9594160451608088b8e987328f0b13fb77d59bc99d27c4faad97e2ad834c5a65

Analysis

max time kernel
160s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2024 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f48ff00102947acd17461bd8cbca9b71.exe
Size

857KB
MD5

f48ff00102947acd17461bd8cbca9b71
SHA1

ee356bc7752fdfe88ae3d5b1decf7e9008ca9223
SHA256

9594160451608088b8e987328f0b13fb77d59bc99d27c4faad97e2ad834c5a65
SHA512

3a9ddd74109aa17fdb2e6724817e96ad707c01f5e78804712c3201c0026f3de9fe103d3894b5682abf24110b6aeaf0ec2729d2c062eac6f6d7b2e299a1cfaa5a
SSDEEP

24576:mD3s67DbEXHWA8u5Hhfyip26+rVgINQu1I/N:4X7cXHOM+rKINQlN

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	f48ff00102947acd17461bd8cbca9b71.exe

Executes dropped EXE 2 IoCs

pid	Process
4904	Olive.pif
1488	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4484	schtasks.exe
4076	schtasks.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1424	tasklist.exe
1860	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4048	PING.EXE

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
4904	Olive.pif
4904	Olive.pif
4904	Olive.pif
4904	Olive.pif
4904	Olive.pif
4904	Olive.pif
4904	Olive.pif
4904	Olive.pif
4904	Olive.pif
4904	Olive.pif
4904	Olive.pif
4904	Olive.pif
4904	Olive.pif
4904	Olive.pif
4904	Olive.pif
4904	Olive.pif
4904	Olive.pif
4904	Olive.pif
4904	Olive.pif
4904	Olive.pif
4904	Olive.pif
4904	Olive.pif
4904	Olive.pif
4904	Olive.pif
4904	Olive.pif
4904	Olive.pif
4904	Olive.pif
4904	Olive.pif
4904	Olive.pif
4904	Olive.pif
1488	RegAsm.exe
1488	RegAsm.exe
4904	Olive.pif
4904	Olive.pif

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1424	tasklist.exe
Token: SeDebugPrivilege	1860	tasklist.exe
Token: SeBackupPrivilege	2068	vssvc.exe
Token: SeRestorePrivilege	2068	vssvc.exe
Token: SeAuditPrivilege	2068	vssvc.exe
Token: SeDebugPrivilege	1488	RegAsm.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4904	Olive.pif
4904	Olive.pif
4904	Olive.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4904	Olive.pif
4904	Olive.pif
4904	Olive.pif

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1488	RegAsm.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 1484	4416	f48ff00102947acd17461bd8cbca9b71.exe	92
PID 4416 wrote to memory of 1484	4416	f48ff00102947acd17461bd8cbca9b71.exe	92
PID 4416 wrote to memory of 1484	4416	f48ff00102947acd17461bd8cbca9b71.exe	92
PID 1484 wrote to memory of 1160	1484	cmd.exe	94
PID 1484 wrote to memory of 1160	1484	cmd.exe	94
PID 1484 wrote to memory of 1160	1484	cmd.exe	94
PID 1160 wrote to memory of 1424	1160	cmd.exe	96
PID 1160 wrote to memory of 1424	1160	cmd.exe	96
PID 1160 wrote to memory of 1424	1160	cmd.exe	96
PID 1160 wrote to memory of 1144	1160	cmd.exe	97
PID 1160 wrote to memory of 1144	1160	cmd.exe	97
PID 1160 wrote to memory of 1144	1160	cmd.exe	97
PID 1160 wrote to memory of 1860	1160	cmd.exe	99
PID 1160 wrote to memory of 1860	1160	cmd.exe	99
PID 1160 wrote to memory of 1860	1160	cmd.exe	99
PID 1160 wrote to memory of 4140	1160	cmd.exe	100
PID 1160 wrote to memory of 4140	1160	cmd.exe	100
PID 1160 wrote to memory of 4140	1160	cmd.exe	100
PID 1160 wrote to memory of 4496	1160	cmd.exe	101
PID 1160 wrote to memory of 4496	1160	cmd.exe	101
PID 1160 wrote to memory of 4496	1160	cmd.exe	101
PID 1160 wrote to memory of 2556	1160	cmd.exe	102
PID 1160 wrote to memory of 2556	1160	cmd.exe	102
PID 1160 wrote to memory of 2556	1160	cmd.exe	102
PID 1160 wrote to memory of 4888	1160	cmd.exe	103
PID 1160 wrote to memory of 4888	1160	cmd.exe	103
PID 1160 wrote to memory of 4888	1160	cmd.exe	103
PID 1160 wrote to memory of 4904	1160	cmd.exe	104
PID 1160 wrote to memory of 4904	1160	cmd.exe	104
PID 1160 wrote to memory of 4048	1160	cmd.exe	105
PID 1160 wrote to memory of 4048	1160	cmd.exe	105
PID 1160 wrote to memory of 4048	1160	cmd.exe	105
PID 4904 wrote to memory of 4484	4904	Olive.pif	106
PID 4904 wrote to memory of 4484	4904	Olive.pif	106
PID 4904 wrote to memory of 3604	4904	Olive.pif	107
PID 4904 wrote to memory of 3604	4904	Olive.pif	107
PID 3604 wrote to memory of 4076	3604	cmd.exe	109
PID 3604 wrote to memory of 4076	3604	cmd.exe	109
PID 4904 wrote to memory of 1488	4904	Olive.pif	118
PID 4904 wrote to memory of 1488	4904	Olive.pif	118
PID 4904 wrote to memory of 1488	4904	Olive.pif	118
PID 4904 wrote to memory of 1488	4904	Olive.pif	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f48ff00102947acd17461bd8cbca9b71.exe
"C:\Users\Admin\AppData\Local\Temp\f48ff00102947acd17461bd8cbca9b71.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k cmd < Maintains & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1160
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1424
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:1144
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1860
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe"
      4⤵
      PID:4140
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c mkdir 9868
      4⤵
      PID:4496
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Sold + Transfer + Restructuring + Configure + Reflection + Week 9868\Olive.pif
      4⤵
      PID:2556
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Kiss + Nine 9868\c
      4⤵
      PID:4888
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\9868\Olive.pif
      9868\Olive.pif 9868\c
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4904
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks.exe /create /tn "CloudRift" /tr "wscript 'C:\Users\Admin\AppData\Local\CloudShift Innovations\CloudRift.js'" /sc onlogon /F /RL HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:4484
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c schtasks.exe /create /tn "Cannon" /tr "wscript 'C:\Users\Admin\AppData\Local\CloudShift Innovations\CloudRift.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3604
      - C:\Windows\system32\schtasks.exe
        
