bd39f5170b80286b2bbc9def073788174bb7a484becbf47d0e572a74e8f81219

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 14:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

024fa1d523f48d8cdfaf7b6edc6ee529.exe
Size

1.9MB
MD5

024fa1d523f48d8cdfaf7b6edc6ee529
SHA1

eec3fdffc944106496d5767b8c17b1fb37e5fbad
SHA256

bd39f5170b80286b2bbc9def073788174bb7a484becbf47d0e572a74e8f81219
SHA512

def4ff493f846cb04e8d783ed9ee7ef87b099b5ae52fedbf2ccfc6ac3fc6d19e2a8cd7e3ddc7626dcc3dba9d64304830e5b7fff67512e39b8a71d7d841eab1e2
SSDEEP

49152:uHnRfDawqvjdVyFM545r/m8mCA5arr9FPJ2TVXm2itrJtNam/Wcfufpz:uHxD7qvjdVyFM545r/moA5arr9Fx2TVD

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	024fa1d523f48d8cdfaf7b6edc6ee529.exe

Executes dropped EXE 2 IoCs

pid	Process
1416	taskmgr.exe
1536	relegolas.exe

Loads dropped DLL 4 IoCs

pid	Process
1416	taskmgr.exe
1416	taskmgr.exe
1536	relegolas.exe
1536	relegolas.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TaskMgr = "\"C:\\Users\\Admin\\AppData\\Roaming\\taskmgr.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TaskMgr = "\"C:\\Users\\Admin\\AppData\\Roaming\\taskmgr.exe\""	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
4712	reg.exe
2724	reg.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe
2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1416	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1416	taskmgr.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1536	relegolas.exe
1416	taskmgr.exe
1536	relegolas.exe
1536	relegolas.exe
1536	relegolas.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 1416	2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe	40
PID 2208 wrote to memory of 1416	2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe	40
PID 2208 wrote to memory of 1416	2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe	40
PID 1416 wrote to memory of 1108	1416	taskmgr.exe	39
PID 1416 wrote to memory of 1108	1416	taskmgr.exe	39
PID 1416 wrote to memory of 1108	1416	taskmgr.exe	39
PID 2208 wrote to memory of 1536	2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe	38
PID 2208 wrote to memory of 1536	2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe	38
PID 2208 wrote to memory of 1536	2208	024fa1d523f48d8cdfaf7b6edc6ee529.exe	38
PID 1108 wrote to memory of 3876	1108	cmd.exe	31
PID 1108 wrote to memory of 3876	1108	cmd.exe	31
PID 1108 wrote to memory of 3876	1108	cmd.exe	31
PID 3876 wrote to memory of 2724	3876	cmd.exe	36
PID 3876 wrote to memory of 2724	3876	cmd.exe	36
PID 3876 wrote to memory of 2724	3876	cmd.exe	36
PID 1416 wrote to memory of 952	1416	taskmgr.exe	33
PID 1416 wrote to memory of 952	1416	taskmgr.exe	33
PID 1416 wrote to memory of 952	1416	taskmgr.exe	33
PID 952 wrote to memory of 1480	952	cmd.exe	35
PID 952 wrote to memory of 1480	952	cmd.exe	35
PID 952 wrote to memory of 1480	952	cmd.exe	35
PID 1480 wrote to memory of 4712	1480	cmd.exe	34
PID 1480 wrote to memory of 4712	1480	cmd.exe	34
PID 1480 wrote to memory of 4712	1480	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\024fa1d523f48d8cdfaf7b6edc6ee529.exe
"C:\Users\Admin\AppData\Local\Temp\024fa1d523f48d8cdfaf7b6edc6ee529.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Roaming\relegolas.exe
  "C:\Users\Admin\AppData\Roaming\relegolas.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1536
- C:\Users\Admin\AppData\Roaming\taskmgr.exe
  "C:\Users\Admin\AppData\Roaming\taskmgr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1416

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V TaskMgr /D "\"C:\Users\Admin\AppData\Roaming\taskmgr.exe\"" /f
1⤵
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Windows\SysWOW64\reg.exe
  REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V TaskMgr /D "\"C:\Users\Admin\AppData\Roaming\taskmgr.exe\"" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:2724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c system.bat
1⤵
- Suspicious use of WriteProcessMemory
PID:952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V TaskMgr /D "\"C:\Users\Admin\AppData\Roaming\taskmgr.exe\"" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1480

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V TaskMgr /D "\"C:\Users\Admin\AppData\Roaming\taskmgr.exe\"" /f
1⤵
- Adds Run key to start application
- Modifies registry key
PID:4712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c system.bat
1⤵
- Suspicious use of WriteProcessMemory
PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\system.bat

