Analysis
- max time kernel: 142s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/12/2023, 13:46
Behavioral tasks
- behavioral1: sample tmp.exe on resource win7-20231215-en
- behavioral2: sample tmp.exe on resource win10v2004-20231215-en
The signatures and process tree below come from behavioral2 (every YARA hit is under behavioral2/ and the platform above is windows10-2004_x64); results from the Windows 7 run are not on this page.
General
- Target: tmp.exe
- Size: 5.9MB
- MD5: ff03cb1d0fddde80c681ae5fe7ea2119
- SHA1: 5f8a72a358608c1e650c4196ae3d9ffe498b1087
- SHA256: 1d29a82f343372d9ccc7ecd56d49b03b5dfcc2afb654de212c7fff5c67085f13
- SHA512: 0137c3ad8e8f5f72a4cda693b7a43e94d8941c2c2cdff79d0da5b6e310bba7edb7ea04a333fca4d233a92ede731e870a2bcee8f2663b8b69d49d95454d983902
- SSDEEP: 98304:yHZt5ZGYRjCQuTGOkb9uj5PPY3KuG7GJ9TYKdnSYL2wqcKCBYHDRJ/2LSH:Itl8TZP5oKuG7GJGKddL2wZdW1JDH
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence. The Nation value under Control Panel\International\Geo holds the GeoID of the country or region configured for the user; both the sample and the dropped copy read it.
  Description        IoC                                                                                                    Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation  tmp.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation  XRJNZC.exe

Executes dropped EXE (3 IoCs)
  PID   Process
  4736  XRJNZC.exe
  1288  XRJNZC.exe
  1796  XRJNZC.exe

YARA rule matches: vmprotect (20 IoCs)
  Resource                                                                     YARA rule
  behavioral2/memory/4644-2-0x0000000000C70000-0x000000000178B000-memory.dmp   vmprotect
  behavioral2/memory/4644-6-0x0000000000C70000-0x000000000178B000-memory.dmp   vmprotect
  behavioral2/memory/4644-13-0x0000000000C70000-0x000000000178B000-memory.dmp  vmprotect
  behavioral2/memory/4644-21-0x0000000000C70000-0x000000000178B000-memory.dmp  vmprotect
  behavioral2/files/0x0007000000023209-23.dat                                  vmprotect
  behavioral2/files/0x0007000000023209-24.dat                                  vmprotect
  behavioral2/memory/4736-33-0x0000000000400000-0x0000000000F1B000-memory.dmp  vmprotect
  behavioral2/memory/4736-28-0x0000000000400000-0x0000000000F1B000-memory.dmp  vmprotect
  behavioral2/memory/4736-38-0x0000000000400000-0x0000000000F1B000-memory.dmp  vmprotect
  behavioral2/memory/4736-40-0x0000000000400000-0x0000000000F1B000-memory.dmp  vmprotect
  behavioral2/files/0x0007000000023209-41.dat                                  vmprotect
  behavioral2/memory/1288-42-0x0000000000400000-0x0000000000F1B000-memory.dmp  vmprotect
  behavioral2/memory/1288-49-0x0000000000400000-0x0000000000F1B000-memory.dmp  vmprotect
  behavioral2/memory/1288-54-0x0000000000400000-0x0000000000F1B000-memory.dmp  vmprotect
  behavioral2/memory/1288-56-0x0000000000400000-0x0000000000F1B000-memory.dmp  vmprotect
  behavioral2/files/0x0007000000023209-57.dat                                  vmprotect
  behavioral2/memory/1796-58-0x0000000000400000-0x0000000000F1B000-memory.dmp  vmprotect
  behavioral2/memory/1796-65-0x0000000000400000-0x0000000000F1B000-memory.dmp  vmprotect
  behavioral2/memory/1796-70-0x0000000000400000-0x0000000000F1B000-memory.dmp  vmprotect
  behavioral2/memory/1796-72-0x0000000000400000-0x0000000000F1B000-memory.dmp  vmprotect
The rule fires on the sample's image in memory (PID 4644), on the dropped file (0x0007000000023209) and on the image of every XRJNZC.exe instance. The tmp.exe region (0xC70000-0x178B000) and the XRJNZC.exe regions (0x400000-0xF1B000) are the same size, 0xB1B000 bytes, consistent with the dropped file being a copy of the sample. Because the code is VMProtect-packed, static signatures on the file are unreliable; the behavioral IoCs (task name, drop path, registry read) are the more durable indicators.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID   Process
  4620  schtasks.exe

Delays execution with timeout.exe (1 IoCs)
  PID   Process
  4724  timeout.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  PID   Process     Hits
  4644  tmp.exe     2
  4736  XRJNZC.exe  2
  1288  XRJNZC.exe  2
  1796  XRJNZC.exe  2