        schtasks.exe /create /tn "Cannon" /tr "wscript 'C:\Users\Admin\AppData\Local\CloudShift Innovations\CloudRift.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:4076
    - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\9868\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\9868\RegAsm.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1488
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 15 localhost
      4⤵
      Runs ping.exe
      PID:4048

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\9868\Olive.pif

Filesize
1.0MB

MD5
bfa84dbde0df8f1cad3e179bd46a6e34

SHA1
06ae3c38d4b2f8125656268925ebde9eca6a1f9e

SHA256
6de412b8674ffba5d78ff9d36abffbe2cf86fd08b2231592fca2fcf41f1f2314

SHA512
edd4c839437570003e1cc4a04e6cb7bf8c70c0ebdae741e69782e9bdf47c42441cd8d709170898859b94b3248cccf0e9dfa5e183c110b93ded935ce69a0ff82a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\9868\RegAsm.exe

Filesize
63KB

MD5
a4eb36bae72c5cb7392f2b85609d4a7e

SHA1
5c58053a3a18c0226b98a4ac7e7320581300b6c9

SHA256
dc45704ba97d974d157c1c4a27dba402afa595eac2468d8def2ee8d0a2ee9a81

SHA512
8ebdd20b7c1ee87aa3766d812960b0d8cfa0a6ba6e371f730e589895d202dd540eb475f69940261c1532e90d1030370e9eb5102cadbf6e546f99b350de79b95a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\9868\c

Filesize
502KB

MD5
b601297c8556e18dcb09cff5577c02d1

SHA1
644ca389b0591e21170ee2891e462d44eb52afd5

SHA256
72e72cb7783ca14aa3ec4e9b7e9a79eb8a0669c7b27ca5ef452a85c5823fe8e0

SHA512
189b00a1aea74bb13fff24e9190980e66e1eeb2b019fed34be5a1060bc5424ae689338bb47d068fa0409c5c40889119de770d31c25a30f30da3f8189e558c0f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Configure

Filesize
122KB

MD5
cb44bfe40c06621b415bc9f8d303ab69

SHA1
dad52fb68862474ee95169861f6ae78c240c75bd

SHA256
fe542b539cd0492d4e5b1a23acb91fdb0dd787f0b141040057328f62fe521ac6

SHA512
80cd711d08dafc6401cadf922dda09fb850b55f17b0f69514de7abec3b9eed8f2e215602d63f97637fe68bc9db9c9d6659f00a3dd15d6ff3adde42db572c4105

