191ee8fddb80707e4bdb4f13979d521aca69e521aafd0b18736506c789ae2553

Analysis

max time kernel
298s
max time network
254s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
20-11-2023 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

191ee8fddb80707e4bdb4f13979d521aca69e521aafd0b18736506c789ae2553.exe
Size

327KB
MD5

0ee8066c8d05d53e5c1e93eaac264542
SHA1

bb9ae1109a0d02bd01ad2c29806add30fa01a247
SHA256

191ee8fddb80707e4bdb4f13979d521aca69e521aafd0b18736506c789ae2553
SHA512

3a87db3b6c853cfc07fe085cff60107e7e9e70b34b269027053777be3932c7eda22c83c13f61a7337de3862929482460ea49ea3a0b7588c799c842463a8efd81
SSDEEP

6144:+eTSPhzEBrFDC9/9gh92fZjWHcLdP/ljevLjQGWxylRYLDODv9QJ:zeBEBrFm9/9xZjWwdP/lyTj5WxyOgi

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3688	GeforceUpdater.exe
2492	GeforceUpdater.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org
4	api.ipify.org
5	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5080	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2644	timeout.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
528	191ee8fddb80707e4bdb4f13979d521aca69e521aafd0b18736506c789ae2553.exe
528	191ee8fddb80707e4bdb4f13979d521aca69e521aafd0b18736506c789ae2553.exe
3688	GeforceUpdater.exe
3688	GeforceUpdater.exe
2492	GeforceUpdater.exe
2492	GeforceUpdater.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	528	191ee8fddb80707e4bdb4f13979d521aca69e521aafd0b18736506c789ae2553.exe
Token: SeDebugPrivilege	3688	GeforceUpdater.exe
Token: SeDebugPrivilege	2492	GeforceUpdater.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 528 wrote to memory of 3948	528	191ee8fddb80707e4bdb4f13979d521aca69e521aafd0b18736506c789ae2553.exe	70
PID 528 wrote to memory of 3948	528	191ee8fddb80707e4bdb4f13979d521aca69e521aafd0b18736506c789ae2553.exe	70
PID 3948 wrote to memory of 2644	3948	cmd.exe	72
PID 3948 wrote to memory of 2644	3948	cmd.exe	72
PID 3948 wrote to memory of 3688	3948	cmd.exe	73
PID 3948 wrote to memory of 3688	3948	cmd.exe	73
PID 3688 wrote to memory of 3240	3688	GeforceUpdater.exe	74
PID 3688 wrote to memory of 3240	3688	GeforceUpdater.exe	74
PID 3240 wrote to memory of 5080	3240	cmd.exe	76
PID 3240 wrote to memory of 5080	3240	cmd.exe	76

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\191ee8fddb80707e4bdb4f13979d521aca69e521aafd0b18736506c789ae2553.exe
"C:\Users\Admin\AppData\Local\Temp\191ee8fddb80707e4bdb4f13979d521aca69e521aafd0b18736506c789ae2553.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9C4F.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2644
- - C:\ProgramData\AdobeReader\GeforceUpdater.exe
    "C:\ProgramData\AdobeReader\GeforceUpdater.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3688
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "MicrosoftEdgeUpdateTaskMachineCoreCor" /tr "C:\ProgramData\AdobeReader\GeforceUpdater.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3240
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "MicrosoftEdgeUpdateTaskMachineCoreCor" /tr "C:\ProgramData\AdobeReader\GeforceUpdater.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:5080

C:\ProgramData\AdobeReader\GeforceUpdater.exe
C:\ProgramData\AdobeReader\GeforceUpdater.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AdobeReader\GeforceUpdater.exe

Filesize
327KB

MD5
0ee8066c8d05d53e5c1e93eaac264542

SHA1
bb9ae1109a0d02bd01ad2c29806add30fa01a247

SHA256
191ee8fddb80707e4bdb4f13979d521aca69e521aafd0b18736506c789ae2553

SHA512
3a87db3b6c853cfc07fe085cff60107e7e9e70b34b269027053777be3932c7eda22c83c13f61a7337de3862929482460ea49ea3a0b7588c799c842463a8efd81