Filesize
149B

MD5
cd7606f9e6ad92796bd6ec9ae6c360ba

SHA1
5ef75e1c15e91f0f736591ace33048f2fbfc5196

SHA256
b51926f04965d585adf2eea81e9a68820846fd06c98b6f433928cb3a69a49000

SHA512
29b776fbde646e92366d9f341cb46af517a31919c4e829d88bb2d946999df19b4ec383ff7d422fb51553d14ce1271a0a44d852191be6f68fc91c59b2cd0542db

Download Submit
C:\Users\Admin\AppData\Roaming\ntcheck.dll

Filesize
148KB

MD5
41675636ee4d4d1531a39ba710719c65

SHA1
258607af796845ea1b5a15074ec0c38c002900c5

SHA256
b4950228a35421b9b8d498cc90dc558ffee2a3f63f75c6b135bfc8ed12c49d37

SHA512
97eb37f52d18bac9e492ab85c781af84659bd6aa3dc6f97d9d9cf1907025430816f082913b9ac0d627183e14779a0176d324cdd39ff068f899003efd268f49d3

Download Submit
C:\Users\Admin\AppData\Roaming\ntcheck.dll

Filesize
128KB

MD5
bbe8549c182d177476eecd57d4dc7839

SHA1
5e8213a296cdb8f006b9535d62926d5005471a15

SHA256
045ede33ea0be2ef14b1cc0886c94d92d529e77229048d524e57b81bfadd32ec

SHA512
f54dd4c23051f32a09980442b01e30443e7d46d13cd156c71a7c4ec804ab282369550e38c3d65bf36a4041009414ddbb950239256a8a9ccfcc17743c249c7c27

Download Submit
C:\Users\Admin\AppData\Roaming\ntcheck.dll

Filesize
195KB

MD5
ff85ecd2df6cbf65169218e5f96adcb2

SHA1
2aceb7144ee14eb78f0ed4165f0f6d19dcea96e6

SHA256
ceee147d8f2accd76e6716bde42635b1bf9f238eca90dd219eb6b9a16e84d1b9

SHA512
0ed50bf1bdb48174fbb860d8a8b7e8cd34e42ce0c1753e32db6ad0de17099965c6323389bf102b48cf3455fce683b9ec81e065cf22cc667683e88135dbda4398

Download Submit
C:\Users\Admin\AppData\Roaming\ntcheck.dll

Filesize
145KB

MD5
146bd45fa1c9230a4bca6409009aeaf4

SHA1
410cc76e12e3b22936e9a820a15b4dfe1dc87633

SHA256
88258e5552de39960df0e62d5e0d83d1c6d0575e100c651bd86b4230f9d1c340

SHA512
00111041b30ee7c2f97a740cfda300b8426bf5d3598513661c49b8300953a15c3c7fe5813d54b3d3100a756f8ad30fc4a7beadef496015ee2685b5588ce7a333

Download Submit
C:\Users\Admin\AppData\Roaming\ntcheck.dll

Filesize
57KB

MD5
0f017165f2b4d303a73156255f64908c

SHA1
b95e7dc48cd13de1dbf2b8e855bf24ff057fce17

SHA256
945c9e23823fc23257e3b0ab70381647dfcab9e6d588a12774f7681c5f9555fa

SHA512
aa91a1c9e242813f2514b5c676d240d65374d4d023ba2ca079639038b95943438bbbfbcbe9630e0f5a4c3adab05559a249b86c8b0edd7ed140876eaadcb5f7bc

Download Submit
C:\Users\Admin\AppData\Roaming\relegolas.exe

Filesize
115KB

MD5
bb7d65c3ef525dffd575e99909e5702c

SHA1
989016e30a315079e8af461cfff1b539653f5376

SHA256
1b4f14a1cef5e6a9f0a3966ab17366e2df7d0950b741ecb62d6efcd484062a08

SHA512
8fca64eb4a61663d6ef651d636a2112bc27e3ac4d2efa6f92651c5d5af5fd7cec509dd826c5a435a7011c9e61d871b120167fb97f873fb87bbb1cf6536c7d71c

Download Submit
C:\Users\Admin\AppData\Roaming\relegolas.exe

Filesize
160KB

MD5
93d5d7f8bb20cd7136234d0c4e0d7604

SHA1
e87114ebdb5cee471b987b22a453c4021b6998fc

SHA256
1c84e3fe90ab3d03b57a8239469f6ce605ed863f045853e30b0fe2221976f758

SHA512
19f2219268fdc38d60ce66ea100a105df95f196b7173569d64aca96afbad3dbde6d697dc526be50f3844df95d3be5d1ee446e92ef3888b91429913b9feb53688

