e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe
Size

1.6MB
MD5

034bfaec248c788bac7ac64c3ff8b7f2
SHA1

cfb0d32b4df8c1426e4efc11b797df2dd55730bb
SHA256

e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43
SHA512

6f1b40d32253cb6b28706b8aab414bddd75a56b37aef058d6e0d334dfed358478e16668359b493a425919c6ada3d4f1f4929e3775c636453d6483c529221d159
SSDEEP

24576:ZrVGNek6mpi8UljolHKOpIR+s6yR1nLX49b2yKCB3JurSnhG9h8K:DiiPMqOIR/rRX49S65pG31

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1272 set thread context of 1776	1272	e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2504	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1272	e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe
3964	powershell.exe
3964	powershell.exe
2144	powershell.exe
2144	powershell.exe
2144	powershell.exe
3964	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1272	e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	1776	RegSvcs.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 2144	1272	e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe	93
PID 1272 wrote to memory of 2144	1272	e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe	93
PID 1272 wrote to memory of 3964	1272	e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe	94
PID 1272 wrote to memory of 3964	1272	e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe	94
PID 1272 wrote to memory of 2504	1272	e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe	96
PID 1272 wrote to memory of 2504	1272	e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe	96
PID 1272 wrote to memory of 1776	1272	e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe	99
PID 1272 wrote to memory of 1776	1272	e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe	99
PID 1272 wrote to memory of 1776	1272	e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe	99
PID 1272 wrote to memory of 1776	1272	e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe	99
PID 1272 wrote to memory of 1776	1272	e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe	99
PID 1272 wrote to memory of 1776	1272	e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe
"C:\Users\Admin\AppData\Local\Temp\e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jjbGqIOxgszK.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3964
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jjbGqIOxgszK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9E15.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2504
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tkzhc0vh.51w.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9E15.tmp

Filesize
1KB

MD5
bac69aecaaabe04b8f1915d6162e08f8

SHA1
260894b05b4aa64dbb208437fcec893e39e82eb7

SHA256
b7a0b0d08601b8b3d454b2c9f2f262cfa10b15834ceb21560bee33f4a6cace36

SHA512
efc1ac5ef708b84c2bda377413ecea431c24fff8f4461c8a9a7b43235202e433fdaa08b929a886df634ca7753d344162e8b334725514d529161cb249a7a5447a

Download Submit
memory/1272-3-0x0000000003720000-0x000000000373A000-memory.dmp

Filesize
104KB

Download
memory/1272-5-0x000000001C7B0000-0x000000001C7C2000-memory.dmp

Filesize
72KB

Download
memory/1272-6-0x000000001C7C0000-0x000000001C7D0000-memory.dmp

Filesize
64KB

Download
memory/1272-7-0x000000001F530000-0x000000001F64A000-memory.dmp

Filesize
1.1MB

Download
memory/1272-4-0x00007FFBE9B80000-0x00007FFBEA641000-memory.dmp

Filesize
10.8MB

Download
memory/1272-0-0x0000000000A00000-0x0000000000B9C000-memory.dmp

Filesize
1.6MB

Download
memory/1272-2-0x0000000001550000-0x0000000001560000-memory.dmp

Filesize
64KB

Download
memory/1272-33-0x00007FFBE9B80000-0x00007FFBEA641000-memory.dmp

Filesize
10.8MB

Download
memory/1272-1-0x00007FFBE9B80000-0x00007FFBEA641000-memory.dmp

Filesize
10.8MB

Download
memory/1272-29-0x0000000001550000-0x0000000001560000-memory.dmp

Filesize
64KB

Download
memory/1776-28-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/1776-77-0x00000269EC870000-0x00000269EC97F000-memory.dmp

