12782684d8480075ea8ece059fd7a364c46ab53bcf9094e44f5cfccd57d335cb

Analysis

max time kernel
90s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2024, 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c1dfafc437e8cb6b57dd0729cb39822.exe
Size

1.1MB
MD5

6c1dfafc437e8cb6b57dd0729cb39822
SHA1

92d61dc5bc58d94e3bc1d672e27bfe8133056b8a
SHA256

12782684d8480075ea8ece059fd7a364c46ab53bcf9094e44f5cfccd57d335cb
SHA512

d82a0a86d9dbe499ca3a7b62fbe447272746ae88202479b850701e01b2ea724acf6e8a35be6be04331bbdf37e2769c5d11a70cdf449a599273c533de3eee7638
SSDEEP

24576:d5nQlHDiGRXcIVofrYIfvJWPL1zY7zzXeic8DfNQKpyEeiTbZ:7IH2voT6n08TmOx/l

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4972	netsh.exe
4968	netsh.exe
2804	netsh.exe
2352	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	6c1dfafc437e8cb6b57dd0729cb39822.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 3 IoCs

pid	Process
4868	dc.exe
4568	svchost.exe
1556	dc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\System\xxx1.bak	svchost.exe
File opened for modification	C:\Windows\System\dc.exe	svchost.exe
File created	C:\Windows\System\xxx1.bak	6c1dfafc437e8cb6b57dd0729cb39822.exe
File opened for modification	C:\Windows\System\dc.exe	6c1dfafc437e8cb6b57dd0729cb39822.exe
File created	C:\Windows\System\svchost.exe	6c1dfafc437e8cb6b57dd0729cb39822.exe
File opened for modification	C:\Windows\System\svchost.exe	6c1dfafc437e8cb6b57dd0729cb39822.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3792	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4396	6c1dfafc437e8cb6b57dd0729cb39822.exe
4396	6c1dfafc437e8cb6b57dd0729cb39822.exe
4356	powershell.exe
4356	powershell.exe
2280	powershell.exe
2280	powershell.exe
2280	powershell.exe
4356	powershell.exe
4868	dc.exe
4868	dc.exe
4396	6c1dfafc437e8cb6b57dd0729cb39822.exe
4396	6c1dfafc437e8cb6b57dd0729cb39822.exe
4568	svchost.exe
4568	svchost.exe
4072	powershell.exe
4072	powershell.exe
4072	powershell.exe
3208	powershell.exe
3208	powershell.exe
3208	powershell.exe
1556	dc.exe
1556	dc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4356	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeDebugPrivilege	3208	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 4972	4396	6c1dfafc437e8cb6b57dd0729cb39822.exe	94
PID 4396 wrote to memory of 4972	4396	6c1dfafc437e8cb6b57dd0729cb39822.exe	94
PID 4396 wrote to memory of 4968	4396	6c1dfafc437e8cb6b57dd0729cb39822.exe	96
PID 4396 wrote to memory of 4968	4396	6c1dfafc437e8cb6b57dd0729cb39822.exe	96
PID 4396 wrote to memory of 4356	4396	6c1dfafc437e8cb6b57dd0729cb39822.exe	98
PID 4396 wrote to memory of 4356	4396	6c1dfafc437e8cb6b57dd0729cb39822.exe	98
PID 4396 wrote to memory of 2280	4396	6c1dfafc437e8cb6b57dd0729cb39822.exe	100
PID 4396 wrote to memory of 2280	4396	6c1dfafc437e8cb6b57dd0729cb39822.exe	100
PID 4396 wrote to memory of 4868	4396	6c1dfafc437e8cb6b57dd0729cb39822.exe	104
PID 4396 wrote to memory of 4868	4396	6c1dfafc437e8cb6b57dd0729cb39822.exe	104
PID 4396 wrote to memory of 4868	4396	6c1dfafc437e8cb6b57dd0729cb39822.exe	104
PID 4396 wrote to memory of 2900	4396	6c1dfafc437e8cb6b57dd0729cb39822.exe	105
PID 4396 wrote to memory of 2900	4396	6c1dfafc437e8cb6b57dd0729cb39822.exe	105
PID 4396 wrote to memory of 3792	4396	6c1dfafc437e8cb6b57dd0729cb39822.exe	107
PID 4396 wrote to memory of 3792	4396	6c1dfafc437e8cb6b57dd0729cb39822.exe	107
PID 4396 wrote to memory of 4568	4396	6c1dfafc437e8cb6b57dd0729cb39822.exe	109
PID 4396 wrote to memory of 4568	4396	6c1dfafc437e8cb6b57dd0729cb39822.exe	109
PID 4568 wrote to memory of 2804	4568	svchost.exe	112
PID 4568 wrote to memory of 2804	4568	svchost.exe	112
PID 4568 wrote to memory of 2352	4568	svchost.exe	114
PID 4568 wrote to memory of 2352	4568	svchost.exe	114
PID 4568 wrote to memory of 4072	4568	svchost.exe	116
PID 4568 wrote to memory of 4072	4568	svchost.exe	116
PID 4568 wrote to memory of 3208	4568	svchost.exe	119
PID 4568 wrote to memory of 3208	4568	svchost.exe	119
PID 4568 wrote to memory of 1556	4568	svchost.exe	120
PID 4568 wrote to memory of 1556	4568	svchost.exe	120
PID 4568 wrote to memory of 1556	4568	svchost.exe	120

