Analysis

- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/01/2024, 05:50
Static task: static1
Behavioral task behavioral1: sample 69a54a68512b406bb10f4ee129efb0a0.exe, resource win7-20231129-en
Behavioral task behavioral2: sample 69a54a68512b406bb10f4ee129efb0a0.exe, resource win10v2004-20231215-en (the signatures and IoCs below are from this run)
General

- Target: 69a54a68512b406bb10f4ee129efb0a0.exe
- Size: 1.0MB
- MD5: 69a54a68512b406bb10f4ee129efb0a0
- SHA1: e9b60b8eae1d28b90f4b8c60e862d8a979640533
- SHA256: 80b29c7ba8d66770d736268a9c1c145cb9e947bbba564953a63818f4b75057df
- SHA512: 0d6a836ba5613aff5f08c5776b345b036e4f95b3db6dbeb03e84e3366d807ad7762d5a4c2919ca14b0d80e061b42bbfc90c055c3b4815f7fa042a80f866beb1b
- SSDEEP: 24576:KlgFu58LljQYSa+Ze0Q7Jw1NCY+masfXfNMsgVIt:igFu5c7gZCVmVfXlMs2It
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing; Control Panel\International\Geo\Nation holds the user's country as a Windows GEOID.
- Key value queried by 69a54a68512b406bb10f4ee129efb0a0.exe: \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (3 IoCs)
- PID 3060: ƳƕƏƄȜ.exe
- PID 4980: vbc.exe
- PID 548: OWNBall07.5.exe

YARA rule upx (19 IoCs; only the rule name survived for this entry, the signature title did not)
- behavioral2/files/0x0007000000023208-30.dat
- behavioral2/files/0x0007000000023208-35.dat
- behavioral2/files/0x0007000000023208-37.dat
- behavioral2/memory/548-N-0x0000000000400000-0x00000000004C1000-memory.dmp for N in 39, 48, 50, 51, 53, 55, 57, 59, 61, 63, 65, 67, 69, 71, 73, 75 (16 dumps of the same 0x400000-0x4C1000 image region of PID 548, OWNBall07.5.exe)

Uses the VBS compiler for execution (1 TTP)
Note the process tree: what actually runs is csc.exe (the .NET C# compiler) with a generated response file from %TEMP%, and the vbc.exe executed later is a dropped file in C:\Users\Admin\AppData\Local\Temp, not the Visual Basic compiler under C:\Windows\Microsoft.NET.

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str) by ƳƕƏƄȜ.exe: \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Essentials = "C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe"
  The value name imitates a Microsoft product and the data points at an explorer.exe in the user's Temp directory, not C:\Windows\explorer.exe.

AutoIT Executable (15 IoCs)
AutoIT scripts compiled to PE executables.
- YARA rule autoit_exe on behavioral2/memory/548-N-0x0000000000400000-0x00000000004C1000-memory.dmp for N in 48, 50, 51, 53, 55, 57, 59, 61, 63, 65, 67, 69, 71, 73, 75 (the same PID 548 region that matches the upx rule, i.e. OWNBall07.5.exe is a UPX-packed AutoIt binary)

Suspicious use of SetThreadContext (1 IoC)
- PID 4160 (69a54a68512b406bb10f4ee129efb0a0.exe) set thread context of PID 4980 (vbc.exe), procid_target 92
  Combined with the parent's 14 writes into PID 4980 (WriteProcessMemory below) this is consistent with process hollowing: create a child, overwrite its image, redirect its thread.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 548: OWNBall07.5.exe

Suspicious use of AdjustPrivilegeToken (25 IoCs)
- PID 4160 (69a54a68512b406bb10f4ee129efb0a0.exe): SeDebugPrivilege
- PID 4980 (vbc.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and unresolved LUIDs 33, 34, 35, 36 (in winnt.h: SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege)
  vbc.exe enables essentially every privilege in an administrator token rather than the one it needs, the footprint of a loop that calls AdjustTokenPrivileges on every privilege present.

Suspicious use of FindShellTrayWindow (64 IoCs)
- PID 548: OWNBall07.5.exe (64 identical entries)

Suspicious use of SendNotifyMessage (64 IoCs)
- PID 548: OWNBall07.5.exe (64 identical entries)

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 4980: vbc.exe

Suspicious use of WriteProcessMemory (26 IoCs)
Writer PID -> target PID (writer image, procid_target), number of writes:
- 4160 -> 2620 (69a54a68512b406bb10f4ee129efb0a0.exe, 87), 3 writes
- 2620 -> 2532 (csc.exe, 90), 3 writes
- 4160 -> 3060 (69a54a68512b406bb10f4ee129efb0a0.exe, 91), 3 writes
- 4160 -> 4980 (69a54a68512b406bb10f4ee129efb0a0.exe, 92), 14 writes
- 4160 -> 548 (69a54a68512b406bb10f4ee129efb0a0.exe, 93), 3 writes
Every ordinary child in this run receives exactly three writes from its creator, so three is the baseline for a plain CreateProcess here; the 14 writes into vbc.exe, followed by SetThreadContext on it, are the hollowing.
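The sandbox prints each signature's IoCs as one flat run of repeated tuples (the WriteProcessMemory, SetThreadContext and AdjustPrivilegeToken entries above), which is awkward to pivot on by hand. The following Python is an added example, not the sandbox's own code: it parses that format into a write graph, a list of hollowing candidates (targets that were written to and then had a thread context replaced) and per-PID privilege sets. SAMPLE is a constructed, shortened run in the same format as this report's lines, and the names substituted for LUIDs 33-36 are the winnt.h values.

```python
"""Parse the flat IoC runs of a sandbox report into structured data.

Added example for this report, not the sandbox's code. SAMPLE is a constructed,
shortened run that follows the report's format exactly.
"""
import re
from collections import Counter, defaultdict

SAMPLE = """
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 4160 wrote to memory of 2620 4160 69a54a68512b406bb10f4ee129efb0a0.exe 87 PID 4160 wrote to memory of 2620 4160 69a54a68512b406bb10f4ee129efb0a0.exe 87 PID 2620 wrote to memory of 2532 2620 csc.exe 90 PID 4160 wrote to memory of 4980 4160 69a54a68512b406bb10f4ee129efb0a0.exe 92 PID 4160 wrote to memory of 4980 4160 69a54a68512b406bb10f4ee129efb0a0.exe 92
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4160 set thread context of 4980 4160 69a54a68512b406bb10f4ee129efb0a0.exe 92
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 4160 69a54a68512b406bb10f4ee129efb0a0.exe Token: SeDebugPrivilege 4980 vbc.exe Token: SeImpersonatePrivilege 4980 vbc.exe Token: 33 4980 vbc.exe
"""

# Each IoC reads "PID <src> <verb> <dst> <src> <image> <procid_target>"; the
# source PID appears twice because the sandbox prints its 'pid' column twice.
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) (\d+)")
TOKEN_RE = re.compile(r"Token: (\S+) (\d+) (\S+)")

# Privileges the sandbox leaves as bare LUIDs, resolved with winnt.h values.
PRIV_BY_LUID = {
    "33": "SeIncreaseWorkingSetPrivilege",
    "34": "SeTimeZonePrivilege",
    "35": "SeCreateSymbolicLinkPrivilege",
    "36": "SeDelegateSessionUserImpersonatePrivilege",
}


def parse(text):
    """Return write counts per (src, dst), image per PID, context edges, privileges per PID."""
    writes, images, contexts, privs = Counter(), {}, set(), defaultdict(set)
    for src, dst, img, _target_idx in WRITE_RE.findall(text):
        writes[(int(src), int(dst))] += 1
        images[int(src)] = img
    for src, dst, img, _target_idx in CTX_RE.findall(text):
        contexts.add((int(src), int(dst)))
        images[int(src)] = img
    for name, pid, img in TOKEN_RE.findall(text):
        privs[int(pid)].add(PRIV_BY_LUID.get(name, name))
        images[int(pid)] = img
    return {"writes": writes, "images": images, "contexts": contexts, "privs": dict(privs)}


def hollowing_candidates(parsed):
    """(writer, target) pairs where memory was written and a thread context then replaced."""
    return sorted(e for e in parsed["contexts"] if parsed["writes"].get(e, 0) > 0)


def write_graph(parsed):
    """writer PID -> [(target PID, write count)], ordered for stable output."""
    graph = defaultdict(list)
    for (src, dst), n in sorted(parsed["writes"].items()):
        graph[src].append((dst, n))
    return dict(graph)


if __name__ == "__main__":
    parsed = parse(SAMPLE)
    for src, targets in write_graph(parsed).items():
        print(src, parsed["images"].get(src), "->", targets)
    print("hollowing candidates:", hollowing_candidates(parsed))
    print("privileges:", parsed["privs"])
```

Run against the full report text the same regexes recover all 26 write entries and the 25 token entries; the write graph then reproduces the Processes tree below, with the 14-write edge into vbc.exe standing out from the 3-write edges.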
Processes

C:\Users\Admin\AppData\Local\Temp\69a54a68512b406bb10f4ee129efb0a0.exe (PID 4160)
  Command line: "C:\Users\Admin\AppData\Local\Temp\69a54a68512b406bb10f4ee129efb0a0.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID 2620)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4jxwvv0c.cmdline"
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2532)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES692B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC692A.tmp"

  C:\Users\Admin\AppData\Local\Temp\ƳƕƏƄȜ.exe (PID 3060)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ƳƕƏƄȜ.exe"
    - Executes dropped EXE
    - Adds Run key to start application

  C:\Users\Admin\AppData\Local\Temp\vbc.exe (PID 4980)
    Command line: C:\Users\Admin\AppData\Local\Temp\vbc.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\OWNBall07.5.exe (PID 548)
    Command line: "C:\Users\Admin\AppData\Local\Temp\OWNBall07.5.exe"
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
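The tree and signatures above give four behaviours worth turning into rules: a process from a user-writable directory invoking the .NET compiler with a generated .cmdline response file, a Run value whose data lives under the user profile, a Microsoft binary name (explorer.exe, vbc.exe) running from or referenced outside C:\Windows, and a parent writing into a child it created and then setting that child's thread context. The following Python is an added example, not the sandbox's detection code and not any product's log schema: the events are plain dicts constructed for the example, modelled on this report (the PID 2900 parent of the sample is invented, everything else is taken from the sections above), and the rules are deliberately simple heuristics.

```python
"""Behaviour rules over a constructed event stream mirroring this report.

Added example; the event schema is an assumption for the example, not Sysmon's
or the sandbox's format. EVENTS are constructed from the report's process tree.
"""
import ntpath
from collections import defaultdict

USER_TEMP = r"C:\Users\Admin\AppData\Local\Temp"          # from the report
SYSTEM_BINARIES = {"explorer.exe", "vbc.exe", "csc.exe", "cvtres.exe", "svchost.exe"}
WINDOWS_ROOT = r"c:\windows"

EVENTS = [
    {"type": "process_create", "pid": 4160, "ppid": 2900,            # ppid constructed
     "image": USER_TEMP + r"\69a54a68512b406bb10f4ee129efb0a0.exe", "cmdline": ""},
    {"type": "process_create", "pid": 2620, "ppid": 4160,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4jxwvv0c.cmdline"'},
    {"type": "process_create", "pid": 3060, "ppid": 4160,
     "image": USER_TEMP + r"\ƳƕƏƄȜ.exe", "cmdline": ""},
    {"type": "reg_set", "pid": 3060,
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Essentials",
     "data": USER_TEMP + r"\explorer.exe"},
    {"type": "process_create", "pid": 4980, "ppid": 4160,
     "image": USER_TEMP + r"\vbc.exe", "cmdline": ""},
    *[{"type": "write_process_memory", "pid": 4160, "target": 4980} for _ in range(14)],
    {"type": "set_thread_context", "pid": 4160, "target": 4980},
    {"type": "process_create", "pid": 548, "ppid": 4160,
     "image": USER_TEMP + r"\OWNBall07.5.exe", "cmdline": ""},
]


def is_user_writable(path):
    """Simplification for the example: the whole user profile counts as user-writable."""
    return path.lower().startswith("c:\\users\\")


def under_windows(path):
    return path.lower().startswith(WINDOWS_ROOT + "\\")


def masquerades(path):
    """A well-known Microsoft binary name located outside C:\\Windows."""
    return ntpath.basename(path).lower() in SYSTEM_BINARIES and not under_windows(path)


def evaluate(events):
    """Return sorted (rule, pid, detail) findings for an event list."""
    image, parent = {}, {}
    writes = defaultdict(int)          # (writer, target) -> count
    findings = set()
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            pid, img = ev["pid"], ev["image"]
            image[pid], parent[pid] = img, ev["ppid"]
            if masquerades(img):
                findings.add(("masquerade_system_binary", pid, img))
            name = ntpath.basename(img).lower()
            cmd = ev.get("cmdline", "").lower()
            # Real compiler, response-file invocation, launched from a user directory.
            if name in ("csc.exe", "vbc.exe") and under_windows(img) and "@" in cmd and ".cmdline" in cmd:
                parent_img = image.get(ev["ppid"], "")
                if is_user_writable(parent_img):
                    findings.add(("runtime_compile_from_user_dir", pid, parent_img))
        elif kind == "reg_set":
            if "\\currentversion\\run\\" in ev["key"].lower():
                if is_user_writable(ev["data"]):
                    findings.add(("run_key_into_user_dir", ev["pid"], ev["data"]))
                if masquerades(ev["data"]):
                    findings.add(("masquerade_system_binary", ev["pid"], ev["data"]))
        elif kind == "write_process_memory":
            writes[(ev["pid"], ev["target"])] += 1
        elif kind == "set_thread_context":
            writer, target = ev["pid"], ev["target"]
            # Parent wrote into a child it created, then redirected the child's thread.
            if parent.get(target) == writer and writes[(writer, target)] > 0:
                findings.add(("process_hollowing", writer,
                              f"target={target} after {writes[(writer, target)]} writes"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, pid, detail in evaluate(EVENTS):
        print(f"{rule:32} pid={pid} {detail}")
```

The hollowing rule keys on the creator relationship plus the write-then-SetThreadContext order; a single WriteProcessMemory is not enough, because the report shows every ordinary child receiving three writes from its creator. The masquerade rule fires twice here, once for the dropped vbc.exe process and once for the explorer.exe path written into the Run value.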
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize 215KB
- MD5: 140b803258b99fbca65c7b53eac293a9
- SHA1: 4d5e4977d2e4172fdc84d7097c867587c7ebc2ac
- SHA256: 6be5cd2f2ad1149373fa258e0dda41ec229c9bf93738bbf443cc8998d7e049fe
- SHA512: adb95d332298fe87aab6b57aa733f6954701a6ccd5c4354033e553f047e7bdcbca82e306bed30575b4fed422f3f1d5fd8338456bc719105e0297b617b3add0a4

Filesize 158KB
- MD5: 8efa6f5ede96903a18dc0523984a0175
- SHA1: 70dc1afa52a42d7049ec4b7b4b6c8d229f77b081
- SHA256: e1d9ccab412ac2cb12ee0cb9ad876b8fc402ddfdf30143e27ff1ce3013e16020
- SHA512: 9569dd021a826ac611b5c2564e0f96bc3f98098e806938ad4221449578a046cd521187dcd604d351e079fe3dc63acbe2c200fdcf15d61f4065a2d3cbf6fc725d

Filesize 248KB
- MD5: 3810438caa24ade28b6a997c3e768a4a
- SHA1: 229d27515421dd270bb562c8edc65b40812ccf48
- SHA256: ea836626b803640aa0eb813040f4880d075ba77e38f92d2009e5e109e375ea0a
- SHA512: 70130ffcc326d49169baf80640e75b3d0d5aa4381bf66f1f52e005f39bd9d3b4d3adb89e29e3dfbe665dded8e1e0dcb2c2ab529b3bc9df66426fc2b71616f5d2

Filesize 1KB
- MD5: 1de1f6498e67a0a66fe8c822babe6106
- SHA1: a1b5d2ad0df40b8b67bb7a088e58091bd68c711e
- SHA256: c0f178b69a450268b4414fee38fb724a8cab206acd9f9e70e1a18fe74cf6715c
- SHA512: 61fc957f85083451ed8df88caab5a0c07262692ce9091abf89ff39710f3f0a2f04ebbd3fd66cf5fb0bb26a942baecc0056a95deade9a1464aa23d0e9531bfc1c

Filesize 34KB
- MD5: e118330b4629b12368d91b9df6488be0
- SHA1: ce90218c7e3b90df2a3409ec253048bb6472c2fd
- SHA256: 3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9
- SHA512: ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Filesize 4KB
- MD5: 7a2f72f37f477545307762f6d11273c0
- SHA1: ffb4821621df853d8fa41b08648d0f0c648ef558
- SHA256: 06e6da1d819eb732fd880a4bd582fc97cfdeaa40dbcc4e569e5af4952771a00f
- SHA512: af88afa5480b786fb765e836aed3ebddec138de701aad314f4832f27d185dec09447ac6bbf43a6a15cc3bfc8c7200b330647478d91fa4394d5c7d1792591263a

Filesize 1KB
- MD5: ff633b592af11cb80f35b58901a1ec2d
- SHA1: fb2e0a6beae8b9cd23102aabed44778e4f5eecf5
- SHA256: e41802aa34ef5aae074052f7c774792cdedcd2d64cb3fed158a3a1c5554005ef
- SHA512: 3d4a1695af31238236a7211ce4df66b904fac151f9076972fc9e17a7b538abcaed96dc0def4e20b4d2bb9eb14ab50545bb7aa5f971c8cacf1d6243a66cc9b5c4

Filesize 263B
- MD5: b2912fc010d5c5fd0e6df63667aecc8d
- SHA1: 2481efa02d421543f908cd85031dea5c0949267e
- SHA256: ec4886c588c2b3da16674faaa8e1efaecbdf0ce25b2531435aaf8b76e43cabca
- SHA512: d5bf248de81683183ac551c000b1a0afd0ca8d05b08465e9eb85e408cb99683aef6b6258b7332ec80e4cd1353c671ec6e87a3dae83500668d3d8212431b48d4b

Filesize 636B
- MD5: cabe319c211b0235717de2ce3fa02ce0
- SHA1: d7e876e7b1a3d957e91bd927756f782704258247
- SHA256: 81cda2f92eaab8bce309a65f24e1e0a5fe753e352f5f3de122c15dbd1fce4c7e
- SHA512: 0f6a8cc6dea5fc33389a2323c0ee43334fd73e91424dcded01d5feb700d3fc112996f9511a914552e942de7c5541d2e011aee3ae1c30b580060af4b8b5421cc6