6ad9ac5ab7a0071a789065d1fe2fde732d88be8faaf4e875e3097157bee34d38

Analysis

max time kernel
148s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2023 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

322KB
MD5

a4212217a2e90127cf2870215d72edf5
SHA1

2fc4ad01c10a37cc88e0c7ac02fed8734c0aa6e7
SHA256

6ad9ac5ab7a0071a789065d1fe2fde732d88be8faaf4e875e3097157bee34d38
SHA512

21c11298113f5a95dc675cfa6c935ba6be26a83f19c34c5e85ede2540fe611f6138200c2376caa00ce301d5b540d1df4339a457ff3963beb5899d8854208cd01
SSDEEP

6144:jSt2tu6b3Ulc6Bxz/Bn8ETaWASeIN8Sez8cihLtKb4XM1gvKUdFebAXmCEctjlLK:O36b3wcYxTBVcSeIWSeYXBKb48MJnBdK

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	GeforceUpdater.exe

Executes dropped EXE 1 IoCs

pid	Process
2596	GeforceUpdater.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	api.ipify.org
18	api.ipify.org
19	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3732	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3888	timeout.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4380	tmp.exe
4380	tmp.exe
2596	GeforceUpdater.exe
2596	GeforceUpdater.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4380	tmp.exe
Token: SeDebugPrivilege	2596	GeforceUpdater.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4380 wrote to memory of 4352	4380	tmp.exe	83
PID 4380 wrote to memory of 4352	4380	tmp.exe	83
PID 4352 wrote to memory of 3888	4352	cmd.exe	86
PID 4352 wrote to memory of 3888	4352	cmd.exe	86
PID 4352 wrote to memory of 2596	4352	cmd.exe	89
PID 4352 wrote to memory of 2596	4352	cmd.exe	89
PID 2596 wrote to memory of 3616	2596	GeforceUpdater.exe	92
PID 2596 wrote to memory of 3616	2596	GeforceUpdater.exe	92
PID 3616 wrote to memory of 3732	3616	cmd.exe	95
PID 3616 wrote to memory of 3732	3616	cmd.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA2E7.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3888
- - C:\ProgramData\AdobeReader\GeforceUpdater.exe
    "C:\ProgramData\AdobeReader\GeforceUpdater.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "MicrosoftEdgeUpdateTaskMachineCoreCor" /tr "C:\ProgramData\AdobeReader\GeforceUpdater.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3616
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "MicrosoftEdgeUpdateTaskMachineCoreCor" /tr "C:\ProgramData\AdobeReader\GeforceUpdater.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:3732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AdobeReader\GeforceUpdater.exe

Filesize
322KB

MD5
a4212217a2e90127cf2870215d72edf5

SHA1
2fc4ad01c10a37cc88e0c7ac02fed8734c0aa6e7

SHA256
6ad9ac5ab7a0071a789065d1fe2fde732d88be8faaf4e875e3097157bee34d38

SHA512
21c11298113f5a95dc675cfa6c935ba6be26a83f19c34c5e85ede2540fe611f6138200c2376caa00ce301d5b540d1df4339a457ff3963beb5899d8854208cd01

Download Submit
C:\ProgramData\AdobeReader\GeforceUpdater.exe

Filesize
322KB

MD5
a4212217a2e90127cf2870215d72edf5

SHA1
2fc4ad01c10a37cc88e0c7ac02fed8734c0aa6e7

SHA256
6ad9ac5ab7a0071a789065d1fe2fde732d88be8faaf4e875e3097157bee34d38

SHA512
21c11298113f5a95dc675cfa6c935ba6be26a83f19c34c5e85ede2540fe611f6138200c2376caa00ce301d5b540d1df4339a457ff3963beb5899d8854208cd01

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA2E7.tmp.bat

Filesize
154B

MD5
edbf1d97b9b09b36d5c61a846624dd59

SHA1
5bea6718e1b5cfe35d2187d5d08690708f96158e

SHA256
1084249908e44a95e80a44ef85d796f3e815bf142d83bd4eefd9853fcacf0533

SHA512
c87f6d7cab8f3216b6cf5c9bccaf9f11b3e02b34eceba5fa28f61f571295520c145b6f56324b4b6fb07a151def134ccdfc647a46ab0009c1bb9e36bffa8129cd