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6c1dfafc437e8cb6b57dd0729cb39822.exe
"C:\Users\Admin\AppData\Local\Temp\6c1dfafc437e8cb6b57dd0729cb39822.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
  2⤵
  - Modifies Windows Firewall
  PID:4972
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
  2⤵
  - Modifies Windows Firewall
  PID:4968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2280
- C:\Windows\System\dc.exe
  "C:\Windows\System\dc.exe" /D
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4868
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /delete /TN "Timer"
  2⤵
  PID:2900
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
  2⤵
  - Creates scheduled task(s)
  PID:3792
- C:\Windows\System\svchost.exe
  "C:\Windows\System\svchost.exe" formal
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:2804
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:2352
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4072
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3208
- - C:\Windows\System\dc.exe
    "C:\Windows\System\dc.exe" /D
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
08cbb2e458889d02af1cca58b6f1b519

SHA1
14ef2e4a4053acd192fdfb7352b6f5dfcea4a46e

SHA256
bbb7ad4ee5117c78c45e1599ad151786a97879292d2d2d975b312d45d3fb1bc7

SHA512
91ec820019b3c21122b560b590bbce789c1584716dfbe3f8ac570635dd2be00a342fb85eef6e95a421beace0a486b7eaad1ac15326b87e73deac6504bd3f0af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x50q5uem.lzg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjgrflv

Filesize
108KB

MD5
07232b64be72593980cd952e8f85017e

SHA1
61dba57cc51f4501ace3520e2cf559d8e42e04d7

SHA256
ef342bcc3c938c2fa9b38bc84019d8dce94d018372f7d9c29a8ee7ff3f0fc3a8

SHA512
d5417f270e14fe3437c0d017e037117001377379475531b70f9d6840548dd830117fbf62c152c9af09f586bdf944edac330bc560cca4fa45105269319e7158cb

Download Submit
C:\Windows\System\dc.exe

Filesize
503KB

MD5
876971173e79228898c5e40090e95486

SHA1
97408d6495255d813937f9fc530414a9a07e4683

SHA256
10533820fca51cddcdb968565440b8675b87d810f982bd05d3ee8b91969237ea

SHA512
12bfaae3000d90fc70748dd286b34ef9aa7c91ecf3cf60ccc0bd4254957e1f00037af2ac4acf8c0d7c4fd43480f05e9005cde736a74e7b4004e19d9700599ca7

Download Submit
C:\Windows\System\dc.exe

Filesize
505KB

MD5
fc529ccea1de3f99794239d0f916ab61

SHA1
5d497c880d2fbb9057c4e16d30fb641e234d0f49

SHA256
ce4958675422c6c3582bedfaf7aaef4f0cb69b6cd1db4fba63a0eb6d206c012e

SHA512
24b97f2c9bc318f9152b65890c94161dd5f473c50fe2db06c723405f737d5ed49bbce1f8608344307aa594a257581d8a7772aa1e1a7d597bf8da97f2e3fc2957

Download Submit
C:\Windows\System\dc.exe

Filesize
196KB

MD5
6b00ea2b23f7031bf2e84ae454bf89a0

SHA1
d4f0b9b9b244d9c0b684dde2fc96c7bf65de657c

SHA256
a3d859daebee38fb6f9711cf123bf1cf7bc4a86ba50d41fadd1276c70a80b52f

SHA512
f82c981b4bf4255c712e3506333d6ca3777c357c3b163cca2ad29a8fe28f0039b1e711442041b612eaea6ee13042c131ca8e3102b70fcb8886b329d70fe6f400

Download Submit
C:\Windows\System\dc.exe

Filesize
763KB

MD5
0a50081a6cd37aea0945c91de91c5d97

SHA1
755309c6d9fa4cd13b6c867cde01cc1e0d415d00

SHA256
6606d759667fbdfaa46241db7ffb4839d2c47b88a20120446f41e916cad77d0b

SHA512
f0a4e9a3dc065df2182527b17077c822d4535db86bf61f5ee795ee469b15159560a8e81e60d3037f3de1bb38e92f0fc8a422c2656882650d699e2b96948f9846

