b06a7de629b646ca4ed7199e522f38db50607784335ba7d7fc716077491532bf

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10/01/2024, 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51f087b4613d27433d8cfcb125ae49d9.exe
Size

344KB
MD5

51f087b4613d27433d8cfcb125ae49d9
SHA1

56c07063e8453f0b2a36ec6b36570ba3afe103d4
SHA256

b06a7de629b646ca4ed7199e522f38db50607784335ba7d7fc716077491532bf
SHA512

cadb48749602dab3b377949f885d6db1da37926777da1cc14ddb8558379151cfa32d6052ae0e2699a339b87470c54c97b7ab32f2bf303afda8b6a29013069038
SSDEEP

6144:7AjK6l+wlbl3nrZ3ySYi7yjb3TgR4e9Rud3KRmY3PbJQX9zfAxkFfiSCRZRmF9:826l+EbNnrxySYiWgHjRmYfsiSKmF9

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1932	taskenv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysclean = "C:\\ProgramData\\TSBKFJQM\\taskenv.exe"	taskenv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysclean = "C:\\ProgramData\\TSBKFJQM\\taskenv.exe"	51f087b4613d27433d8cfcb125ae49d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysclean = "C:\\ProgramData\\TSBKFJQM\\taskenv.exe"	51f087b4613d27433d8cfcb125ae49d9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysclean = "C:\\ProgramData\\TSBKFJQM\\taskenv.exe"	taskenv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskenv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	taskenv.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1932	taskenv.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1476	51f087b4613d27433d8cfcb125ae49d9.exe
1932	taskenv.exe
1932	taskenv.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 1932	1476	51f087b4613d27433d8cfcb125ae49d9.exe	20
PID 1476 wrote to memory of 1932	1476	51f087b4613d27433d8cfcb125ae49d9.exe	20
PID 1476 wrote to memory of 1932	1476	51f087b4613d27433d8cfcb125ae49d9.exe	20

C:\Users\Admin\AppData\Local\Temp\51f087b4613d27433d8cfcb125ae49d9.exe
"C:\Users\Admin\AppData\Local\Temp\51f087b4613d27433d8cfcb125ae49d9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1476
- C:\ProgramData\TSBKFJQM\taskenv.exe
  C:\ProgramData\TSBKFJQM\taskenv.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks processor information in registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TSBKFJQM\system.zip

Filesize
206B

MD5
cd4db47ad48facebe2385f585753ffbe

SHA1
996d2630928b30f492230e1977c72e06261d7c7d

SHA256
62481d06c721fafd2d574f759f8dcb67196a4d13cdfef52f2bba7bed5fae8f40

SHA512
5041c4e377d353bc0651eb2d753f16d76a10ec6a0b69e57c4e9150bf476cfcbfa02d87559d8ee8d32d0665202e66b40969c65fb73dbf0d201c852b28ef7fc09f

Download Submit
C:\ProgramData\TSBKFJQM\taskenv.exe

Filesize
212KB

MD5
f651d06be4944c711446cf90e86de649

SHA1
559f62b351e408e1fe60362dd3ebc7f8e0de85e5

SHA256
f20c2c3c39420a9d03a33f231ef414df6a05c2dd2b5eab945c2f5cb89670d3c5

SHA512
37ea39a89d32e3f635dc936a22af05829794f49c22a4b74d4365d41fd49d51f9848d5288e08c3e701e6598c3056cb510bdb31cc8789fae64f64bca3123af35ac

Download Submit
C:\ProgramData\TSBKFJQM\taskenv.exe

Filesize
175KB

MD5
635590626b8f424568693e042f66f317

SHA1
c748ae064b22b3dab110922ed940403e1db2d2a3

SHA256
a534b133fcaeddb66edcf8184f8d30a27a28f383d4655fc83ddd2c636989da6b

SHA512
0f7dfdb255a6b72c84afab4fd7aaf970d98a75af0642aa2d4bf83247399b7fa12e4d94a4ca0aebc85ccc6f8823f5c63d52855306e0daee161b59d6e8b7f55815

Download Submit
C:\ProgramData\TSBKFJQM\win01102024233940960.sys

Filesize
6KB

MD5
5414ad5544cb94e62868d1bd7063c690

SHA1
44b02adf5b729011930433defded25f8bbda0ee5

SHA256
e4b80f5e53b991a64823770c88085c4554648989f56f68dbcd5775dbe5744dd7

SHA512
dd355d3293d2fb6099fca8a74721339835681e4c84c501090bca3b62eccf8b143a50e73d8f4bee99645e0140cc961bd5723d58b03aead2fd81139c4b2f11c517

Download Submit
memory/1476-0-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads