Analysis
Max time kernel: 144s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20231127-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 05-12-2023 07:10
Static task: static1
Behavioral task: behavioral1
  Sample: mx5YxLHScoqMImo.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: mx5YxLHScoqMImo.exe
  Resource: win10v2004-20231127-en
General
Target: mx5YxLHScoqMImo.exe
Size: 1.9MB
MD5: 4e4c867be87859bce4c0ca42afed00d8
SHA1: 186ccbb0eb39426dc0439c7dd388930dec0ebf2f
SHA256: d9426f66ba3dbff178904ff41cbddf65618a0b7b776b460c5b4af3f3f78ab970
SHA512: 39ca9e1845f4958370999fa28f635637b0ffe0b25ab047a6921245037de2dcd0e2313e3bd7f21b9cff8c28209737e43dd50b4a47618f81de812da8d2667a7610
SSDEEP: 49152:nGpbwGhL9CgTtXcF8cpaR9MM2Tx2v8ZqgpKVad+WjGAmUjgwRl:nGpbwGpZTJc2cpW9Mjx2vGqgpz+WjGAj
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation
  process: mx5YxLHScoqMImo.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\firefox\\firefox.exe"
  process: MSBuild.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 255: api.ipify.org
  flow 254: api.ipify.org

Suspicious use of SetThreadContext (3 IoCs)
Processes:
  PID 4120 mx5YxLHScoqMImo.exe set thread context of PID 3516 MSBuild.exe
  PID 3516 MSBuild.exe set thread context of PID 1708 MSBuild.exe
  PID 1708 MSBuild.exe set thread context of PID 1432 MSBuild.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
Processes:
  PID 1044 WerFault.exe, target PID 1432 MSBuild.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  PID 3820 schtasks.exe
  PID 1784 schtasks.exe

Suspicious behavior: EnumeratesProcesses (11 IoCs)
Processes:
  PID 4120 mx5YxLHScoqMImo.exe (2 events)
  PID 4516 powershell.exe (3 events)
  PID 4076 powershell.exe (3 events)
  PID 1432 MSBuild.exe (3 events)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
  Token: SeDebugPrivilege, PID 4516 powershell.exe
  Token: SeDebugPrivilege, PID 4120 mx5YxLHScoqMImo.exe
  Token: SeDebugPrivilege, PID 4076 powershell.exe
  Token: SeDebugPrivilege, PID 1432 MSBuild.exe
  Token: SeManageVolumePrivilege, PID 1716 svchost.exe

Suspicious use of WriteProcessMemory (39 IoCs)
Processes (source PID and process, target PID and process, number of recorded events):
  PID 4120 mx5YxLHScoqMImo.exe wrote to memory of PID 4516 powershell.exe (3 events)
  PID 4120 mx5YxLHScoqMImo.exe wrote to memory of PID 3820 schtasks.exe (3 events)
  PID 4120 mx5YxLHScoqMImo.exe wrote to memory of PID 2124 MSBuild.exe (3 events)
  PID 4120 mx5YxLHScoqMImo.exe wrote to memory of PID 3516 MSBuild.exe (8 events)
  PID 3516 MSBuild.exe wrote to memory of PID 4076 powershell.exe (3 events)
  PID 3516 MSBuild.exe wrote to memory of PID 1784 schtasks.exe (3 events)
  PID 3516 MSBuild.exe wrote to memory of PID 1708 MSBuild.exe (8 events)
  PID 1708 MSBuild.exe wrote to memory of PID 1432 MSBuild.exe (8 events)
Processes (indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\mx5YxLHScoqMImo.exe (PID 4120)
  Command line: "C:\Users\Admin\AppData\Local\Temp\mx5YxLHScoqMImo.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4516)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LElSceeKwBDH.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\schtasks.exe (PID 3820)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LElSceeKwBDH" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDCB4.tmp"
    - Creates scheduled task(s)
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 2124)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 3516)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4076)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fssBpDQ.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\schtasks.exe (PID 1784)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fssBpDQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp36EA.tmp"
      - Creates scheduled task(s)
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 1708)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 1432)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\WerFault.exe (PID 1044)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 2016
          - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 4704)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1432 -ip 1432

C:\Windows\system32\rundll32.exe (PID 1712)
  Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe (PID 1716)
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1: d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256: 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512: 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Filesize: 2KB
MD5: 968cb9309758126772781b83adb8a28f
SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Filesize: 18KB
MD5: 354a9e3fba3c22f4ffe905ad5405a1f5
SHA1: 851e1cfaf9ef38a54e4a5b23b8d61435bc2548e9
SHA256: f14cf6a85946480814ad3186832be33df65734df143369040a6317120155f790
SHA512: 7fdcf7583d280b1f7f46695e461f864e0b2b1d3f5ff87dcf0135263527b5f20ba548a3ee97c29028cc2817003b02ed069898a2792c742cc0865a684c9353dfe1

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 256KB
MD5: 8fdf47e0ff70c40ed3a17014aeea4232
SHA1: e6256a0159688f0560b015da4d967f41cbf8c9bd
SHA256: ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82
SHA512: bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

Filesize: 1KB
MD5: 6b87d551316a4ee0a25957169efc10fe
SHA1: 78fbe38fdc8574bf0e622b5e80b9cefbfa4a9e16
SHA256: 9c136c56c4970ca8735e5028b16974a8c4221ce4128b20d1e8a3f69010d929f4
SHA512: 92b4dc24dc45295604e88719fc96fb805bb00857d619b767a6e7fa651faad7cfcf559090984ba6cfb75847f18bfaf89b4ce1bfb8a3cdfbb6cca389c17b95210a

Filesize: 1KB
MD5: d089a5d7ba602d611261c88230b34faa
SHA1: 5701c72a8c13d18bb96a5a4d35edbc22f893b372
SHA256: 43cf3c859400f289fc75493ded728bb3e4d4ea6f72e0f7979b38539eafd95b3d
SHA512: b0cde024edec70b8cca31d21b876ee18b6b8670ddfa659fcf7f019d4aefd20151e4c2fe3abda25333dc1a399a685ebbf74642601f42923105881378497b0b749