Analysis
max time kernel
148s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags
arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted
06/01/2024, 10:21
Static task
static1
Behavioral task
behavioral1
Sample
abb84f7bbcc5585765153cd445c8c07d.exe
Resource
win7-20231215-en
General
Target
abb84f7bbcc5585765153cd445c8c07d.exe
Size
1.1MB
MD5
abb84f7bbcc5585765153cd445c8c07d
SHA1
69707e556ebd88aec6414c0c5a481b235ad2eead
SHA256
149e9d049c83abff4843e0fab7f6cde552aef61e32a53d61e76f6c5adc3db25f
SHA512
12752cdde51c29b3fb4afc16405881681f06e3f4abc8b4912c35f366af6d2bc84ae321110a6ee11f1b8d0ab557975c9892ca0977b149c59f24735c0076d33a38
SSDEEP
12288:TGPoV34JStlA/afwCtrduIyCuUy21lbyOuJOmBws5o8pewY3:T0uqipuIySjQes5oSel
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation
Process: abb84f7bbcc5585765153cd445c8c07d.exe

Executes dropped EXE (2 IoCs)
pid: 1244  Process: Tayz Woofer.exe
pid: 3832  Process: SecurityHealthService.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DHCP Service = "C:\\Program Files\\DHCP Service\\dhcpsvc.exe"
Process: SecurityHealthService.exe

Checks whether UAC is enabled
description: Key value queried
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: SecurityHealthService.exe

Drops file in Program Files directory (2 IoCs)
description: File created
ioc: C:\Program Files\DHCP Service\dhcpsvc.exe
Process: SecurityHealthService.exe
description: File opened for modification
ioc: C:\Program Files\DHCP Service\dhcpsvc.exe
Process: SecurityHealthService.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid: 4860  Process: schtasks.exe
pid: 4108  Process: schtasks.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid: 3832  Process: SecurityHealthService.exe
pid: 3832  Process: SecurityHealthService.exe
pid: 3832  Process: SecurityHealthService.exe
pid: 3832  Process: SecurityHealthService.exe
pid: 3832  Process: SecurityHealthService.exe
pid: 3832  Process: SecurityHealthService.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid: 3832  Process: SecurityHealthService.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description: Token: SeDebugPrivilege  pid: 3832  Process: SecurityHealthService.exe
description: Token: SeDebugPrivilege  pid: 3832  Process: SecurityHealthService.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2364 wrote to memory of 1244 | 2364 | abb84f7bbcc5585765153cd445c8c07d.exe | 95
PID 2364 wrote to memory of 1244 | 2364 | abb84f7bbcc5585765153cd445c8c07d.exe | 95
PID 2364 wrote to memory of 3832 | 2364 | abb84f7bbcc5585765153cd445c8c07d.exe | 97
PID 2364 wrote to memory of 3832 | 2364 | abb84f7bbcc5585765153cd445c8c07d.exe | 97
PID 3832 wrote to memory of 4860 | 3832 | SecurityHealthService.exe | 107
PID 3832 wrote to memory of 4860 | 3832 | SecurityHealthService.exe | 107
PID 3832 wrote to memory of 4108 | 3832 | SecurityHealthService.exe | 109
PID 3832 wrote to memory of 4108 | 3832 | SecurityHealthService.exe | 109

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\abb84f7bbcc5585765153cd445c8c07d.exe
  "C:\Users\Admin\AppData\Local\Temp\abb84f7bbcc5585765153cd445c8c07d.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 2364
    C:\Users\Admin\AppData\Local\Temp\Tayz Woofer.exe
      "C:\Users\Admin\AppData\Local\Temp\Tayz Woofer.exe"
      - Executes dropped EXE
      PID: 1244
    C:\Users\Admin\AppData\Local\Temp\SecurityHealthService.exe
      "C:\Users\Admin\AppData\Local\Temp\SecurityHealthService.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 3832
        C:\Windows\SYSTEM32\schtasks.exe
          "schtasks.exe" /create /f /tn "DHCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8812.tmp"
          - Creates scheduled task(s)
          PID: 4860
        C:\Windows\SYSTEM32\schtasks.exe
          "schtasks.exe" /create /f /tn "DHCP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8F56.tmp"
          - Creates scheduled task(s)
          PID: 4108
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
533KB
MD5
a632a39ffdce2f2de984c6992d188986
SHA1
7a1bb8fea06c819b7e575f9ef431af09151837eb
SHA256
6800905847788c228e211fd1086dad6a20aa745d1351c0bd43d5f89aa58b1c9e
SHA512
a7a6f0bc2448f3222652882893c9b14e21f073dce0dc0509c534bd0e1219a8860278be485a1b41333f7b9dc969431aacd54701f4ca7eb9d615ffdf192452244b

Filesize
567KB
MD5
8a172477569fd0f1b554ecaa42a59d9d
SHA1
58adf1c1f27215d13e280364c15008df293d90fb
SHA256
391915fb3b7aa3df83c7d95c0867e3d24ee8906e657344666bbd87ea4e61a82a
SHA512
8aae52a6af70795cc938a7ad107bfa2ab383ea2f8f86777ac2084eba0bbac6175bbe432569a8706541122b9dc417748f5fe54e829ddd77be0b7a6b5c26999a85

Filesize
1KB
MD5
03622b0c91662ec4ada74d25f655232f
SHA1
7272a7d3acd8726fa58987ad322fa06ce7a23208
SHA256
68a618959190a38c260d20dde35209ed7c8f8ef336c8f6af4abdf416ea2e8b67
SHA512
6d6ddb25cf1a0793bcea2ce25e866db318400eef864c1608441c529ab094be604c9e98264219c933a2187ec63abc77124edddeb324744999872d150ce7e73dd2

Filesize
1KB
MD5
a1e72d32044df2250a28d62375b19f15
SHA1
f82e0131f1a1fcbf825544cd2cc25e28174c47ee
SHA256
b3e2fff6289e337bc83c056904dad620e5edc7f28ac3690ab4900f3ec90df799
SHA512
df04c1f421c3d2ed3c928e388aa068be0c3b1bd16348f2692a63c641ec6cd3b103525a8e39298566a395f863fc23a3e29cf2ae50f3e68b5ffba981241587a88b