00deb73a1738a3b3bfd9504b70775d668581f504481c7f37c20831504f9b77aa

Analysis

max time kernel
149s
max time network
394s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

сентябрь 2023(570)/057e86a5c22e1d0cc4a2c0e189fb5f118859a2554afcb111ebc280af9dc05c75.exe
Size

609KB
MD5

725cf8ad8ed8f096e03cd373c8abde91
SHA1

c8fa598234529b94280bdb8fceeeeafe326f9575
SHA256

057e86a5c22e1d0cc4a2c0e189fb5f118859a2554afcb111ebc280af9dc05c75
SHA512

52bed1b613f897e6354b1c05d55880400937f288c8a7e32a3d4c15ce58e1efe25f7889114ccaf46626141491b862cfbb6f896c49ae200e686c70797617a07f8a
SSDEEP

12288:ICn9t5725IAGZ64fzBt3hQJ0FyqNI6EO96f4zU2c1MlBBW75NJiaxmwS:ICEQk4VzQJvqNI6vMwzU0XBfaxM

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	057e86a5c22e1d0cc4a2c0e189fb5f118859a2554afcb111ebc280af9dc05c75.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3988	3644	WerFault.exe	59

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5092	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3644	057e86a5c22e1d0cc4a2c0e189fb5f118859a2554afcb111ebc280af9dc05c75.exe
3644	057e86a5c22e1d0cc4a2c0e189fb5f118859a2554afcb111ebc280af9dc05c75.exe
3772	powershell.exe
3772	powershell.exe
3772	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3644	057e86a5c22e1d0cc4a2c0e189fb5f118859a2554afcb111ebc280af9dc05c75.exe
Token: SeDebugPrivilege	3772	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3644 wrote to memory of 3772	3644	057e86a5c22e1d0cc4a2c0e189fb5f118859a2554afcb111ebc280af9dc05c75.exe	92
PID 3644 wrote to memory of 3772	3644	057e86a5c22e1d0cc4a2c0e189fb5f118859a2554afcb111ebc280af9dc05c75.exe	92
PID 3644 wrote to memory of 3772	3644	057e86a5c22e1d0cc4a2c0e189fb5f118859a2554afcb111ebc280af9dc05c75.exe	92
PID 3644 wrote to memory of 5092	3644	057e86a5c22e1d0cc4a2c0e189fb5f118859a2554afcb111ebc280af9dc05c75.exe	94
PID 3644 wrote to memory of 5092	3644	057e86a5c22e1d0cc4a2c0e189fb5f118859a2554afcb111ebc280af9dc05c75.exe	94
PID 3644 wrote to memory of 5092	3644	057e86a5c22e1d0cc4a2c0e189fb5f118859a2554afcb111ebc280af9dc05c75.exe	94

C:\Users\Admin\AppData\Local\Temp\сентябрь 2023(570)\057e86a5c22e1d0cc4a2c0e189fb5f118859a2554afcb111ebc280af9dc05c75.exe
"C:\Users\Admin\AppData\Local\Temp\сентябрь 2023(570)\057e86a5c22e1d0cc4a2c0e189fb5f118859a2554afcb111ebc280af9dc05c75.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OsKZUclncCXlX.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3772
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OsKZUclncCXlX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD7CE.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:5092
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 1720
  2⤵
  - Program crash
  PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3644 -ip 3644
1⤵
PID:4600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iax5ywdx.vst.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD7CE.tmp

Filesize
1KB

MD5
6725a369927e839255e9f5daac3353cf

SHA1
6a72192f6590bfd2b981826856757db499bac2d3

SHA256
7674bc207561b148d526a3bde2001081c542172807bef07929c16b8b08fd8c46

SHA512
f12964a1379bb49a79367b89c99225a9e4bad38870bc46431e81c1b21c4e30df54a5f446a4a4f197e94c6ffb7c11b2511ac002d0223ee276564c4be7708f9817

Download Submit
memory/3644-6-0x00000000053D0000-0x000000000546C000-memory.dmp

Filesize
624KB

Download
memory/3644-3-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/3644-4-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/3644-5-0x00000000051F0000-0x00000000051FA000-memory.dmp

Filesize
40KB

Download
memory/3644-2-0x00000000057D0000-0x0000000005D74000-memory.dmp

Filesize
5.6MB

Download
memory/3644-7-0x0000000005580000-0x0000000005590000-memory.dmp

Filesize
64KB

Download
memory/3644-8-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/3644-9-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/3644-10-0x00000000057A0000-0x00000000057AC000-memory.dmp

Filesize
48KB

Download
memory/3644-11-0x0000000007110000-0x000000000718C000-memory.dmp

Filesize
496KB

Download
memory/3644-37-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/3644-0-0x00000000006C0000-0x000000000075E000-memory.dmp

Filesize
632KB

Download
memory/3644-1-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/3772-24-0x00000000056D0000-0x0000000005736000-memory.dmp

Filesize
408KB

Download
memory/3772-51-0x00000000064A0000-0x00000000064BE000-memory.dmp

Filesize
120KB

Download
memory/3772-21-0x0000000004FC0000-0x00000000055E8000-memory.dmp

Filesize
6.2MB

Download
memory/3772-22-0x0000000004F40000-0x0000000004F62000-memory.dmp

Filesize
136KB

Download
memory/3772-23-0x0000000005660000-0x00000000056C6000-memory.dmp

Filesize
408KB

Download
memory/3772-18-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/3772-17-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/3772-34-0x0000000005980000-0x0000000005CD4000-memory.dmp

Filesize
3.3MB

Download
memory/3772-35-0x0000000005F00000-0x0000000005F1E000-memory.dmp

Filesize
120KB

Download
memory/3772-36-0x0000000005F50000-0x0000000005F9C000-memory.dmp

Filesize
304KB

Download
memory/3772-16-0x0000000004950000-0x0000000004986000-memory.dmp

Filesize
216KB

Download
memory/3772-38-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/3772-40-0x00000000064D0000-0x0000000006502000-memory.dmp

Filesize
200KB

Download
memory/3772-19-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/3772-41-0x000000006EDE0000-0x000000006EE2C000-memory.dmp

Filesize
304KB

Download
memory/3772-39-0x000000007F050000-0x000000007F060000-memory.dmp

Filesize
64KB

Download
memory/3772-52-0x0000000007100000-0x00000000071A3000-memory.dmp

Filesize
652KB

Download
memory/3772-54-0x0000000007210000-0x000000000722A000-memory.dmp

Filesize
104KB

Download
memory/3772-53-0x0000000007850000-0x0000000007ECA000-memory.dmp

Filesize
6.5MB

Download
memory/3772-55-0x0000000007280000-0x000000000728A000-memory.dmp

Filesize
40KB

Download
memory/3772-56-0x0000000007490000-0x0000000007526000-memory.dmp

Filesize
600KB

Download
memory/3772-57-0x0000000007410000-0x0000000007421000-memory.dmp

Filesize
68KB

Download
memory/3772-58-0x0000000007440000-0x000000000744E000-memory.dmp

Filesize
56KB

Download
memory/3772-59-0x0000000007450000-0x0000000007464000-memory.dmp

Filesize
80KB

Download
memory/3772-61-0x0000000007530000-0x0000000007538000-memory.dmp

Filesize
32KB

Download
memory/3772-60-0x0000000007550000-0x000000000756A000-memory.dmp

Filesize
104KB

Download
memory/3772-64-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download