Download Submit
C:\ProgramData\AdobeReader\GeforceUpdater.exe

Filesize
327KB

MD5
0ee8066c8d05d53e5c1e93eaac264542

SHA1
bb9ae1109a0d02bd01ad2c29806add30fa01a247

SHA256
191ee8fddb80707e4bdb4f13979d521aca69e521aafd0b18736506c789ae2553

SHA512
3a87db3b6c853cfc07fe085cff60107e7e9e70b34b269027053777be3932c7eda22c83c13f61a7337de3862929482460ea49ea3a0b7588c799c842463a8efd81

Download Submit
C:\ProgramData\AdobeReader\GeforceUpdater.exe

Filesize
327KB

MD5
0ee8066c8d05d53e5c1e93eaac264542

SHA1
bb9ae1109a0d02bd01ad2c29806add30fa01a247

SHA256
191ee8fddb80707e4bdb4f13979d521aca69e521aafd0b18736506c789ae2553

SHA512
3a87db3b6c853cfc07fe085cff60107e7e9e70b34b269027053777be3932c7eda22c83c13f61a7337de3862929482460ea49ea3a0b7588c799c842463a8efd81

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9C4F.tmp.bat

Filesize
154B

MD5
9c15a091911c17f4cd1f6d0227ae2b4e

SHA1
80dee0197af1586af9d10cd11b00243335efc7d1

SHA256
28f98dfc445de0c80f6dbf7c4752eca55d6d1a1721ffadce0b3865d8fa9935f1

SHA512
ddc5c4edda6902b07cb9da66cfb36fddbd300ea1c4ce5bec559f29fd2a783097603bfcaf02aa9644fd5ee2d57d1698c564e213c7dbde1940eb2a97007a9a7b31

