ac94101c9d78aded5c0ce3207fb99bb4cb7083ec635b6fe7ed26b9414930d7ae

Analysis

max time kernel
251s
max time network
319s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
17/11/2023, 21:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Deskcal.exe
Size

112.2MB
MD5

172512286dad8fe2bd42e97e311ea5e1
SHA1

306c1cf5cccd2ebc6033989f5814ff585c66a8bb
SHA256

22d1842cfcc3c3cde6e76fe1dbe239265c73d3fc941f051587e83dfecdf033ad
SHA512

14338a20605b8ec6f14794c1a879713519f02b03cdfbbdeb0652256e32cef37296462978b5ebab756b8c5df831e6b96a4f7d55f4a73fa3af0a42c10713ade7cc
SSDEEP

1572864:pXuw/tQGyC/gnDDkYom3d9I4PEg5n8VKSJ8mfc3aLkCEP/KZ3UK3+jibSP1WsXCw:9uw/K3X8t7c3aLIKOos7

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	Deskcal.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	Deskcal.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1456	Deskcal.exe
1456	Deskcal.exe
4304	Deskcal.exe
4304	Deskcal.exe
3520	Deskcal.exe
3520	Deskcal.exe
3520	Deskcal.exe
3520	Deskcal.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 4624	2984	Deskcal.exe	95
PID 2984 wrote to memory of 1456	2984	Deskcal.exe	96
PID 2984 wrote to memory of 1456	2984	Deskcal.exe	96
PID 2984 wrote to memory of 1456	2984	Deskcal.exe	96
PID 2984 wrote to memory of 4304	2984	Deskcal.exe	99
PID 2984 wrote to memory of 4304	2984	Deskcal.exe	99
PID 2984 wrote to memory of 4304	2984	Deskcal.exe	99
PID 2984 wrote to memory of 3520	2984	Deskcal.exe	113
PID 2984 wrote to memory of 3520	2984	Deskcal.exe	113
PID 2984 wrote to memory of 3520	2984	Deskcal.exe	113

C:\Users\Admin\AppData\Local\Temp\Deskcal.exe
"C:\Users\Admin\AppData\Local\Temp\Deskcal.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Local\Temp\Deskcal.exe
  "C:\Users\Admin\AppData\Local\Temp\Deskcal.exe" --type=gpu-process --field-trial-handle=1604,11693601763809569449,10864411140637675254,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1592 /prefetch:2
  2⤵
  PID:4624
- C:\Users\Admin\AppData\Local\Temp\Deskcal.exe
  "C:\Users\Admin\AppData\Local\Temp\Deskcal.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1604,11693601763809569449,10864411140637675254,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1456
- C:\Users\Admin\AppData\Local\Temp\Deskcal.exe
  "C:\Users\Admin\AppData\Local\Temp\Deskcal.exe" --type=renderer --field-trial-handle=1604,11693601763809569449,10864411140637675254,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2372 /prefetch:1
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:4304
- C:\Users\Admin\AppData\Local\Temp\Deskcal.exe
  "C:\Users\Admin\AppData\Local\Temp\Deskcal.exe" --type=gpu-process --field-trial-handle=1604,11693601763809569449,10864411140637675254,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2364 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Deskcal\Network Persistent State

Filesize
822B

MD5
39c7a5dac216a12036eaaef8cd9665ed

SHA1
825dee25f7a8b3bd2509c1666251563910f8c12c

SHA256
82fe26c37863ee4bbbac1a2f62fe042f4f3cb6781b254e007c87b0264997a4a1

SHA512
8b3fc0c98cf5bfa553f1c22f75c973738219fd2bece8ed4e0e5a8a311f4b81187a84ee1b026baaafa601bc44742fada06eb2a468503039decb0e16cf7a11c17e

Download Submit
C:\Users\Admin\AppData\Roaming\Deskcal\Network Persistent State~RFe5c39a5.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit