Resubmissions
12-04-2024 14:13
240412-rjrz5aba72 812-04-2024 14:12
240412-rh8aqaba68 712-04-2024 14:05
240412-rd9mzsea7x 812-04-2024 14:05
240412-rd82fsea7v 812-04-2024 14:05
240412-rd8exsea7t 809-04-2024 07:05
240409-hws9aacd6z 809-04-2024 07:05
240409-hwljfacd6x 809-04-2024 07:04
240409-hwbz1acd6t 809-04-2024 07:03
240409-hvcvxacd3y 815-01-2024 20:15
240115-y1q8gsfdf2 7Analysis
-
max time kernel
145s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
15-01-2024 20:15
General
-
Target
tmp.exe
-
Size
9.4MB
-
MD5
db3edf03a8a2c8e96fe2d2deaaec76ff
-
SHA1
2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1
-
SHA256
a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60
-
SHA512
121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135
-
SSDEEP
98304:kT2OhoLUWeKqyubAguIYylB9RK0RU4lFp887VO0J/yLaeWwGvJldmxe:VOE/IYypvU4loRpK
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /TN "Timer"2⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM2⤵
- Creates scheduled task(s)
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD534f595487e6bfd1d11c7de88ee50356a
SHA14caad088c15766cc0fa1f42009260e9a02f953bb
SHA2560f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d
SHA51210976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4gkou3f1.g2j.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Windows\System\svchost.exeFilesize
4.3MB
MD52a0c4744b2a4d94269b86c92684eed07
SHA1fc2628295c1b3088079d89296f77d6ca2df79fb1
SHA256528d1f180f8facc1fb98fa34f6fdcc94adbcfdcd15939f827d8b3a813ccb3610
SHA512a22e3ed7329ccbfae13f4960023197f3046f62f32ffb8a1b0456ba782f5f65d9993478548f3c099ef6663b06b2d296483788721b53b0a5828b8b23c5fe699aab
-
C:\Windows\System\svchost.exeFilesize
3.7MB
MD59eaa9be241ea3739d5113152c8e6cc30
SHA15ab4e0259b9bd044ac912085ee45dd7c491223f1
SHA2561a2aeb858e1825e80e88c07a6b69af541107b56606ab3f978ca9519b4e82a895
SHA512cacd816f5a18687545c3e2ff48879a6110001a9744f236502a3225e934b7ec84a723dcdb7357bc63cff1678b75e939c53e1c1e90ba7042b44cc9ac839b6faff9
-
C:\Windows\System\svchost.exeFilesize
4.7MB
MD515b638338ed29221ced29796347c3e99
SHA182c3c263b924e77bab38f0ed9f7217509d7d04bc
SHA256794c491eb93b9fc4a4606886718329230a433d09a2915eb093af14dc590034f8
SHA512431dad2f1f8be030ef822ad8300a4d817cad70be1773bd5cddeff5b4ba326939a8e4410726cbde29783561529f398a84268f99cc1d9f24ce8d510c523d02be15
-
memory/1192-48-0x0000000140000000-0x0000000140A64400-memory.dmpFilesize
10.4MB
-
memory/1192-82-0x0000000180000000-0x000000018070E000-memory.dmpFilesize
7.1MB
-
memory/1192-81-0x0000000140000000-0x0000000140A64400-memory.dmpFilesize
10.4MB
-
memory/1192-50-0x0000000140000000-0x0000000140A64400-memory.dmpFilesize
10.4MB
-
memory/4140-28-0x000001A195AD0000-0x000001A195AE0000-memory.dmpFilesize
64KB
-
memory/4140-27-0x000001A195AD0000-0x000001A195AE0000-memory.dmpFilesize
64KB
-
memory/4140-26-0x00007FFD01480000-0x00007FFD01F41000-memory.dmpFilesize
10.8MB
-
memory/4140-35-0x00007FFD01480000-0x00007FFD01F41000-memory.dmpFilesize
10.8MB
-
memory/4292-0-0x0000000140000000-0x0000000140A64400-memory.dmpFilesize
10.4MB
-
memory/4292-51-0x0000000140000000-0x0000000140A64400-memory.dmpFilesize
10.4MB
-
memory/4292-38-0x0000000140000000-0x0000000140A64400-memory.dmpFilesize
10.4MB
-
memory/4292-4-0x0000000140000000-0x0000000140A64400-memory.dmpFilesize
10.4MB
-
memory/4292-1-0x0000000140000000-0x0000000140A64400-memory.dmpFilesize
10.4MB
-
memory/4292-3-0x0000000140000000-0x0000000140A64400-memory.dmpFilesize
10.4MB
-
memory/4292-2-0x0000000140000000-0x0000000140A64400-memory.dmpFilesize
10.4MB
-
memory/4408-16-0x000002AC24C40000-0x000002AC24C50000-memory.dmpFilesize
64KB
-
memory/4408-36-0x00007FFD01480000-0x00007FFD01F41000-memory.dmpFilesize
10.8MB
-
memory/4408-29-0x000002AC24C40000-0x000002AC24C50000-memory.dmpFilesize
64KB
-
memory/4408-15-0x00007FFD01480000-0x00007FFD01F41000-memory.dmpFilesize
10.8MB
-
memory/4408-14-0x000002AC0C7B0000-0x000002AC0C7D2000-memory.dmpFilesize
136KB
-
memory/4472-66-0x00000222BF450000-0x00000222BF460000-memory.dmpFilesize
64KB
-
memory/4472-65-0x00007FFD01480000-0x00007FFD01F41000-memory.dmpFilesize
10.8MB
-
memory/4472-80-0x00007FFD01480000-0x00007FFD01F41000-memory.dmpFilesize
10.8MB
-
memory/5940-64-0x0000028E92B10000-0x0000028E92B20000-memory.dmpFilesize
64KB
-
memory/5940-62-0x0000028E92B10000-0x0000028E92B20000-memory.dmpFilesize
64KB
-
memory/5940-61-0x00007FFD01480000-0x00007FFD01F41000-memory.dmpFilesize
10.8MB
-
memory/5940-77-0x00007FFD01480000-0x00007FFD01F41000-memory.dmpFilesize
10.8MB