Filesize
1.1MB

Download
memory/1776-2295-0x00000269ECA50000-0x00000269ECA60000-memory.dmp

Filesize
64KB

Download
memory/1776-2294-0x00007FFBE9B80000-0x00007FFBEA641000-memory.dmp

Filesize
10.8MB

Download
memory/1776-31-0x00000269EC870000-0x00000269EC982000-memory.dmp

Filesize
1.1MB

Download
memory/1776-2292-0x00000269ECA60000-0x00000269ECAFE000-memory.dmp

Filesize
632KB

Download
memory/1776-34-0x00000269EC870000-0x00000269EC97F000-memory.dmp

Filesize
1.1MB

Download
memory/1776-2293-0x00000269EC020000-0x00000269EC06C000-memory.dmp

Filesize
304KB

Download
memory/1776-44-0x00000269EC870000-0x00000269EC97F000-memory.dmp

Filesize
1.1MB

Download
memory/1776-45-0x00007FFBE9B80000-0x00007FFBEA641000-memory.dmp

Filesize
10.8MB

Download
memory/1776-48-0x00000269EC870000-0x00000269EC97F000-memory.dmp

Filesize
1.1MB

Download
memory/1776-47-0x00000269ECA50000-0x00000269ECA60000-memory.dmp

Filesize
64KB

Download
memory/1776-50-0x00000269EC870000-0x00000269EC97F000-memory.dmp

Filesize
1.1MB

Download
memory/1776-52-0x00000269EC870000-0x00000269EC97F000-memory.dmp

Filesize
1.1MB

Download
memory/1776-54-0x00000269EC870000-0x00000269EC97F000-memory.dmp

Filesize
1.1MB

Download
memory/1776-56-0x00000269EC870000-0x00000269EC97F000-memory.dmp

Filesize
1.1MB

Download
memory/1776-58-0x00000269EC870000-0x00000269EC97F000-memory.dmp

Filesize
1.1MB

Download
memory/1776-60-0x00000269EC870000-0x00000269EC97F000-memory.dmp

Filesize
1.1MB

Download
memory/1776-62-0x00000269EC870000-0x00000269EC97F000-memory.dmp

Filesize
1.1MB

Download
memory/1776-64-0x00000269EC870000-0x00000269EC97F000-memory.dmp

Filesize
1.1MB

Download
memory/1776-66-0x00000269EC870000-0x00000269EC97F000-memory.dmp

Filesize
1.1MB

Download
memory/1776-68-0x00000269EC870000-0x00000269EC97F000-memory.dmp

Filesize
1.1MB

Download
memory/1776-72-0x00000269EC870000-0x00000269EC97F000-memory.dmp

Filesize
1.1MB

Download
memory/1776-99-0x00000269EC870000-0x00000269EC97F000-memory.dmp

Filesize
1.1MB

Download
memory/1776-75-0x00000269EC870000-0x00000269EC97F000-memory.dmp

Filesize
1.1MB

Download
memory/1776-101-0x00000269EC870000-0x00000269EC97F000-memory.dmp

Filesize
1.1MB

Download
memory/1776-79-0x00000269EC870000-0x00000269EC97F000-memory.dmp

Filesize
1.1MB

Download
memory/1776-83-0x00000269EC870000-0x00000269EC97F000-memory.dmp

Filesize
1.1MB

Download
memory/1776-81-0x00000269EC870000-0x00000269EC97F000-memory.dmp

Filesize
1.1MB

Download
memory/1776-85-0x00000269EC870000-0x00000269EC97F000-memory.dmp

Filesize
1.1MB

Download
memory/1776-87-0x00000269EC870000-0x00000269EC97F000-memory.dmp

Filesize
1.1MB

Download
memory/1776-105-0x00000269EC870000-0x00000269EC97F000-memory.dmp

Filesize
1.1MB

Download
memory/1776-107-0x00000269EC870000-0x00000269EC97F000-memory.dmp

Filesize
1.1MB

Download
memory/1776-89-0x00000269EC870000-0x00000269EC97F000-memory.dmp

Filesize
1.1MB

Download
memory/1776-95-0x00000269EC870000-0x00000269EC97F000-memory.dmp

Filesize
1.1MB

Download
memory/1776-109-0x00000269EC870000-0x00000269EC97F000-memory.dmp

Filesize
1.1MB

Download
memory/1776-97-0x00000269EC870000-0x00000269EC97F000-memory.dmp

Filesize
1.1MB

Download
memory/1776-103-0x00000269EC870000-0x00000269EC97F000-memory.dmp

Filesize
1.1MB

Download
memory/1776-113-0x00000269EC870000-0x00000269EC97F000-memory.dmp

Filesize
1.1MB

Download
memory/1776-111-0x00000269EC870000-0x00000269EC97F000-memory.dmp

Filesize
1.1MB

Download
memory/2144-27-0x000001707B840000-0x000001707B850000-memory.dmp

Filesize
64KB

Download
memory/2144-73-0x00007FFBE9B80000-0x00007FFBEA641000-memory.dmp

Filesize
10.8MB

Download
memory/2144-26-0x000001707B840000-0x000001707B850000-memory.dmp

Filesize
64KB

Download
memory/2144-32-0x00007FFBE9B80000-0x00007FFBEA641000-memory.dmp

Filesize
10.8MB

Download
memory/3964-94-0x00007FFBE9B80000-0x00007FFBEA641000-memory.dmp

Filesize
10.8MB

Download
memory/3964-13-0x00007FFBE9B80000-0x00007FFBEA641000-memory.dmp

Filesize
10.8MB

Download
memory/3964-14-0x00000288FA680000-0x00000288FA690000-memory.dmp

Filesize
64KB

Download
memory/3964-15-0x00000288FA680000-0x00000288FA690000-memory.dmp

Filesize
64KB

Download
memory/3964-22-0x00000288FA870000-0x00000288FA892000-memory.dmp

Filesize
136KB

Download