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Kiss

Filesize
450KB

MD5
a7d0568948a1f1a1ba8956cb912155b2

SHA1
63b345c9cf9ae6401693be256356bd2836428c95

SHA256
1cf9a255e918b1b9d666d056346e769b669f319cfdc796b71ac62561bd11d007

SHA512
fc7a748f0584f661e9f48bbcf8cdc10e5643ec9d13be0d7031f41d167cfe50f8e2b265fc86414ef86796174068d668c57ef5cf452bb5a086a3466319f3d5f02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Maintains

Filesize
12KB

MD5
87d218807ae95a7b05552592cbaebfe8

SHA1
08c8ef1cbeb8d326b78c9fb1e1a18b5241180650

SHA256
7b1445f9b72648472ac915e26aae0019507400af5067a41bdfb1d9c4fcd9a9e1

SHA512
39b3655abc32706e2ee582d48c254a0a0a7de34e7a7d997b6b1b5dce39bdb4792de6edfe5ce2dbc575900a111011f5ff38145811243cba3a2ae2d2f461583817

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Nine

Filesize
52KB

MD5
24a07355c277797698e51afbee36ed74

SHA1
cbf67b76c41e2d208ee874fd04507b956b4d8050

SHA256
ef50d54460ee19ba5ec677d3012aabda76ff4fb1e12a4245d37aa980592b1d87

SHA512
28986c4e68d9010de1c226ff25fdd2d9e4640519bebfdabae1efc6703d696aeb61bf5e84662076ec3432636943027a72cc8b03264bd605a89b8013eb0bb30078

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Reflection

Filesize
234KB

MD5
d0ab06e781ba44d4bd673c8268a716b9

SHA1
90140168a536e7fe25232e961f673e38553e6f15

SHA256
a63aa16f38cb47668359be4b774d9ebf5b08d7b1bdbb09e104d6de0d250cdd4a

SHA512
08cee1e4b3e47e3539afbab8cc393806da2ca21386deb380a7b5d2f6639fb80298f29a2c18d6931fece5a87a3f56c3b559c44ab423e15811afbd69f582750504

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Restructuring

Filesize
211KB

MD5
9e70f6828f507b6c6f12b51653887f66

SHA1
1a6625f1bf0bab012ecaadf4bd99531fe8ccb54e

SHA256
3c14a3923545dde896bf2b4949371228a262f824e7ad8c5329914d59cb2b06ce

SHA512
c1537c9464eef4b5c930bc6e12c9b75ef8484782157b02036ef7fad353e2c7dd26af2047b9fda595b1ca5b0312bdacfd9c840839ea7ef662f3ede165526ccdf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sold

Filesize
213KB

MD5
7ca758d842a23282b89528f6a3a023d6

SHA1
1d83cb4e6b5bc20074816da43c557a50398757d3

SHA256
4428bf92a31c3402acb545b5adc77fda40a981d2e02af8eef564da17e8a0a2ea

SHA512
445104619f4d0d0212097f74c576c964f732faf9cbd741a909b18eeff94d905461cdff4ffe99aef5f4813cf89f5a6d7bfd95df961cb863720bf52c0cf57958ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Transfer

Filesize
244KB

MD5
fa66d6c83acd423aa5aef3914d79e93f

SHA1
400aeb5603d5b0e7c5a51b289031acb9e98dd72b

SHA256
cdada94452b52ccf4d9b9818fa0c054d85ed9d815874f5be737d0fcec4dc4156

SHA512
0a24c415aace1bf7bbdbdf24341491e497370758d15aa81627f346ce9badd907e0d0a7a9ba74822cc5753e65949024feb05cdd6bd3e5bd4655fbb2ed4cae8634

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Week

Filesize
22KB

MD5
85ae7a4cc929425a9b20a976a42a9b0e

SHA1
7020e64b403bb9e11773bf2304c769f940fabf2d

SHA256
1156ceaef3d94c3a46c25508978766a6e5376c2130af0f4d2084f656f86a5a3a

SHA512
47734cf377b8bd6bd381a26e6c8159b87e412fbf18763729f07bca29606a5e08d574bf1e9a8055889aba89a8b7e43a5ac64c659a814a427bf90175ea731b159b

Download Submit
memory/1488-40-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1488-43-0x00007FFCA6460000-0x00007FFCA6F21000-memory.dmp

Filesize
10.8MB

Download
memory/1488-44-0x000001BA1E370000-0x000001BA1E380000-memory.dmp

Filesize
64KB

Download
memory/1488-45-0x00007FFCA6460000-0x00007FFCA6F21000-memory.dmp

Filesize
10.8MB

Download
memory/1488-46-0x000001BA1E370000-0x000001BA1E380000-memory.dmp

Filesize
64KB

Download
memory/4416-0-0x0000000077AA1000-0x0000000077BC1000-memory.dmp

Filesize
1.1MB

Download
memory/4904-38-0x0000024ABFC90000-0x0000024ABFC91000-memory.dmp

Filesize
4KB

Download