Suspicious use of WriteProcessMemory (12 IoCs)
  Source PID  Process     Target PID  Target process  Writes  procid_target
  4644        tmp.exe     3384        cmd.exe         3       90
  3384        cmd.exe     4724        timeout.exe     3       92
  3384        cmd.exe     4736        XRJNZC.exe      3       95
  4736        XRJNZC.exe  4620        schtasks.exe    3       97
Each source/target pair is a parent/child edge of the process tree below, which is the pattern process creation itself produces; nothing here points at a write into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\tmp.exe  (PID 4644)
  command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  \-- C:\Windows\SysWOW64\cmd.exe  (PID 3384)
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s3l0.0.bat" "
        - Suspicious use of WriteProcessMemory
        +-- C:\Windows\SysWOW64\timeout.exe  (PID 4724)
        |     command line: timeout 3
        |     - Delays execution with timeout.exe
        \-- C:\ProgramData\pinterests\XRJNZC.exe  (PID 4736)
              command line: "C:\ProgramData\pinterests\XRJNZC.exe"
              - Checks computer location settings
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of WriteProcessMemory
              \-- C:\Windows\SysWOW64\schtasks.exe  (PID 4620)
                    command line: "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "XRJNZC" /tr C:\ProgramData\pinterests\XRJNZC.exe /f
                    - Creates scheduled task(s)

C:\ProgramData\pinterests\XRJNZC.exe  (PID 1288)
  command line: C:\ProgramData\pinterests\XRJNZC.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses

C:\ProgramData\pinterests\XRJNZC.exe  (PID 1796)
  command line: C:\ProgramData\pinterests\XRJNZC.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses

Notes on the tree:
- cmd.exe, timeout.exe and schtasks.exe load from C:\Windows\SysWOW64, so tmp.exe and XRJNZC.exe are 32-bit processes running under WOW64 (cf. the arch:x86 resource tag).
- tmp.exe writes a batch file, s3l0.0.bat, to the user's Temp directory and runs it through cmd.exe; the batch waits three seconds (timeout 3) and then starts the dropped copy from C:\ProgramData\pinterests\.
- The schtasks command registers a task named XRJNZC that runs C:\ProgramData\pinterests\XRJNZC.exe every minute (/sc MINUTE /mo 1) at the highest run level available to the creating account (/RL HIGHEST); /f overwrites any existing task of that name. The task action is the unquoted path, so a hunt should match both the task name and that path.
- PIDs 1288 and 1796 appear as separate roots with exactly the command line given to /tr, consistent with the Task Scheduler launching the task twice within the roughly 142-second run.
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 210KB
  MD5:    7144b1d844d15423fc7a123b6bda62e1
  SHA1:   548a60041c848fc5086c2d2987ac034de4b9241a
  SHA256: d25dac2d29f0ac33038edba1ded1b25b4f2b3734e98a84a4a26e5a974b63744f
  SHA512: 33c853f4c1ea1aa48db636b9f994d5cb8badbda414063c8bb3941d26fe67805a9625230710c85b4ed1d960f77a0e0b4c5b4e58836a969a2c1d606f1448db80aa
- Filesize: 358KB
  MD5:    a470bf2832ff24b84ea77cb6b14204b2
  SHA1:   288c07d7ddbe40f54437702ab0646df5532c8d3e
  SHA256: bac6d45cf5b7fb9063fe5b18b801f71d31b17a25a81140091e93879f82bdc502
  SHA512: 6327f28d43857b5bdcae43677cb6a572ab9fedafbde8d3fb7ae0fcd768bf95bcee7f4765f97989fa45dcf4c5ed5baf67ac7c64bc3ea08567436bfdde98a21d28
- Filesize: 643KB
  MD5:    2c5c0baa6bd9ea6f8000dd65bb843886
  SHA1:   9e30af10130e67d42406221efcd5b8f5d9428515
  SHA256: 9628c5401297e147bb23a7932de8b0e46229db71ba0fbc0e686b293a1ee4ca41
  SHA512: 733c0958fab832139a0a864cf9f796d242282062d57fa3d59d1f359589bad789686fe6eef4e91fc129a3057538f9414e6beb46e6e6cbaec3a5e1f51c633c83c1
- Filesize: 820KB
  MD5:    7feb51455fc72384d3f3956220075b2f
  SHA1:   661e8cb9e4cef960a475bb34cc1b057d5b977047
  SHA256: a6eec4c6cd83a206b012ca274d6ce442880c0000d23ce0a39b4f4b7e0706a17a
  SHA512: c65fc2d01ebf30a938da9be1f26d660df1ac705679292831b47eb89088a4e6db6e7571da3ac87b703895cb5c1a82114db963f63502734f8c65a4346788c5239b
- Filesize: 176B
  MD5:    b9e7d705d0214d48ae01afdb92bf0436
  SHA1:   53f628afd3c56e982df0380a8944a306ea06efd5
  SHA256: c62ac393835116f03916cc8d4e6f6599d59fe6f31bda7baf9a76a29ce914fdd6
  SHA512: 2c6d24f306ec523b25b8171edee64fc54f5a180ccda3aee7b144748a7b66e80115823e73a89b143d6fb98e54dbb461a4d880da42ba4dcacbd3aaa96fae01802c