Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-03-2024 20:26

General

  • Target

    @_136 @828#-138389J-SJFJDSM.exe

  • Size

    5.2MB

  • MD5

    8951c21e3a189b73a567f1078f67671d

  • SHA1

    54b99b503f8a6c70fbc0c9791a21d2705fed0a4f

  • SHA256

    955ca46af9ec9f1a8f1f51da125ed7fa05ab25ae5cdadada73feb37542626384

  • SHA512

    eb6f50bf15c7b7224df9ef7d139a7adffbf5b28e96611a4475d3b7f5ee62751d37a3ff0ca7123107196a033d73adb7aab7f2c1541b8b50fe6a546448671126cc

  • SSDEEP

    49152:5Y/zzz/zTzjzTzTzTzwrDrTrDrTrDrTrDrTrDr3CnX/fX3Xfn7X3LX/fX3Xfn7Xc:5ezzz/zTzjzTzTzTzwJv

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here mbr.exe creates a task named "Windows Update" with /ru SYSTEM and /SC ONSTART whose action is mbr.exe itself in the Temp drop directory, so the MBR writer is re-run with SYSTEM privileges at every boot.

  • Delays execution with timeout.exe 4 IoCs
  • Kills process with taskkill 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs
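The "Writes to the Master Boot Record" signature only records that mbr.exe wrote to the MBR; the report does not show what was written. The following added example (editor's code, not part of the sandbox report or of the sample) parses a 512-byte MBR sector and compares its 440-byte bootstrap area against a known-good hash, which is the check to run on the analysis VM's disk image or on a suspect host. The sample sectors, the disk signature 0xDEADBEEF and the single NTFS partition entry are constructed for illustration; `read_physical_mbr` assumes Windows and an elevated prompt and is not exercised offline.

```python
"""Parse a 512-byte MBR sector and compare its bootstrap code with a baseline.

Added example for checking a disk after the "Writes to the MBR" signature fires.
The sectors, disk signature and partition entry below are constructed, not taken
from the analysed sample.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bootstrap code occupies bytes 0..439
DISK_SIG_OFF = 440             # 4-byte NT disk signature at 440..443
PART_TABLE_OFF = 446           # four 16-byte partition entries at 446..509
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511
ENTRY_FMT = "<B3xB3xII"        # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Return signature validity, disk signature, boot-code hash and in-use partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    (disk_sig,) = struct.unpack_from("<I", sector, DISK_SIG_OFF)
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "disk_signature": f"{disk_sig:08x}",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def mbr_findings(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Anomalies relative to a known-good bootstrap hash; an empty list means clean."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("bootstrap code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition marked bootable")
    return findings


def build_sector(boot_code: bytes, disk_sig: int, entries: list) -> bytes:
    """Assemble a sector from its parts (used here only to construct the samples)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code must fit in 440 bytes")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i, status, ptype, lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def read_physical_mbr(path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw disk; Windows only, needs an elevated prompt (not run offline)."""
    with open(path, "rb", buffering=0) as disk:
        return disk.read(SECTOR_SIZE)


# Constructed samples: a clean sector with a standard-looking prologue (xor ax,ax; mov ss,ax;
# mov sp,7C00h) and a copy whose bootstrap code was replaced, as a bootkit would do.
CLEAN_BOOT_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (BOOT_CODE_LEN - 7)
PARTITIONS = [(0x80, 0x07, 2048, 1_000_000)]   # one bootable NTFS partition at LBA 2048
CLEAN = build_sector(CLEAN_BOOT_CODE, 0xDEADBEEF, PARTITIONS)
BASELINE_SHA256 = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()
TAMPERED = build_sector(b"\xEB\xFE" + b"\x00" * (BOOT_CODE_LEN - 2), 0xDEADBEEF, PARTITIONS)

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, parse_mbr(sector)["partitions"], mbr_findings(sector, BASELINE_SHA256))
```

Take the baseline hash from a clean disk of the same Windows build and compare the partition table separately: a bootkit typically leaves the table intact and replaces only the code, which is why the hash covers bytes 0..439 rather than the whole sector (the disk signature and the table legitimately differ from host to host).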

Processes

  • C:\Users\Admin\AppData\Local\Temp\@_136 @828#-138389J-SJFJDSM.exe
    "C:\Users\Admin\AppData\Local\Temp\@_136 @828#-138389J-SJFJDSM.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4772
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F84A.tmp\F85B.bat "C:\Users\Admin\AppData\Local\Temp\@_136 @828#-138389J-SJFJDSM.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1552
      • C:\Windows\system32\cscript.exe
        cscript prompt.vbs
        3⤵
          PID:4648
        • C:\Users\Admin\AppData\Local\Temp\F84A.tmp\mbr.exe
          mbr.exe
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Writes to the Master Boot Record (MBR)
          • Suspicious use of WriteProcessMemory
          PID:2876
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\F84A.tmp\mbr.exe"
            4⤵
            • Creates scheduled task(s)
            PID:3520
        • C:\Users\Admin\AppData\Local\Temp\F84A.tmp\bytebeat.exe
          bytebeat.exe
          3⤵
          • Executes dropped EXE
          PID:2796
        • C:\Users\Admin\AppData\Local\Temp\F84A.tmp\Magix.exe
          Magix.exe
          3⤵
          • Executes dropped EXE
          PID:2852
        • C:\Windows\system32\timeout.exe
          timeout 30
          3⤵
          • Delays execution with timeout.exe
          PID:716
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im bytebeat.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4892
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im Magix.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1076
        • C:\Users\Admin\AppData\Local\Temp\F84A.tmp\bytebeat1.exe
          bytebeat1.exe
          3⤵
          • Executes dropped EXE
          PID:4064
        • C:\Users\Admin\AppData\Local\Temp\F84A.tmp\test.exe
          test.exe
          3⤵
          • Executes dropped EXE
          PID:3372
        • C:\Windows\system32\timeout.exe
          timeout 40
          3⤵
          • Delays execution with timeout.exe
          PID:3852
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im bytebeat1.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1976
        • C:\Users\Admin\AppData\Local\Temp\F84A.tmp\rgb.exe
          rgb.exe
          3⤵
          • Executes dropped EXE
          PID:1504
        • C:\Users\Admin\AppData\Local\Temp\F84A.tmp\snd.exe
          snd.exe
          3⤵
          • Executes dropped EXE
          PID:4392
        • C:\Windows\system32\timeout.exe
          timeout 50
          3⤵
          • Delays execution with timeout.exe
          PID:4884
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im rgb.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1304
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im snd.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3116
        • C:\Users\Admin\AppData\Local\Temp\F84A.tmp\gl1.exe
          gl1.exe
          3⤵
          • Executes dropped EXE
          PID:2176
        • C:\Users\Admin\AppData\Local\Temp\F84A.tmp\circle.exe
          circle.exe
          3⤵
          • Executes dropped EXE
          PID:4156
        • C:\Windows\system32\timeout.exe
          timeout 65
          3⤵
          • Delays execution with timeout.exe
          PID:3020
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x310 0x2cc
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4196
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3804 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:1772
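The process tree above is the useful part of this report: a batch file under Temp launches each dropped EXE, waits with timeout, then kills it with taskkill, while mbr.exe registers a scheduled task named "Windows Update" that runs it as SYSTEM at every boot. The following added example (editor's code, not the sandbox's own signature logic) turns those two observations into triage rules over process records. The records are a subset transcribed from the tree above with the PIDs as reported, the parent PID of the submitted sample being the only value the report omits, and the list of lookalike task names is an assumption.

```python
"""Triage a sandbox process tree for scheduled-task persistence and a run/wait/kill loop.

Added example, not the sandbox's own signature logic. RECORDS is a subset transcribed
from the process tree on this page; LOOKALIKE_TASK_NAMES is an assumed list.
"""
import ntpath
import re
from dataclasses import dataclass

TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
LOOKALIKE_TASK_NAMES = {"windows update", "microsoft update", "windows defender"}


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping double-quoted spans whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def switch_args(tokens: list) -> dict:
    """Map /switch -> following value ('' for bare switches such as /Create), keys lower-cased."""
    args, i = {}, 1
    while i < len(tokens):
        if tokens[i].startswith("/"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            val = "" if nxt.startswith("/") else nxt
            args[tokens[i].lower()] = val
            i += 2 if val else 1
        else:
            i += 1
    return args


def in_temp(path: str) -> bool:
    return any(d in path.lower() for d in TEMP_DIRS)


def flag_schtasks(p: Proc) -> list:
    """Reasons a schtasks /Create invocation looks like malware persistence (empty if none)."""
    if "schtasks" not in p.image.lower():
        return []
    args = switch_args(tokenize(p.cmdline))
    if "/create" not in args:
        return []
    reasons = []
    if args.get("/ru", "").upper() == "SYSTEM":
        reasons.append("runs as SYSTEM")
    if args.get("/sc", "").upper() == "ONSTART":
        reasons.append("triggers at boot")
    if in_temp(args.get("/tr", "")):
        reasons.append("action executable lives under Temp")
    if args.get("/tn", "").lower() in LOOKALIKE_TASK_NAMES:
        reasons.append("task name imitates a Windows component")
    return reasons


def staged_and_killed(procs: list) -> dict:
    """Parent PID -> Temp-dropped images it launched and later killed with taskkill /im.
    Only parents that also ran timeout.exe (the batch file's wait step) are considered."""
    by_parent = {}
    for p in procs:
        by_parent.setdefault(p.ppid, []).append(p)
    hits = {}
    for ppid, kids in by_parent.items():
        if not any("timeout" in k.image.lower() for k in kids):
            continue
        launched = [ntpath.basename(k.image).lower() for k in kids if in_temp(k.image)]
        killed = set()
        for k in kids:
            t = [x.lower() for x in tokenize(k.cmdline)]
            if "taskkill" in k.image.lower() and "/im" in t and t.index("/im") + 1 < len(t):
                killed.add(t[t.index("/im") + 1])
        matched = [img for img in launched if img in killed]
        if matched:
            hits[ppid] = matched
    return hits


T = r"C:\Users\Admin\AppData\Local\Temp\F84A.tmp"
SYS32 = r"C:\Windows\system32"
RECORDS = [  # transcribed subset of the tree above (PIDs as reported)
    Proc(1552, 4772, SYS32 + r"\cmd.exe", f'"{SYS32}\\cmd.exe" /c "{T}\\F85B.bat "{T}\\@_136 @828#-138389J-SJFJDSM.exe""'),
    Proc(2876, 1552, T + r"\mbr.exe", "mbr.exe"),
    Proc(3520, 2876, r"C:\Windows\SysWOW64\schtasks.exe",
         f'schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "{T}\\mbr.exe"'),
    Proc(2796, 1552, T + r"\bytebeat.exe", "bytebeat.exe"),
    Proc(2852, 1552, T + r"\Magix.exe", "Magix.exe"),
    Proc(716, 1552, SYS32 + r"\timeout.exe", "timeout 30"),
    Proc(4892, 1552, SYS32 + r"\taskkill.exe", "taskkill /f /im bytebeat.exe"),
    Proc(1076, 1552, SYS32 + r"\taskkill.exe", "taskkill /f /im Magix.exe"),
    Proc(4064, 1552, T + r"\bytebeat1.exe", "bytebeat1.exe"),
    Proc(3852, 1552, SYS32 + r"\timeout.exe", "timeout 40"),
    Proc(1976, 1552, SYS32 + r"\taskkill.exe", "taskkill /f /im bytebeat1.exe"),
]

if __name__ == "__main__":
    for p in RECORDS:
        for reason in flag_schtasks(p):
            print(f"pid {p.pid}: schtasks persistence: {reason}")
    for ppid, images in staged_and_killed(RECORDS).items():
        print(f"pid {ppid}: run/wait/kill loop over {', '.join(images)}")
```

Note that mbr.exe is launched from Temp by the same cmd.exe but never killed, so it is correctly absent from the run/wait/kill finding and surfaces only through its schtasks child; on a live host the same rules apply to Sysmon event 1 records (Image, ParentProcessId, CommandLine) with no change to the parsing.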

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\F84A.tmp\F85B.bat

        Filesize

        557B

        MD5

        66f47a843ad967cd8824d29bbca65017

        SHA1

        d5a01629302123b6289a7bd677035ed5e237baaf

        SHA256

        3f2b8da496e474625ade273d664cf76b8a1b8ea2ba42e8656e92b7819793cab9

        SHA512

        1e151e4e1fb69aa7311d8b754e435972e7f6bf47fbf4ad3a06516821b5d5a698e80cb03cec022137643c4c38d09527c5adfbe3846962f71cc7797c81093f034e

      • C:\Users\Admin\AppData\Local\Temp\F84A.tmp\Magix.exe

        Filesize

        59KB

        MD5

        026992ed7c38fae57e8839a6c0d883c8

        SHA1

        9b389aa3dd774f3cfff3dcbe8ea8779ef005b31f

        SHA256

        68cb1fe2ee7c3f69fe2d508d117b502ed19337bd332e722605e491a823f89645

        SHA512

        d20fe47538b9e1fa0ccf198f5a4a31506cc59622b2492e9f64435fb06b66ccf93cde056693656da626ebf56ab434425fbf3291db979fe6c67b2a7a14649d9dc7

      • C:\Users\Admin\AppData\Local\Temp\F84A.tmp\bytebeat.exe

        Filesize

        102KB

        MD5

        445d48408fd9cb1bcadfb8243027a12b

        SHA1

        cb1382d3870a4a821ce8e731d9401f7ba0c0da40

        SHA256

        7a5b8795aed94dca80cc5e956f1b409135735637cc556c7b533acd6b2fbaee58

        SHA512

        b89d121f13a574d6b51125cb7b35ad68af22eeaa7b68b8cfbdcbdd228b941235a8a841906023274d93ee68ab64ca59251f6f7ffb2b59034616879e111359297f

      • C:\Users\Admin\AppData\Local\Temp\F84A.tmp\bytebeat.wav

        Filesize

        1.3MB

        MD5

        d6c579826cfdb4716612eefb5ee07c78

        SHA1

        a179e34b8811935942846451b98064c973c02c1a

        SHA256

        aa2e99a722498dbc75870a1abc7a351da46b1bde1b349148efb5a237312c46fd

        SHA512

        ada16dfef3f9e264108dff6ee975b79f38a38a733cff82b788897a140fa197f6816be1bea0ef425a56380d03fd6d45652ae4c8fbaef1a964bb1b7055af989c10

      • C:\Users\Admin\AppData\Local\Temp\F84A.tmp\bytebeat1.exe

        Filesize

        102KB

        MD5

        6b673ece600bcc8a665ebf251d7d926e

        SHA1

        64ef7c73a713bf3c55fb4ac4e5366a7a425f1b4e

        SHA256

        41ac58d922f32134e75e87898d2c179d478c81edaae0d9bc28e7ce7d6f422f8b

        SHA512

        feb18a1aa72de47fd67919e196abd200afdf22ad5a7e5dac20593252d8b2ca86982bb07c2fed3681ef06c9933c6d197590c1df65aa5df93cb6abafca5e53e9ff

      • C:\Users\Admin\AppData\Local\Temp\F84A.tmp\bytebeat1.wav

        Filesize

        1.3MB

        MD5

        cea9d2316f0e62a4fe233d6d9445fc53

        SHA1

        b058e7d7d96b717e6a47606eb6f632c4444ff800

        SHA256

        f61e579cdd011ea354c4d19bdfe140df9870f372ebe7b3ec747140a0771fe1a1

        SHA512

        e73aaeae358dc340c046f61dd29a629a3b2a20ebed7966a1d92da820c484154093bf42330cd0e0ad96373d2a25d1f0237abd8e34cdfd3ca9ccb3d6d310400394

      • C:\Users\Admin\AppData\Local\Temp\F84A.tmp\circle.exe

        Filesize

        12KB

        MD5

        ed169e40a69cf73fd3ac59215b24063f

        SHA1

        32d49462e74e6c08b941d8cd530a5f3c0f3b5764

        SHA256

        b8ffde2fc69292ffa1a704a1cf977eedfc86277a61d4937245d218d22674178c

        SHA512

        f949a7b9b5dae91f887e7ce9bb45f7500534873d3baab5f5c2b1c31b1e185e70278ceb9d4f03f495460e0fb96399239fa678b0b4750ee870cbaa6333ab5ebb6c

      • C:\Users\Admin\AppData\Local\Temp\F84A.tmp\gl1.exe

        Filesize

        105KB

        MD5

        ac0cdb57f020158a4f356f0f819ac9a8

        SHA1

        2fa07803943314ff4ff9a6ece448caccf327db54

        SHA256

        a47b0210f10011d86c59f19f929a860eaa2bd363ec1e01927c4edad404656b4b

        SHA512

        a12a7441a107df43682bfe581d56891910bf8906b18a4049e822828c5d6d376e32ee69fc7f983afe98e9c1067e2962fa2895b643e4699568c4e053d89ca7b1eb

      • C:\Users\Admin\AppData\Local\Temp\F84A.tmp\mbr.exe

        Filesize

        101KB

        MD5

        a15d67f06d5bb68b5a22283d84fb5077

        SHA1

        3fd6fd5f561e1a540d3d24956e1e61d6a31f0a68

        SHA256

        7d36b6c3cefa53f821f955a7a47d11db0a10d781e0ca2d2d2217feca4fc9c235

        SHA512

        6ff79aac54e27d41f3323bea8c3f305a8b64d88fe9fa11e7eb39913242b731821020de11b7c759ba8cdf0241746ffa2eb29e02eb8e523f1c06b592dbac474e2e

      • C:\Users\Admin\AppData\Local\Temp\F84A.tmp\noise.wav

        Filesize

        937KB

        MD5

        5144895869d5441a2a997bdb6d1b8576

        SHA1

        357c7710b18c60ac13538506e43c4558c1422252

        SHA256

        2cf498b82d0d0c51cf10a82e7221d24ad4afd378f31f79253261729e71e95b73

        SHA512

        1c6d6cec3c2b9666b2c673fdda49eb431d2d321d77c7ce82a8033ff05dedb30a4145deec85f56235db1ad07b3540125b8d33fafc13f9e0569e55ea49a207215f

      • C:\Users\Admin\AppData\Local\Temp\F84A.tmp\prompt.vbs

        Filesize

        234B

        MD5

        a1b56af69ace7a3738f2aeec477c4a33

        SHA1

        bfec32c379a396612d16624c8548943647d15c96

        SHA256

        3c5331020e62e93f1ea06df0f227af2a5dd2355307be8e728282e9ddf5a1962c

        SHA512

        ffaff006ca9115cb259fa92309836c08b9772f6d65907236bc210532ff4dd2b38c635175d346d6818266364f6c1e5a2109e01f841594222bac10f9f890f7c337

      • C:\Users\Admin\AppData\Local\Temp\F84A.tmp\rgb.exe

        Filesize

        105KB

        MD5

        bfc9e8ab494313d6efb67fc8942f5ee9

        SHA1

        1b42cc97803221538e020cb90517cb808cf19381

        SHA256

        33cbdb6e00f3f42f58502af8a9150604a44bb9b26825c909aa0edb5c744a1f13

        SHA512

        2d01f92397b65eade1f6140f80e2cb626b3e53b112c7e77e84ea7f6092b07c05eacb9e5e9bcb4676c8bdd10fcfba4fe297f2a01eedffffa594af87839baae030

      • C:\Users\Admin\AppData\Local\Temp\F84A.tmp\snd.exe

        Filesize

        102KB

        MD5

        7baad7b6dcd387183540a1a771e1b8d5

        SHA1

        8fb4bc170b6e3050135e0c7b651441dbe963d7fc

        SHA256

        57e598fa7a93d50258afb6e563266521ae0bd35e6f80b247eb24a31a56a32461

        SHA512

        cfb85b10af70cc053a7c31a5d64741286b64eebd8ac9f3a97e6ed9989e81c629041808ce337d7b8c590f069da9a05e38e9b8dcf89b70e561362bff010732800b

      • C:\Users\Admin\AppData\Local\Temp\F84A.tmp\test.exe

        Filesize

        74KB

        MD5

        64a69d3a6620009ebe49595a5d8d119e

        SHA1

        4d478712f6503dc7f32e600d7b5aa0118c83214d

        SHA256

        199e4e84b644b264d170b04945880f095790206c65fdfb5a88c8ab73bd29357d

        SHA512

        b2e6ace579201f74abea5d4aecf416980ab028d1876ffc57e474b2b2142489ec4589a4c151eafa4a9067b446396829a370c882b0d40ab8073ad7ff266bd6653f

      • memory/1504-68-0x0000000000400000-0x000000000041D000-memory.dmp

        Filesize

        116KB

      • memory/2176-84-0x0000000000400000-0x000000000041D000-memory.dmp

        Filesize

        116KB

      • memory/2796-44-0x0000000000400000-0x000000000041D000-memory.dmp

        Filesize

        116KB

      • memory/2852-49-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/2852-47-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/2852-45-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/2876-43-0x0000000000400000-0x0000000000423000-memory.dmp

        Filesize

        140KB

      • memory/4064-57-0x0000000000400000-0x000000000041D000-memory.dmp

        Filesize

        116KB

      • memory/4156-85-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

      • memory/4392-69-0x0000000000400000-0x000000000041D000-memory.dmp

        Filesize

        116KB