Analysis
max time kernel: 298s
max time network: 300s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/12/2023, 12:58
Behavioral tasks
behavioral1: sample cp.exe, resource win7-20231215-en
behavioral2: sample cp.exe, resource win10v2004-20231215-en (the run reported below)
General
Target: cp.exe
Size: 5.5MB
MD5: 2d58310bb545d2d9b3b562dcd27d8755
SHA1: b00111934a023577c823eb80115df75e8ee6b94c
SHA256: ca1fb3d8a70ec2e8baf3e420426c8c5db796df0799c4f94c03f7330c3c4d3cfe
SHA512: 0147f1652cd806b62029d5dcd890b9a508bb01b36926f413b752b2356da8e19407044a5e2d03eb3c53e868a3546328bac4eabe9beb1c17fcfd742cdbd8b8d59a
SSDEEP: 98304:zl95YReQ2RgCafgakYfmZiWrwpdXGSZqdNKQeLWk7/xMmsG9AJeHu:zl95nQ6g3k4WrwpdXWwlTpMd7P
Malware Config
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence. The Geo\Nation value holds the Windows GeoID of the user's configured country; reading it is consistent with geofencing but is also done by many legitimate installers, so it is a weak indicator on its own. Both the dropper and the dropped binary query it.
  description        ioc                                                                                              process
  Key value queried  \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation   cp.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation   XRJNZC.exe
Executes dropped EXE (6 IoCs)
  pid   process
  2056  XRJNZC.exe
  3816  XRJNZC.exe
  4540  XRJNZC.exe
  4072  XRJNZC.exe
  1832  XRJNZC.exe
  3136  XRJNZC.exe

YARA rule matches: vmprotect (21 IoCs)
All matches are the same rule: the cp.exe image in memory (PID 1480, 0x200000-0xC70000), seven snapshots of the dropped file 0x0008000000023228, and each XRJNZC.exe instance mapped at 0x5B0000-0x1020000.
  resource                                                                        yara_rule
  behavioral2/memory/1480-0-0x0000000000200000-0x0000000000C70000-memory.dmp      vmprotect
  behavioral2/memory/1480-5-0x0000000000200000-0x0000000000C70000-memory.dmp      vmprotect
  behavioral2/files/0x0008000000023228-15.dat                                     vmprotect
  behavioral2/files/0x0008000000023228-14.dat                                     vmprotect
  behavioral2/memory/2056-16-0x00000000005B0000-0x0000000001020000-memory.dmp     vmprotect
  behavioral2/memory/2056-21-0x00000000005B0000-0x0000000001020000-memory.dmp     vmprotect
  behavioral2/files/0x0008000000023228-23.dat                                     vmprotect
  behavioral2/memory/3816-24-0x00000000005B0000-0x0000000001020000-memory.dmp     vmprotect
  behavioral2/memory/3816-29-0x00000000005B0000-0x0000000001020000-memory.dmp     vmprotect
  behavioral2/files/0x0008000000023228-31.dat                                     vmprotect
  behavioral2/memory/4540-32-0x00000000005B0000-0x0000000001020000-memory.dmp     vmprotect
  behavioral2/memory/4540-37-0x00000000005B0000-0x0000000001020000-memory.dmp     vmprotect
  behavioral2/files/0x0008000000023228-39.dat                                     vmprotect
  behavioral2/memory/4072-40-0x00000000005B0000-0x0000000001020000-memory.dmp     vmprotect
  behavioral2/memory/4072-45-0x00000000005B0000-0x0000000001020000-memory.dmp     vmprotect
  behavioral2/files/0x0008000000023228-47.dat                                     vmprotect
  behavioral2/memory/1832-48-0x00000000005B0000-0x0000000001020000-memory.dmp     vmprotect
  behavioral2/memory/1832-53-0x00000000005B0000-0x0000000001020000-memory.dmp     vmprotect
  behavioral2/files/0x0008000000023228-55.dat                                     vmprotect
  behavioral2/memory/3136-56-0x00000000005B0000-0x0000000001020000-memory.dmp     vmprotect
  behavioral2/memory/3136-61-0x00000000005B0000-0x0000000001020000-memory.dmp     vmprotect
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   process
  1184  schtasks.exe

Delays execution with timeout.exe (1 IoCs)
  pid   process
  1904  timeout.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Every target below is the writer's own direct child in the process tree (cp.exe -> cmd.exe, cmd.exe -> timeout.exe and XRJNZC.exe, XRJNZC.exe -> schtasks.exe), and each pair is reported three times. That pattern is what ordinary process creation looks like from this signature; it is not evidence of injection into an unrelated process.
  description                      pid   process      procid_target
  PID 1480 wrote to memory of 3232  1480  cp.exe       48
  PID 1480 wrote to memory of 3232  1480  cp.exe       48
  PID 1480 wrote to memory of 3232  1480  cp.exe       48
  PID 3232 wrote to memory of 1904  3232  cmd.exe      49
  PID 3232 wrote to memory of 1904  3232  cmd.exe      49
  PID 3232 wrote to memory of 1904  3232  cmd.exe      49
  PID 3232 wrote to memory of 2056  3232  cmd.exe      95
  PID 3232 wrote to memory of 2056  3232  cmd.exe      95
  PID 3232 wrote to memory of 2056  3232  cmd.exe      95
  PID 2056 wrote to memory of 1184  2056  XRJNZC.exe   97
  PID 2056 wrote to memory of 1184  2056  XRJNZC.exe   97
  PID 2056 wrote to memory of 1184  2056  XRJNZC.exe   97
Processes
(leading number = nesting depth in the tree)

1  C:\Users\Admin\AppData\Local\Temp\cp.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\cp.exe"
   PID 1480
   signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

   2  C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s154.0.bat" "
      PID 3232
      signatures: Suspicious use of WriteProcessMemory

      3  C:\Windows\SysWOW64\timeout.exe
         command line: timeout 3
         PID 1904
         signatures: Delays execution with timeout.exe

      3  C:\ProgramData\pinterests\XRJNZC.exe
         command line: "C:\ProgramData\pinterests\XRJNZC.exe"
         PID 2056
         signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory

         4  C:\Windows\SysWOW64\schtasks.exe
            command line: "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "XRJNZC" /tr C:\ProgramData\pinterests\XRJNZC.exe /f
            PID 1184
            signatures: Creates scheduled task(s)

1  C:\ProgramData\pinterests\XRJNZC.exe
   command line: C:\ProgramData\pinterests\XRJNZC.exe
   PID 3816
   signatures: Executes dropped EXE

1  C:\ProgramData\pinterests\XRJNZC.exe
   command line: C:\ProgramData\pinterests\XRJNZC.exe
   PID 4540
   signatures: Executes dropped EXE

1  C:\ProgramData\pinterests\XRJNZC.exe
   command line: C:\ProgramData\pinterests\XRJNZC.exe
   PID 4072
   signatures: Executes dropped EXE

1  C:\ProgramData\pinterests\XRJNZC.exe
   command line: C:\ProgramData\pinterests\XRJNZC.exe
   PID 1832
   signatures: Executes dropped EXE

1  C:\ProgramData\pinterests\XRJNZC.exe
   command line: C:\ProgramData\pinterests\XRJNZC.exe
   PID 3136
   signatures: Executes dropped EXE

Reading the tree: cp.exe runs a batch file from %TEMP% (s154.0.bat) through cmd.exe; the batch sleeps three seconds (timeout 3) and then starts the dropped XRJNZC.exe from C:\ProgramData\pinterests. XRJNZC.exe registers a scheduled task named XRJNZC that re-runs it every minute (/sc MINUTE /mo 1) with the highest run level available to the user (/RL HIGHEST), overwriting any existing task of that name (/f). The five further XRJNZC.exe instances have no parent in the tree and carry exactly the unquoted /tr path as their command line, which matches that task firing over the rest of the run. The system binaries resolve to C:\Windows\SysWOW64 although the command lines name System32 because cp.exe is 32-bit (resource tag arch:x86) and WOW64 file-system redirection maps System32 to SysWOW64 for its children.
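Detection logic for the staging and persistence chain shown in the tree and the signatures above, as an added example in Python (not part of the sandbox report). It replays constructed process-creation events whose PIDs, images and command lines are copied from the tree; the parent PIDs of cp.exe and of the task-launched XRJNZC.exe instances are not in the report and are set to a placeholder of 0. Three rules are applied: a schtasks /create that points a minute-interval, /RL HIGHEST task at a binary in a user-writable directory; a cmd.exe running a batch file from %TEMP% that starts an executable from such a directory (with or without a timeout delay); and repeated launches of the same user-writable binary. The rule names and thresholds are this example's own choices.

```python
"""Flag the persistence chain from the sandbox process tree.

Added example, not part of the report. Events below are constructed from
the report's tree; PPID 0 is a placeholder for parents it does not show.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree (PIDs, images, command lines).
EVENTS = [
    ProcEvent(1480, 0, r"C:\Users\Admin\AppData\Local\Temp\cp.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\cp.exe"'),
    ProcEvent(3232, 1480, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s154.0.bat" "'),
    ProcEvent(1904, 3232, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    ProcEvent(2056, 3232, r"C:\ProgramData\pinterests\XRJNZC.exe",
              r'"C:\ProgramData\pinterests\XRJNZC.exe"'),
    ProcEvent(1184, 2056, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 '
              r'/RL HIGHEST /tn "XRJNZC" /tr C:\ProgramData\pinterests\XRJNZC.exe /f'),
] + [
    # The five task-launched instances; parent (Task Scheduler) not in report.
    ProcEvent(pid, 0, r"C:\ProgramData\pinterests\XRJNZC.exe",
              r"C:\ProgramData\pinterests\XRJNZC.exe")
    for pid in (3816, 4540, 4072, 1832, 3136)
]

# Directories a standard user can write to. A binary here that is wired into
# a high-privilege recurring task is the pattern worth alerting on.
USER_WRITABLE = re.compile(r"^[a-z]:\\(?:programdata|users\\[^\\]+\\appdata)\\", re.I)


def tokens(cmdline):
    """Split a Windows command line into tokens, dropping surrounding quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline):
    """Return {switch: value} for a 'schtasks ... /create' line, else None.

    Switches without a following value (e.g. /create, /f) map to True.
    """
    toks = tokens(cmdline)
    if not toks or not toks[0].lower().endswith("schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key] = toks[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts if "create" in opts else None


def schtasks_is_suspicious(opts):
    """Minute-interval (<= 5 min), highest run level, target in a user-writable dir."""
    try:
        interval = int(opts.get("mo", "1"))
    except ValueError:
        interval = 1
    return (str(opts.get("sc", "")).lower() == "minute" and interval <= 5
            and str(opts.get("rl", "")).lower() == "highest"
            and bool(USER_WRITABLE.match(str(opts.get("tr", "")))))


def analyse(events):
    """Return a list of (rule, pid, detail) findings over the event set."""
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    findings = []
    for e in events:
        image = e.image.lower()
        if image.endswith("\\schtasks.exe"):
            opts = parse_schtasks(e.cmdline)
            if opts and schtasks_is_suspicious(opts):
                findings.append(("persistence.schtasks_minute_highest", e.pid,
                                 f"task {opts.get('tn')} -> {opts.get('tr')}"))
        if image.endswith("\\cmd.exe") and re.search(
                r"\\appdata\\local\\temp\\[^\"\s]+\.bat", e.cmdline, re.I):
            kids = children.get(e.pid, [])
            dropped = [c for c in kids if USER_WRITABLE.match(c.image)]
            delayed = any(c.image.lower().endswith("\\timeout.exe") for c in kids)
            if dropped:
                findings.append(("staging.temp_batch_runs_dropped_exe", e.pid,
                                 f"{'delayed, ' if delayed else ''}runs "
                                 + ", ".join(c.image for c in dropped)))
    # Repeated starts of one user-writable binary: the scheduled task firing.
    launches = {}
    for e in events:
        if USER_WRITABLE.match(e.image):
            launches.setdefault(e.image.lower(), []).append(e.pid)
    for image, pids in launches.items():
        if len(pids) >= 3:
            findings.append(("persistence.repeated_launch", pids[0],
                             f"{image} started {len(pids)} times"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyse(EVENTS):
        print(f"{rule:40} pid={pid:<5} {detail}")
```

Against the constructed events this yields three findings: the batch-staged launch of XRJNZC.exe (delayed by timeout), the minute-interval /RL HIGHEST task, and six starts of the same ProgramData binary. The same parser can be fed real Sysmon event ID 1 or EDR process-creation records; the only field it needs beyond PID and parent PID is the full command line, since the task's interval, run level and target all live there.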
Network
MITRE ATT&CK Enterprise v15
Downloads
(files written during the run, listed by hash only; the report gives no file names)

Filesize: 348KB
MD5: 8027475573cf0d5b669ee82da5ed94a0
SHA1: 45457aff62bb358698ed73b706e454110992ce92
SHA256: f7d915166d97430504adc58aad0e98b55817d07601b7ea4fb9a1569e0b25dfe1
SHA512: bef6838bae06134fe629121aa223a799ba3b837cd270c70e6d85dbae6a3a4b23cb97eb96f7df086026f4bb5e5bef3e6dbf8f5020a5d81a2bb8625c022b08e561

Filesize: 286KB
MD5: c00ba6a1c746f197e2577181419087bb
SHA1: acb2e2ae53b0631b09ded197dbd03cdffd375193
SHA256: a11edb8468f403efc569f669c39bd9490badf9b438b8fa52f17f73731e95df9d
SHA512: adef50a91606b55b88a228eb2bffacfd3128d794a1eaacc0d0921e88d5eed8b98a04fd9b24ba0bcbdf98f9908250afc226f135598c72836ecaf0bddb48da5673

Filesize: 3.0MB
MD5: 2ce664a8f0fdc5e69f4f5ad452771b1d
SHA1: 8df505351da5cbbc0430d1726c31736f68581548
SHA256: 5d746123121dae5bd41d75e56ac14e450b8585cee0540ecd36b9f844ede18453
SHA512: 70e9340c0b18003c440a30041e01a82fb12207cd00263ac705252d09ee3c4e756a35a9736242f813cb0411f0ec882d4868bc9a9496026b82bf187c3a00e82b29

Filesize: 2.0MB
MD5: 1c5d52c406d248c773214bfd814ba8f4
SHA1: c56d95697ee40a7675da31e9c4cbad9f0101eefa
SHA256: 57e5bebaf5a89443f060601efe9ac8232deba0bda87c11e76712825f3203c508
SHA512: 93cd96b0c69fcc959acf03453413a2588078152df6a98e4f3ae3494ec649a6b2c9d37910fd38141ba93274b0dcab87c013e1018921e7eabafa6181a3845c1915

Filesize: 615KB
MD5: eb604ba588c97d9e67b4e0a1b4671611
SHA1: d5a9cdd2b63451a760cd4b70ec15f4825d939551
SHA256: 11dff5b7cc03e15b41884b4a2e496b716945a1191ddfd6a9462c2b1b0ad56256
SHA512: 9ea717f55c994d2d858ec75bd8d7c867d89a657c95a7cd2afacd817a6da1afc53895b082ea95e794b5e1f79342589c8d9eaa4b5e9e555c8dc50396743467d6fb

Filesize: 3.4MB
MD5: ba616edeb8b2459ffb0b6241ef90f210
SHA1: 2fd17f95b4a3a124842953e5e61c263581d66850
SHA256: ebd25ddb967dacbb1e69db2a4fb4d4137e759fe6dd3fe6a3ed6507c127680424
SHA512: 789c96ae2eb44345297585f6e9d990fe2ac61a2d0952ec69448e0de415da619386b761ed4de6d8c3bef6e790093e0b0218a3ee1a7b33a09cf18312114649eb6c

Filesize: 2.9MB
MD5: 85f3a7304da8e13d7f496d8825ff7d27
SHA1: 96633a9db839c03e1d650ef5fbdc493811b767a9
SHA256: 97e1e68ffa83a51aee5d5726d649b0780b18417d1be87479a08163f1e4f7db8a
SHA512: c4e10289f1e5b6d50a2a63a42ab2ebc10e3fb0ccaeab36dca87c3c5204eaee752159be8d64ffe281d48634d314e4eeaa086c7af2c9af6bdfcdbb3f2e16c4a189

Filesize: 176B
MD5: bdc923a8555ef651fb7cd28c5e1053e2
SHA1: 7d6bfa04bd3292b0f5bd662132086a06819476a7
SHA256: 2b525e113980fa7e0584ef86db031fbb09c6c5ea247218f387581b683f8f81fc
SHA512: f01d193edba828e053868674ed485d447246de455ff0b0a539755e8e8b066b5c15aa5e19c1359352b6db05068784bae8452068bf4eb1648139b3ff7d111b5af5