Download Submit
memory/2596-73-0x00007FFAE1A90000-0x00007FFAE1B92000-memory.dmp

Filesize
1.0MB

Download
memory/2596-76-0x00007FFAF0170000-0x00007FFAF0365000-memory.dmp

Filesize
2.0MB

Download
memory/2596-136-0x00000283644D0000-0x00000283644E0000-memory.dmp

Filesize
64KB

Download
memory/2596-135-0x00007FFAD2340000-0x00007FFAD2E01000-memory.dmp

Filesize
10.8MB

Download
memory/2596-134-0x000002834B830000-0x000002834B870000-memory.dmp

Filesize
256KB

Download
memory/2596-52-0x0000000000360000-0x0000000000438000-memory.dmp

Filesize
864KB

Download
memory/2596-88-0x00007FFAEFE60000-0x00007FFAEFEB5000-memory.dmp

Filesize
340KB

Download
memory/2596-87-0x00007FFAE15D0000-0x00007FFAE167A000-memory.dmp

Filesize
680KB

Download
memory/2596-85-0x00007FFAEE400000-0x00007FFAEE755000-memory.dmp

Filesize
3.3MB

Download
memory/2596-86-0x00007FFAEF6F0000-0x00007FFAEF7BD000-memory.dmp

Filesize
820KB

Download
memory/2596-84-0x00007FFAE1DD0000-0x00007FFAE1E35000-memory.dmp

Filesize
404KB

Download
memory/2596-83-0x00007FFAEFEC0000-0x00007FFAEFFEA000-memory.dmp

Filesize
1.2MB

Download
memory/2596-82-0x00007FFAEEE60000-0x00007FFAEEEFE000-memory.dmp

Filesize
632KB

Download
memory/2596-81-0x00007FFAEE2E0000-0x00007FFAEE38C000-memory.dmp

Filesize
688KB

Download
memory/2596-80-0x00007FFAEEF80000-0x00007FFAEEFAB000-memory.dmp

Filesize
172KB

Download
memory/2596-79-0x00007FFAEFCB0000-0x00007FFAEFE51000-memory.dmp

Filesize
1.6MB

Download
memory/2596-78-0x00007FFAEE060000-0x00007FFAEE0FD000-memory.dmp

Filesize
628KB

Download
memory/2596-77-0x00007FFAEDC90000-0x00007FFAEDF59000-memory.dmp

Filesize
2.8MB

Download
memory/2596-74-0x00007FFAECC60000-0x00007FFAECC9B000-memory.dmp

Filesize
236KB

Download
memory/2596-72-0x00007FFAE1A50000-0x00007FFAE1A85000-memory.dmp

Filesize
212KB

Download
memory/2596-69-0x00007FFAEE100000-0x00007FFAEE127000-memory.dmp

Filesize
156KB

Download
memory/2596-71-0x00007FFAEE390000-0x00007FFAEE3FB000-memory.dmp

Filesize
428KB

Download
memory/2596-70-0x00000283644D0000-0x00000283644E0000-memory.dmp

Filesize
64KB

Download
memory/2596-66-0x00007FFAD2340000-0x00007FFAD2E01000-memory.dmp

Filesize
10.8MB

Download
memory/2596-68-0x00007FFAD0B30000-0x00007FFAD0C7E000-memory.dmp

Filesize
1.3MB

Download
memory/2596-67-0x0000000000360000-0x0000000000438000-memory.dmp

Filesize
864KB

Download
memory/2596-65-0x00007FFAEEF80000-0x00007FFAEEFAB000-memory.dmp

Filesize
172KB

Download
memory/2596-64-0x00007FFAD2340000-0x00007FFAD2E01000-memory.dmp

Filesize
10.8MB

Download
memory/2596-63-0x00007FFAEFCB0000-0x00007FFAEFE51000-memory.dmp

Filesize
1.6MB

Download
memory/2596-62-0x00007FFAD2280000-0x00007FFAD233D000-memory.dmp

Filesize
756KB

Download
memory/2596-61-0x00007FFAEB7B0000-0x00007FFAEB7C2000-memory.dmp

Filesize
72KB

Download
memory/2596-54-0x000002834B830000-0x000002834B870000-memory.dmp

Filesize
256KB

Download
memory/2596-59-0x00007FFAE15D0000-0x00007FFAE167A000-memory.dmp

Filesize
680KB

Download
memory/2596-55-0x000002834B830000-0x000002834B870000-memory.dmp

Filesize
256KB

Download
memory/2596-60-0x00007FFAEEE60000-0x00007FFAEEEFE000-memory.dmp

Filesize
632KB

Download
memory/2596-104-0x0000000000360000-0x0000000000438000-memory.dmp

Filesize
864KB

Download