Download Submit
C:\Users\Admin\AppData\Roaming\relegolas.exe

Filesize
9KB

MD5
c7623b1efe491f3a76cfd7e46d46bd47

SHA1
cfa828431b366b3c751487e06d8dc711561e76d2

SHA256
9be1c898501b3470e4f217d016ae0f8442cac5f59134cb2395ebd5deafbbf545

SHA512
d7e1c846058f26c29ed43a5a4200b6619d14f56bb0216ac99f7afb831f4da83f226f00fc805fda70b4c223888dabfa8564868de0cc40b8340b6b8837de65b1ae

Download Submit
C:\Users\Admin\AppData\Roaming\taskmgr.exe

Filesize
22KB

MD5
0e6d9437b881039844e40a4bc2b88c38

SHA1
0759780741fe14e6cb1d2fbd42683d9938c312ce

SHA256
bc02172ccf701e309ef453420f529dd1d35dd9984168fbc6dc827ba3da9e99c3

SHA512
9d0101f0c28059399f925f03b488092f7ddbd535d4b3f441d22620c475620da12f44c45d863e58dc2afab9b738a3e712ad0ea707ed424ed81db4b03d86a2b341

Download Submit
C:\Users\Admin\AppData\Roaming\taskmgr.exe

Filesize
34KB

MD5
072dbc15998f5bba034cc9881e0c3410

SHA1
d6815a26aa66764634af4412c3ceeb900510364c

SHA256
9a520a1be50b8bdef4f5a584a5fd4b8938ad9b31fe3dd81ef65417f65070c56a

SHA512
eb966df7a0d175fb16d11424c22a326f2cb0af1199a1720e610a705d16001a72e957065b9fce9f956c404d46ccc68e28562f2c4b83aae7490ba9bef6f9862947

Download Submit
C:\Users\Admin\AppData\Roaming\taskmgr.exe

Filesize
162KB

MD5
3ff2cb740746f766f257f7fe40182d61

SHA1
2d3351b75d0ea4bf18a3a1115d9c5a7debb26dca

SHA256
80d583a97e001c9a906b22765fbd5cded18fb9dfbc8249f8ddea219692c1b7fa

SHA512
191aa22273509670b6bcc8504707f6ab41efe71002df52e27281c5705de5ba7eefa4df5a003be3d3182822105e2c69fd69f90c9bffb8f03da85a5942335c34ee

Download Submit
memory/1416-43-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/1416-51-0x0000000000A60000-0x0000000000AD6000-memory.dmp

Filesize
472KB

Download
memory/1416-67-0x0000000000A60000-0x0000000000AD6000-memory.dmp

Filesize
472KB

Download
memory/1416-66-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1416-13-0x0000000000A60000-0x0000000000AD6000-memory.dmp

Filesize
472KB

Download
memory/1416-65-0x0000000000A60000-0x0000000000AD6000-memory.dmp

Filesize
472KB

Download
memory/1416-40-0x0000000000A60000-0x0000000000AD6000-memory.dmp

Filesize
472KB

Download
memory/1416-39-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1416-42-0x0000000000A60000-0x0000000000AD6000-memory.dmp

Filesize
472KB

Download
memory/1416-41-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1416-64-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1416-45-0x0000000000A60000-0x0000000000AD6000-memory.dmp

Filesize
472KB

Download
memory/1416-44-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1416-47-0x0000000000A60000-0x0000000000AD6000-memory.dmp

Filesize
472KB

Download
memory/1416-46-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1416-48-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1416-49-0x0000000000A60000-0x0000000000AD6000-memory.dmp

Filesize
472KB

Download
memory/1416-16-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/1416-50-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1416-52-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1416-53-0x0000000000A60000-0x0000000000AD6000-memory.dmp

Filesize
472KB

Download
memory/1416-55-0x0000000000A60000-0x0000000000AD6000-memory.dmp

Filesize
472KB

Download
memory/1416-54-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1416-57-0x0000000000A60000-0x0000000000AD6000-memory.dmp

Filesize
472KB

Download
memory/1416-56-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1416-59-0x0000000000A60000-0x0000000000AD6000-memory.dmp

Filesize
472KB

Download
memory/1416-58-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1416-61-0x0000000000A60000-0x0000000000AD6000-memory.dmp

Filesize
472KB

Download
memory/1416-60-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1416-62-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1416-63-0x0000000000A60000-0x0000000000AD6000-memory.dmp

Filesize
472KB

Download
memory/1536-38-0x0000000004B00000-0x0000000004B76000-memory.dmp

Filesize
472KB

Download
memory/1536-37-0x0000000004B00000-0x0000000004B76000-memory.dmp

Filesize
472KB

Download
memory/2208-0-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/2208-28-0x0000000000400000-0x00000000005EC000-memory.dmp

Filesize
1.9MB

Download