote to memory of 880	2292	cmd.exe	107
PID 2292 wrote to memory of 880	2292	cmd.exe	107
PID 3752 wrote to memory of 4640	3752	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe	106
PID 3752 wrote to memory of 4640	3752	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe	106
PID 3752 wrote to memory of 4640	3752	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe	106
PID 4052 wrote to memory of 3924	4052	cmd.exe	108
PID 4052 wrote to memory of 3924	4052	cmd.exe	108
PID 4052 wrote to memory of 3924	4052	cmd.exe	108
PID 4052 wrote to memory of 1488	4052	cmd.exe	110
PID 4052 wrote to memory of 1488	4052	cmd.exe	110
PID 4052 wrote to memory of 1488	4052	cmd.exe	110
PID 3752 wrote to memory of 724	3752	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe	114
PID 3752 wrote to memory of 724	3752	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe	114
PID 3752 wrote to memory of 724	3752	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe	114
PID 3752 wrote to memory of 5084	3752	e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe	111

C:\Users\Admin\AppData\Local\Temp\e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe
"C:\Users\Admin\AppData\Local\Temp\e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe"
1⤵
- Checks computer location settings
- Checks processor information in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3752
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\ProgramData\{MTO6PZ75-167N-73QH-A99R682BWWT9}" /P "%USERNAME%:R"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4284
- - C:\Windows\SysWOW64\cacls.exe
    CACLS "C:\ProgramData\{MTO6PZ75-167N-73QH-A99R682BWWT9}" /P "Admin:R"
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4812
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\ProgramData\{MTO6PZ75-167N-73QH-A99R682BWWT9}\e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe" /P "%USERNAME%:R"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\SysWOW64\cacls.exe
    CACLS "C:\ProgramData\{MTO6PZ75-167N-73QH-A99R682BWWT9}\e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe" /P "Admin:R"
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2008
- C:\ProgramData\{MTO6PZ75-167N-73QH-A99R682BWWT9}\e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe
  "C:\ProgramData\{MTO6PZ75-167N-73QH-A99R682BWWT9}\e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2848
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\ProgramData\{KPSKADO7-X4SS-J4J1-K9L95AUAOZH0}\DCF33DNMOKUF.ps1" /P "%USERNAME%:R"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\SysWOW64\cacls.exe
    CACLS "C:\ProgramData\{KPSKADO7-X4SS-J4J1-K9L95AUAOZH0}\DCF33DNMOKUF.ps1" /P "Admin:R"
    3⤵
    PID:880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\ProgramData\{KPSKADO7-X4SS-J4J1-K9L95AUAOZH0}\X4SS1DJRFL8X.cmd" /P "%USERNAME%:R"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3084
- - C:\Windows\SysWOW64\cacls.exe
    CACLS "C:\ProgramData\{KPSKADO7-X4SS-J4J1-K9L95AUAOZH0}\X4SS1DJRFL8X.cmd" /P "Admin:R"
    3⤵
    PID:884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4896
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\ProgramData\{KPSKADO7-X4SS-J4J1-K9L95AUAOZH0}\RPAXHLQN3VBV.vbs" /P "%USERNAME%:R"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Windows\SysWOW64\cacls.exe
    CACLS "C:\ProgramData\{KPSKADO7-X4SS-J4J1-K9L95AUAOZH0}\RPAXHLQN3VBV.vbs" /P "Admin:R"
    3⤵
    PID:232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:216
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\ProgramData\{KPSKADO7-X4SS-J4J1-K9L95AUAOZH0}" /P "%USERNAME%:R"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3924
- - C:\Windows\SysWOW64\cacls.exe
    CACLS "C:\ProgramData\{KPSKADO7-X4SS-J4J1-K9L95AUAOZH0}" /P "Admin:R"
    3⤵
    PID:1488
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 30 /TN "FC2WI4VCO344GC" /TR "C:\ProgramData\{KPSKADO7-X4SS-J4J1-K9L95AUAOZH0}\RPAXHLQN3VBV.vbs" /F
  2⤵
  - Creates scheduled task(s)
  PID:4640
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe /f & erase g,\Admin\AppData\Local\Temp\e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe & exit
  2⤵
  PID:5084
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1324
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 15 /TN "LCZOWROQDA84NCYD90" /TR "C:\ProgramData\{MTO6PZ75-167N-73QH-A99R682BWWT9}\e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe" /F
  2⤵
  - Creates scheduled task(s)
  PID:724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{KPSKADO7-X4SS-J4J1-K9L95AUAOZH0}\DCF33DNMOKUF.ps1

Filesize
464B

MD5
35d39eb52799304417d6eb373186bdf3

SHA1
5bb8ccef229c4d14282170fca7aa8342c3e19191

SHA256
6d107f42ff87222ac4161fd4c0af608235035f99b2f78377c380bffe892cfd21

SHA512
25666afacb083990e4c219daba33499d61c2ab843e14bed276fce911b713990633689938465eb05216bfdf87816a254c4b81d5939c87d40c73420b761cc35545

Download Submit
C:\ProgramData\{KPSKADO7-X4SS-J4J1-K9L95AUAOZH0}\RPAXHLQN3VBV.vbs

Filesize
130B

MD5
0e567e1b6602b53e18e48a32d66d476d

SHA1
9478469102b67697ec7f04ce37f6d5ad1adc6f02

SHA256
e643410d340900591816ad7e5faf9bed32ad3fd0acce7a0699b67ed38c5536a8

SHA512
f7b429c654156384b5023ce5782bef5c0232ab081e354d1f3779e3384dd4f0423fa01b2561a0b2d615a8debbab01d396d93ee7b64a9de7335d7b6dd0cbb1746a

Download Submit
C:\ProgramData\{KPSKADO7-X4SS-J4J1-K9L95AUAOZH0}\X4SS1DJRFL8X.cmd

Filesize
144B

MD5
34b17351b15774974c4c8a611fe7e709

SHA1
3e2ebfc726688ad059f4402fd8b500e813be9b1e

SHA256
4660c46deef7aeb543d5fd701cf30c20597f0371bc795ffb8ec2329ee905806d

SHA512
9ac64cb0ae35c1893eb2a25e1fa3dccf1c77c4bd8d71cdbe3b36aca04b6acab278c152a963d73c693090ae012a1f08cf60dcdd4da1205cb4819976c9289843d0

Download Submit
C:\ProgramData\{MTO6PZ75-167N-73QH-A99R682BWWT9}\e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe

Filesize
208KB

MD5
0db48efce48f55d7337612906b419908

SHA1
437373019e49d916a132d53a85e9aee9fc42992e

SHA256
e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7

SHA512
6a3b8bd1bf097a064197000acd6308756d9131b3424e824565dacecaebcb350acf64f3d757c051442d25f28c61f956e7d68f5dadb87b05f13037e68cae541c6e

Download Submit
C:\ProgramData\{MTO6PZ75-167N-73QH-A99R682BWWT9}\e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7.exe

Filesize
208KB

MD5
0db48efce48f55d7337612906b419908

SHA1
437373019e49d916a132d53a85e9aee9fc42992e

SHA256
e2127d2e0a399c731054672bdc57cccc70ff11db384b525acc02e4a090c60cc7

SHA512
6a3b8bd1bf097a064197000acd6308756d9131b3424e824565dacecaebcb350acf64f3d757c051442d25f28c61f956e7d68f5dadb87b05f13037e68cae541c6e

Download Submit