memory/4380-10-0x00007FFAE15C0000-0x00007FFAE167D000-memory.dmp

Filesize
756KB

Download
memory/4380-0-0x00000000002E0000-0x00000000003B8000-memory.dmp

Filesize
864KB

Download
memory/4380-48-0x00000000002E0000-0x00000000003B8000-memory.dmp

Filesize
864KB

Download
memory/4380-12-0x00007FFAD24F0000-0x00007FFAD2FB1000-memory.dmp

Filesize
10.8MB

Download
memory/4380-46-0x00007FFAEE390000-0x00007FFAEE3FB000-memory.dmp

Filesize
428KB

Download
memory/4380-45-0x00007FFAEE100000-0x00007FFAEE127000-memory.dmp

Filesize
156KB

Download
memory/4380-44-0x00007FFAD0DA0000-0x00007FFAD0EEE000-memory.dmp

Filesize
1.3MB

Download
memory/4380-32-0x00007FFAEEE60000-0x00007FFAEEEFE000-memory.dmp

Filesize
632KB

Download
memory/4380-42-0x00007FFAE15C0000-0x00007FFAE167D000-memory.dmp

Filesize
756KB

Download
memory/4380-41-0x00007FFAE6520000-0x00007FFAE6536000-memory.dmp

Filesize
88KB

Download
memory/4380-40-0x00007FFAD24F0000-0x00007FFAD2FB1000-memory.dmp

Filesize
10.8MB

Download
memory/4380-39-0x00007FFADE120000-0x00007FFADE12A000-memory.dmp

Filesize
40KB

Download
memory/4380-37-0x00007FFAEFE60000-0x00007FFAEFEB5000-memory.dmp

Filesize
340KB

Download
memory/4380-36-0x00007FFAE1D80000-0x00007FFAE1E2A000-memory.dmp

Filesize
680KB

Download
memory/4380-35-0x00007FFAEE400000-0x00007FFAEE755000-memory.dmp

Filesize
3.3MB

Download
memory/4380-34-0x00007FFAE2580000-0x00007FFAE25E5000-memory.dmp

Filesize
404KB

Download
memory/4380-33-0x00007FFAEFEC0000-0x00007FFAEFFEA000-memory.dmp

Filesize
1.2MB

Download
memory/4380-43-0x00007FFAEEBD0000-0x00007FFAEECFA000-memory.dmp

Filesize
1.2MB

Download
memory/4380-47-0x000001D421E90000-0x000001D421ED0000-memory.dmp

Filesize
256KB

Download
memory/4380-3-0x000001D421E90000-0x000001D421ED0000-memory.dmp

Filesize
256KB

Download
memory/4380-7-0x00007FFAE1D80000-0x00007FFAE1E2A000-memory.dmp

Filesize
680KB

Download
memory/4380-8-0x00007FFAEEE60000-0x00007FFAEEEFE000-memory.dmp

Filesize
632KB

Download
memory/4380-29-0x00007FFAEEF80000-0x00007FFAEEFAB000-memory.dmp

Filesize
172KB

Download
memory/4380-28-0x00007FFAEFCB0000-0x00007FFAEFE51000-memory.dmp

Filesize
1.6MB

Download
memory/4380-31-0x00007FFAEE2E0000-0x00007FFAEE38C000-memory.dmp

Filesize
688KB

Download
memory/4380-26-0x00007FFAF0170000-0x00007FFAF0365000-memory.dmp

Filesize
2.0MB

Download
memory/4380-19-0x00007FFAEE390000-0x00007FFAEE3FB000-memory.dmp

Filesize
428KB

Download
memory/4380-18-0x000001D43A9E0000-0x000001D43A9F0000-memory.dmp

Filesize
64KB

Download
memory/4380-17-0x00007FFAEE100000-0x00007FFAEE127000-memory.dmp

Filesize
156KB

Download
memory/4380-16-0x00007FFAD24F0000-0x00007FFAD2FB1000-memory.dmp

Filesize
10.8MB

Download
memory/4380-15-0x00007FFAD0DA0000-0x00007FFAD0EEE000-memory.dmp

Filesize
1.3MB

Download
memory/4380-14-0x00000000002E0000-0x00000000003B8000-memory.dmp

Filesize
864KB

Download
memory/4380-13-0x00007FFAEEF80000-0x00007FFAEEFAB000-memory.dmp

Filesize
172KB

Download
memory/4380-2-0x000001D421E90000-0x000001D421ED0000-memory.dmp

Filesize
256KB

Download
memory/4380-11-0x00007FFAEFCB0000-0x00007FFAEFE51000-memory.dmp

Filesize
1.6MB

Download
memory/4380-27-0x00007FFAEDC90000-0x00007FFAEDF59000-memory.dmp

Filesize
2.8MB

Download
memory/4380-9-0x00007FFAEB7B0000-0x00007FFAEB7C2000-memory.dmp

Filesize
72KB

Download