Download Submit
memory/528-0-0x0000000001050000-0x0000000001128000-memory.dmp

Filesize
864KB

Download
memory/528-3-0x000002340A9F0000-0x000002340AA30000-memory.dmp

Filesize
256KB

Download
memory/528-7-0x00007FFD1FA90000-0x00007FFD1FB2C000-memory.dmp

Filesize
624KB

Download
memory/528-8-0x00007FFD2B1C0000-0x00007FFD2B25D000-memory.dmp

Filesize
628KB

Download
memory/528-9-0x00007FFD2AF70000-0x00007FFD2AF97000-memory.dmp

Filesize
156KB

Download
memory/528-10-0x00007FFD2B270000-0x00007FFD2B3BA000-memory.dmp

Filesize
1.3MB

Download
memory/528-11-0x00007FFD27D90000-0x00007FFD27DA1000-memory.dmp

Filesize
68KB

Download
memory/528-12-0x00007FFD1EFA0000-0x00007FFD1F097000-memory.dmp

Filesize
988KB

Download
memory/528-13-0x00007FFD1F0A0000-0x00007FFD1FA8C000-memory.dmp

Filesize
9.9MB

Download
memory/528-14-0x0000000001050000-0x0000000001128000-memory.dmp

Filesize
864KB

Download
memory/528-15-0x00007FFD1EE70000-0x00007FFD1EF9C000-memory.dmp

Filesize
1.2MB

Download
memory/528-16-0x00007FFD1F0A0000-0x00007FFD1FA8C000-memory.dmp

Filesize
9.9MB

Download
memory/528-17-0x0000023423470000-0x0000023423480000-memory.dmp

Filesize
64KB

Download
memory/528-18-0x00007FFD27BD0000-0x00007FFD27BF5000-memory.dmp

Filesize
148KB

Download
memory/528-19-0x00007FFD2AFA0000-0x00007FFD2B00C000-memory.dmp

Filesize
432KB

Download
memory/528-26-0x00007FFD2B890000-0x00007FFD2BA6B000-memory.dmp

Filesize
1.9MB

Download
memory/528-27-0x00007FFD27DB0000-0x00007FFD27FF9000-memory.dmp

Filesize
2.3MB

Download
memory/528-28-0x00007FFD2B1C0000-0x00007FFD2B25D000-memory.dmp

Filesize
628KB

Download
memory/528-29-0x00007FFD2B090000-0x00007FFD2B1B5000-memory.dmp

Filesize
1.1MB

Download
memory/528-31-0x00007FFD28860000-0x00007FFD288CA000-memory.dmp

Filesize
424KB

Download
memory/528-32-0x00007FFD28E00000-0x00007FFD28EA1000-memory.dmp

Filesize
644KB

Download
memory/528-34-0x00007FFD2AF70000-0x00007FFD2AF97000-memory.dmp

Filesize
156KB

Download
memory/528-35-0x00007FFD2B270000-0x00007FFD2B3BA000-memory.dmp

Filesize
1.3MB

Download
memory/528-33-0x00007FFD29860000-0x00007FFD298B1000-memory.dmp

Filesize
324KB

Download
memory/528-37-0x00007FFD226C0000-0x00007FFD22723000-memory.dmp

Filesize
396KB

Download
memory/528-30-0x00007FFD2B500000-0x00007FFD2B7F9000-memory.dmp

Filesize
3.0MB

Download
memory/528-38-0x00007FFD1FA90000-0x00007FFD1FB2C000-memory.dmp

Filesize
624KB

Download
memory/528-39-0x00007FFD1C5C0000-0x00007FFD1C5CA000-memory.dmp

Filesize
40KB

Download
memory/528-40-0x00007FFD1F0A0000-0x00007FFD1FA8C000-memory.dmp

Filesize
9.9MB

Download
memory/528-41-0x00007FFD1EFA0000-0x00007FFD1F097000-memory.dmp

Filesize
988KB

Download
memory/528-42-0x00007FFD29710000-0x00007FFD29853000-memory.dmp

Filesize
1.3MB

Download
memory/528-44-0x00007FFD27BD0000-0x00007FFD27BF5000-memory.dmp

Filesize
148KB

Download
memory/528-45-0x00007FFD2AFA0000-0x00007FFD2B00C000-memory.dmp

Filesize
432KB

Download
memory/528-46-0x0000000001050000-0x0000000001128000-memory.dmp

Filesize
864KB

Download
memory/528-47-0x000002340A9F0000-0x000002340AA30000-memory.dmp

Filesize
256KB

Download
memory/528-43-0x00007FFD1EE70000-0x00007FFD1EF9C000-memory.dmp

Filesize
1.2MB

Download
memory/2492-920-0x00000000012D0000-0x00000000013A8000-memory.dmp

Filesize
864KB

Download
memory/2492-923-0x0000022BE2DD0000-0x0000022BE2E10000-memory.dmp

Filesize
256KB

Download
memory/2492-964-0x00007FFD1F0A0000-0x00007FFD1FA8C000-memory.dmp

Filesize
9.9MB

Download
memory/2492-962-0x00000000012D0000-0x00000000013A8000-memory.dmp

