Analysis
-
max time kernel
142s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
15-01-2024 12:10
General
-
Target
file.exe
-
Size
9.4MB
-
MD5
db3edf03a8a2c8e96fe2d2deaaec76ff
-
SHA1
2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1
-
SHA256
a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60
-
SHA512
121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135
-
SSDEEP
98304:kT2OhoLUWeKqyubAguIYylB9RK0RU4lFp887VO0J/yLaeWwGvJldmxe:VOE/IYypvU4loRpK
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /TN "Timer"2⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM2⤵
- Creates scheduled task(s)
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
944B
MD567e8893616f805af2411e2f4a1411b2a
SHA139bf1e1a0ddf46ce7c136972120f512d92827dcd
SHA256ca0dfe104c1bf27f7e01999fcdabc16c6400c3da937c832c26bdbca322381d31
SHA512164e911a9935e75c8be1a6ec3d31199a16ba2a1064da6c09d771b2a38dd7fddd142301ef55d67d90f306d3a454a1ce7b72e129ea42e44500b9b8c623a8d98b4d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.2MB
MD5a2e21f7c020d0a025942f35136323780
SHA11ec9a4089e75fe214f4c477414c2858f65c3fdd3
SHA256ca1f8042d35976fd49c180079d2a31afb4053472df831e2c0c4870fcfd35dbb0
SHA512fb57613c330494503acf3b755750efb95273a209f6a9b2368b1b67f4078463dbc25043154d62eac5d96a92eeed335ca6834c8ca22fccc3af3d1eb9e8f0bb96c3
-
Filesize
836KB
MD54458d0c15800e8d28dac208213375adb
SHA116db65e3a998553fd0b4451da29d1056100f4f7f
SHA2560571a1dffee01a985645a8af33a1c2576e4f0e45b412e78c87a01a01101b07f4
SHA512b7c6d030fffac21c632fb96d215c37ec9664cdf27a0de914052a0ac860ff94728843335d7e098d5d6e5bc089aed41fb15b5b36d4a03e3cbe5ee874928d162e1a
-
Filesize
770KB
MD51d2a7606d922d3004e336736ad592e60
SHA1275beee048aa113c750f0a55829d681e07c83bb1
SHA256049d57fa40f9f2047339d75b9746d608fc18443b8061ec2cf38bff01a15875b0
SHA512acfb966368a8868d6b005feb2f1ac20dabc7f58ac68ef6ea03f433e1be752c06cf14e06a01591cf9767808734e0e0a8879fca87bee60eaa3baebd1fba45ee1ca
-
Filesize
10.4MB
-
Filesize
7.1MB
-
Filesize
10.4MB
-
Filesize
10.4MB
-
Filesize
10.4MB
-
Filesize
10.4MB
-
Filesize
10.4MB
-
Filesize
10.4MB
-
Filesize
10.4MB
-
Filesize
10.4MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
136KB