Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-12-2023 18:41
Behavioral task: behavioral1
Sample: 7a40ca48bc128c6eeff29d4a8cac46fa.exe
Resource: win7-20231215-en
General
Target: 7a40ca48bc128c6eeff29d4a8cac46fa.exe
Size: 111KB
MD5: 7a40ca48bc128c6eeff29d4a8cac46fa
SHA1: fa00aac627e3ebd38a724398264c81f2e5922063
SHA256: e5b1c4c0553a9de4a7e5cea6bff98ffdb51ca04e3a9d1fce807621ac2bb74895
SHA512: 46be169801f7e49acc6fed273cd7649cc4b7cd486b5885574e187395702c95cb53b8fd848d36af587554653913609ff3ad26837be91505540623a45084fc3a23
SSDEEP: 3072:XbiZnYUuQaS+T8sERvc7LLqRI5LUluqb4qOhQW0zCrAZu6gO:uBYUuQaS+T8sERvc7yIalBbpn
Malware Config
Extracted family: toxiceye
C2: https://api.telegram.org/bot1929200100:AAFApHmZ6GD9WbEolE1gi0bnOTW4ipj-SSA/sendMessage?chat_id=1917426247
The C2 is a Telegram Bot API sendMessage endpoint: the path carries the bot token (bot id 1929200100 before the colon) and the query string carries the operator's chat_id (1917426247). Both are blockable indicators in their own right; the host api.telegram.org is not, since it is shared with legitimate bots.
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation (7a40ca48bc128c6eeff29d4a8cac46fa.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation (Alien.exe)
Executes dropped EXE (1 IoC)
- PID 380 Alien.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 1544 schtasks.exe
- PID 928 schtasks.exe
Delays execution with timeout.exe (1 IoC)
- PID 1680 timeout.exe
Enumerates processes with tasklist (1 TTP, 1 IoC)
- PID 4952 tasklist.exe
Suspicious behavior: AddClipboardFormatListener (1 IoC)
- PID 380 Alien.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 380 Alien.exe (all 64 entries)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
- Token: SeDebugPrivilege, PID 3772 7a40ca48bc128c6eeff29d4a8cac46fa.exe
- Token: SeDebugPrivilege, PID 4952 tasklist.exe
- Token: SeDebugPrivilege, PID 380 Alien.exe (reported twice)
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 380 Alien.exe
Suspicious use of WriteProcessMemory (14 IoCs; each pair below is reported twice)
- PID 3772 7a40ca48bc128c6eeff29d4a8cac46fa.exe wrote to memory of 928 (procid_target 94)
- PID 3772 7a40ca48bc128c6eeff29d4a8cac46fa.exe wrote to memory of 3704 (procid_target 97)
- PID 3704 cmd.exe wrote to memory of 4952 (procid_target 99)
- PID 3704 cmd.exe wrote to memory of 4340 (procid_target 100)
- PID 3704 cmd.exe wrote to memory of 1680 (procid_target 101)
- PID 3704 cmd.exe wrote to memory of 380 (procid_target 103)
- PID 380 Alien.exe wrote to memory of 1544 (procid_target 105)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\7a40ca48bc128c6eeff29d4a8cac46fa.exe (PID 3772)
  command line: "C:\Users\Admin\AppData\Local\Temp\7a40ca48bc128c6eeff29d4a8cac46fa.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  ├─ C:\Windows\System32\schtasks.exe (PID 928)
  │    command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Alien\Alien.exe"
  │    - Creates scheduled task(s)
  └─ C:\Windows\System32\cmd.exe (PID 3704)
       command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7417.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp7417.tmp.bat
       - Suspicious use of WriteProcessMemory
       ├─ C:\Windows\system32\tasklist.exe (PID 4952)
       │    command line: Tasklist /fi "PID eq 3772"
       │    - Enumerates processes with tasklist
       │    - Suspicious use of AdjustPrivilegeToken
       ├─ C:\Windows\system32\find.exe (PID 4340)
       │    command line: find ":"
       ├─ C:\Windows\system32\timeout.exe (PID 1680)
       │    command line: Timeout /T 1 /Nobreak
       │    - Delays execution with timeout.exe
       └─ C:\Users\Alien\Alien.exe (PID 380)
            command line: "Alien.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious behavior: AddClipboardFormatListener
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            └─ C:\Windows\System32\schtasks.exe (PID 1544)
                 command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Alien\Alien.exe"
                 - Creates scheduled task(s)

Reading the tree: the sample (PID 3772) first registers a logon task named "Chrome Update" at the highest run level that points at C:\Users\Alien\Alien.exe, then runs a temporary batch file that cmd.exe deletes after use. That batch stage queries Tasklist for PID 3772, pipes through find ":" and sleeps one second with Timeout /T 1 /Nobreak before the dropped Alien.exe appears as its child, which is consistent with a loop that waits for the original sample to exit before launching the dropped copy. Alien.exe then re-registers the same "Chrome Update" task (PID 1544), so the persistence entry exists whether or not the first schtasks call succeeded. Everything persistent lives under C:\Users\Alien, a user-writable location, and the task action path, task name and the tmp*.tmp.bat pattern in %TEMP% are the host-side artefacts to hunt for.
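Hunting logic for the three behaviours the tree shows, as an added Python example written for this page (not sandbox output and not the malware's own code): a logon task named after a browser updater whose action lives under C:\Users, a cmd.exe batch stage that polls tasklist for its own parent's PID before starting a non-Windows binary, and the Telegram Bot API C2 URL. The process events are constructed from the tree above; the benign "Backup" task with PIDs 5000/5001, the user-writable-path prefixes and the updater-lookalike name list are assumptions of this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed process events shaped like the tree in this report, as
# (parent_pid, pid, image, command_line); not sandbox output. The last entry
# is an assumed benign control task that the rule below must not flag.
ALIEN_TASK = (r'"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST '
              r'/tn "Chrome Update" /tr "C:\Users\Alien\Alien.exe"')
EVENTS = [
    (3772, 928, r"C:\Windows\System32\schtasks.exe", ALIEN_TASK),
    (3772, 3704, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7417.tmp.bat '
     r'& Del C:\Users\Admin\AppData\Local\Temp\tmp7417.tmp.bat'),
    (3704, 4952, r"C:\Windows\system32\tasklist.exe", 'Tasklist /fi "PID eq 3772"'),
    (3704, 4340, r"C:\Windows\system32\find.exe", 'find ":"'),
    (3704, 1680, r"C:\Windows\system32\timeout.exe", "Timeout /T 1 /Nobreak"),
    (3704, 380, r"C:\Users\Alien\Alien.exe", '"Alien.exe"'),
    (380, 1544, r"C:\Windows\System32\schtasks.exe", ALIEN_TASK),
    (5000, 5001, r"C:\Windows\System32\schtasks.exe",
     r'schtasks /create /sc DAILY /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'),
]
C2_URL = ("https://api.telegram.org/bot1929200100:AAFApHmZ6GD9WbEolE1gi0bnOTW4ipj-SSA"
          "/sendMessage?chat_id=1917426247")
# Assumed heuristics: locations a standard user can write to, and names that mimic updaters.
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\|[a-z]:\\programdata\\|%(?:appdata|localappdata|temp|userprofile|public)%)", re.I)
UPDATER_LOOKALIKE = re.compile(r"\b(chrome|edge|firefox|windows|adobe|java)\s*update", re.I)

def tokenize(cmdline):
    # Split on whitespace but keep double-quoted spans (paths, task names) whole.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def parse_schtasks(cmdline):
    """Map schtasks switches to their argument (or True for bare ones like /f)."""
    toks, args, i = tokenize(cmdline), {}, 1
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                args[key], i = toks[i + 1], i + 2
                continue
            args[key] = True
        i += 1
    return args

def is_suspicious_schtask(cmdline):
    """A task whose action sits in a user-writable path, plus at least one of:
    logon/boot trigger, highest run level, or an updater-lookalike name."""
    a = parse_schtasks(cmdline)
    if "create" not in a or not USER_WRITABLE.match(str(a.get("tr", ""))):
        return False, ""
    reasons = ["action in user-writable path"]
    if str(a.get("sc", "")).upper() in ("ONLOGON", "ONSTART"):
        reasons.append("logon/boot trigger")
    if str(a.get("rl", "")).upper() == "HIGHEST":
        reasons.append("highest run level")
    if UPDATER_LOOKALIKE.search(str(a.get("tn", ""))):
        reasons.append("updater-lookalike task name")
    return len(reasons) > 1, "; ".join(reasons)

def find_parent_wait_loops(events):
    """cmd.exe whose children are tasklist /fi "PID eq N" + find + timeout with N
    equal to cmd.exe's own parent: a batch polling for the dropper to exit before
    it starts whatever non-Windows binary it also spawns."""
    image_of = {pid: img for _, pid, img, _ in events}
    parent_of = {pid: ppid for ppid, pid, _, _ in events}
    kids = defaultdict(list)
    for ppid, pid, img, cmd in events:
        kids[ppid].append((pid, img, cmd))
    hits = []
    for ppid, children in kids.items():
        if not image_of.get(ppid, "").lower().endswith("\\cmd.exe"):
            continue
        seen, waited, launched = set(), None, []
        for pid, img, cmd in children:
            name = img.rsplit("\\", 1)[-1].lower()
            m = re.search(r"pid\s+eq\s+(\d+)", cmd, re.I)
            if name == "tasklist.exe" and m:
                seen.add("tasklist")
                waited = int(m.group(1))
            elif name in ("find.exe", "timeout.exe"):
                seen.add(name[:-4])
            elif not img.lower().startswith("c:\\windows\\"):
                launched.append(pid)
        if seen == {"tasklist", "find", "timeout"} and waited == parent_of.get(ppid):
            hits.append({"cmd_pid": ppid, "waits_for": waited, "launches": launched})
    return hits

def parse_telegram_c2(url):
    """Split a Telegram Bot API URL into bot id, token, method and chat_id."""
    u = urlparse(url)
    m = re.match(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)$", u.path)
    if u.hostname != "api.telegram.org" or not m:
        return None
    return {"bot_id": m.group(1), "token": f"{m.group(1)}:{m.group(2)}",
            "method": m.group(3), "chat_id": parse_qs(u.query).get("chat_id", [None])[0]}

if __name__ == "__main__":
    for _, pid, img, cmd in EVENTS:
        if img.lower().endswith("\\schtasks.exe"):
            print(pid, is_suspicious_schtask(cmd))
    print(find_parent_wait_loops(EVENTS), parse_telegram_c2(C2_URL))
```

The wait-loop check deliberately ties the PID in the tasklist filter back to cmd.exe's own parent; a batch that merely runs tasklist and timeout is common in admin scripts, but one that waits specifically for its grandparent to die and then starts something outside C:\Windows is the relaunch shape seen here. The scheduled-task rule requires the user-writable action path before any other reason counts, so vendor tasks under Program Files stay quiet even when they use ONLOGON.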
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 208B
MD5: 63ae0611a6aa5d42097c192c54e53f1a
SHA1: 29c2770aac23ffcba4075e978be60f65a9555eca
SHA256: a0568fe66549ffe4825acf615782111e5d136c9cf8dbe9fcb59541c5a01fc3d4
SHA512: c67da1794e5694f40ab2163c9281c63369a72b5de5d4252879bc1d981da5c4ee30e15c8f84607d69b98fdafdc82e3217d388895c851533abd98d8d818a5957fc

Filesize: 111KB
MD5: 7a40ca48bc128c6eeff29d4a8cac46fa
SHA1: fa00aac627e3ebd38a724398264c81f2e5922063
SHA256: e5b1c4c0553a9de4a7e5cea6bff98ffdb51ca04e3a9d1fce807621ac2bb74895
SHA512: 46be169801f7e49acc6fed273cd7649cc4b7cd486b5885574e187395702c95cb53b8fd848d36af587554653913609ff3ad26837be91505540623a45084fc3a23