Filesize
864KB

Download
memory/2492-963-0x0000022BE2DD0000-0x0000022BE2E10000-memory.dmp

Filesize
256KB

Download
memory/2492-937-0x0000022BFD010000-0x0000022BFD020000-memory.dmp

Filesize
64KB

Download
memory/2492-936-0x00007FFD1F0A0000-0x00007FFD1FA8C000-memory.dmp

Filesize
9.9MB

Download
memory/2492-934-0x00000000012D0000-0x00000000013A8000-memory.dmp

Filesize
864KB

Download
memory/3688-77-0x00007FFD27DB0000-0x00007FFD27FF9000-memory.dmp

Filesize
2.3MB

Download
memory/3688-81-0x00007FFD28860000-0x00007FFD288CA000-memory.dmp

Filesize
424KB

Download
memory/3688-65-0x00007FFD1F0A0000-0x00007FFD1FA8C000-memory.dmp

Filesize
9.9MB

Download
memory/3688-66-0x00000000012D0000-0x00000000013A8000-memory.dmp

Filesize
864KB

Download
memory/3688-68-0x00007FFD1F0A0000-0x00007FFD1FA8C000-memory.dmp

Filesize
9.9MB

Download
memory/3688-67-0x00007FFD1EE70000-0x00007FFD1EF9C000-memory.dmp

Filesize
1.2MB

Download
memory/3688-69-0x00007FFD27BD0000-0x00007FFD27BF5000-memory.dmp

Filesize
148KB

Download
memory/3688-71-0x00007FFD2AFA0000-0x00007FFD2B00C000-memory.dmp

Filesize
432KB

Download
memory/3688-70-0x0000020D41CD0000-0x0000020D41CE0000-memory.dmp

Filesize
64KB

Download
memory/3688-72-0x00007FFD22B80000-0x00007FFD22BA5000-memory.dmp

Filesize
148KB

Download
memory/3688-73-0x00007FFD1D130000-0x00007FFD1D1FC000-memory.dmp

Filesize
816KB

Download
memory/3688-74-0x00007FFD27350000-0x00007FFD27387000-memory.dmp

Filesize
220KB

Download
memory/3688-76-0x00007FFD2B890000-0x00007FFD2BA6B000-memory.dmp

Filesize
1.9MB

Download
memory/3688-52-0x00000000012D0000-0x00000000013A8000-memory.dmp

Filesize
864KB

Download
memory/3688-78-0x00007FFD2B1C0000-0x00007FFD2B25D000-memory.dmp

Filesize
628KB

Download
memory/3688-79-0x00007FFD2B090000-0x00007FFD2B1B5000-memory.dmp

Filesize
1.1MB

Download
memory/3688-80-0x00007FFD2B500000-0x00007FFD2B7F9000-memory.dmp

Filesize
3.0MB

Download
memory/3688-64-0x00007FFD1EFA0000-0x00007FFD1F097000-memory.dmp

Filesize
988KB

Download
memory/3688-82-0x00007FFD28E00000-0x00007FFD28EA1000-memory.dmp

Filesize
644KB

Download
memory/3688-83-0x00007FFD29860000-0x00007FFD298B1000-memory.dmp

Filesize
324KB

Download
memory/3688-84-0x00007FFD2AF70000-0x00007FFD2AF97000-memory.dmp

Filesize
156KB

Download
memory/3688-86-0x00007FFD2B270000-0x00007FFD2B3BA000-memory.dmp

Filesize
1.3MB

Download
memory/3688-85-0x00007FFD28D50000-0x00007FFD28DEA000-memory.dmp

Filesize
616KB

Download
memory/3688-88-0x00007FFD226C0000-0x00007FFD22723000-memory.dmp

Filesize
396KB

Download
memory/3688-105-0x00000000012D0000-0x00000000013A8000-memory.dmp

Filesize
864KB

Download
memory/3688-136-0x0000020D279C0000-0x0000020D27A00000-memory.dmp

Filesize
256KB

Download
memory/3688-63-0x00007FFD27D90000-0x00007FFD27DA1000-memory.dmp

Filesize
68KB

Download
memory/3688-62-0x00007FFD2B270000-0x00007FFD2B3BA000-memory.dmp

Filesize
1.3MB

Download
memory/3688-61-0x00007FFD2AF70000-0x00007FFD2AF97000-memory.dmp

Filesize
156KB

Download
memory/3688-60-0x00007FFD2B1C0000-0x00007FFD2B25D000-memory.dmp

Filesize
628KB

Download
memory/3688-59-0x00007FFD1FA90000-0x00007FFD1FB2C000-memory.dmp

Filesize
624KB

Download
memory/3688-55-0x0000020D279C0000-0x0000020D27A00000-memory.dmp

Filesize
256KB

Download
memory/3688-54-0x0000020D279C0000-0x0000020D27A00000-memory.dmp

Filesize
256KB

Download
memory/3688-137-0x00007FFD1F0A0000-0x00007FFD1FA8C000-memory.dmp

Filesize
9.9MB

Download
memory/3688-138-0x0000020D41CD0000-0x0000020D41CE0000-memory.dmp

Filesize
64KB

Download