Download Submit
C:\Windows\System\dc.exe

Filesize
283KB

MD5
dcb02caba636b40bf90d37f6732de87f

SHA1
79a860b242ec196892123cf0270101bb6720ebd9

SHA256
cc640e398fbd72683ca1114f4c690c7f2516f363bf62c956752ca09f9ea0f1b5

SHA512
4bbc91db94204c5cace9e29adbff5c3e2ae6c181fad7c2b20e4d383f28e92a328e9bb62ce9b6b6d6d16b63567ba6226ee7c343b4311dffc98617975ea0bd71cb

Download Submit
C:\Windows\System\svchost.exe

Filesize
1.1MB

MD5
6c1dfafc437e8cb6b57dd0729cb39822

SHA1
92d61dc5bc58d94e3bc1d672e27bfe8133056b8a

SHA256
12782684d8480075ea8ece059fd7a364c46ab53bcf9094e44f5cfccd57d335cb

SHA512
d82a0a86d9dbe499ca3a7b62fbe447272746ae88202479b850701e01b2ea724acf6e8a35be6be04331bbdf37e2769c5d11a70cdf449a599273c533de3eee7638

Download Submit
memory/2280-27-0x000001735ED70000-0x000001735ED80000-memory.dmp

Filesize
64KB

Download
memory/2280-26-0x000001735ED70000-0x000001735ED80000-memory.dmp

Filesize
64KB

Download
memory/2280-35-0x00007FFA80FD0000-0x00007FFA81A91000-memory.dmp

Filesize
10.8MB

Download
memory/2280-16-0x00007FFA80FD0000-0x00007FFA81A91000-memory.dmp

Filesize
10.8MB

Download
memory/3208-90-0x00007FFA80FD0000-0x00007FFA81A91000-memory.dmp

Filesize
10.8MB

Download
memory/3208-97-0x00007FFA80FD0000-0x00007FFA81A91000-memory.dmp

Filesize
10.8MB

Download
memory/3208-92-0x000002139B7A0000-0x000002139B7B0000-memory.dmp

Filesize
64KB

Download
memory/3208-91-0x000002139B7A0000-0x000002139B7B0000-memory.dmp

Filesize
64KB

Download
memory/4072-94-0x00007FFA80FD0000-0x00007FFA81A91000-memory.dmp

Filesize
10.8MB

Download
memory/4072-69-0x00000197E9470000-0x00000197E9480000-memory.dmp

Filesize
64KB

Download
memory/4072-68-0x00007FFA80FD0000-0x00007FFA81A91000-memory.dmp

Filesize
10.8MB

Download
memory/4072-70-0x00000197E9470000-0x00000197E9480000-memory.dmp

Filesize
64KB

Download
memory/4356-15-0x000001507FDE0000-0x000001507FDF0000-memory.dmp

Filesize
64KB

Download
memory/4356-28-0x000001507FDE0000-0x000001507FDF0000-memory.dmp

Filesize
64KB

Download
memory/4356-3-0x00007FFAA0426000-0x00007FFAA0428000-memory.dmp

Filesize
8KB

Download
memory/4356-34-0x00007FFA80FD0000-0x00007FFA81A91000-memory.dmp

Filesize
10.8MB

Download
memory/4356-9-0x00000150678C0000-0x00000150678E2000-memory.dmp

Filesize
136KB

Download
memory/4356-14-0x00007FFA80FD0000-0x00007FFA81A91000-memory.dmp

Filesize
10.8MB

Download
memory/4396-55-0x0000000140000000-0x000000014021D400-memory.dmp

Filesize
2.1MB

Download
memory/4396-0-0x0000000140000000-0x000000014021D400-memory.dmp

Filesize
2.1MB

Download
memory/4396-67-0x0000000140000000-0x000000014021D400-memory.dmp

Filesize
2.1MB

Download
memory/4396-2-0x0000000140000000-0x000000014021D400-memory.dmp

Filesize
2.1MB

Download
memory/4396-1-0x0000000140000000-0x000000014021D400-memory.dmp

Filesize
2.1MB

Download
memory/4568-66-0x0000000140000000-0x000000014021D400-memory.dmp

Filesize
2.1MB

Download
memory/4568-65-0x0000000140000000-0x000000014021D400-memory.dmp

Filesize
2.1MB

Download
memory/4568-116-0x0000000140000000-0x000000014021D400-memory.dmp

Filesize
2.1MB

Download