922c43a5ccbb2622ec917426a98da9289e5481ad29d5996003e8a46e6791573b

Analysis

max time kernel
92s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2024 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

1.4MB
MD5

f1152d572e1722ea2568eff98efc161f
SHA1

5c61a7c330a12a5cd8c649b8335ddae1d63d3d26
SHA256

922c43a5ccbb2622ec917426a98da9289e5481ad29d5996003e8a46e6791573b
SHA512

1f9b02f2038597aeab96eab6ec829c1f2322bfcbb5f07f854e78b14ece4427a915a35575fbed8c86982eb2b2e36507c6e950624d58e5cc50373944829c15d926
SSDEEP

24576:CYhXUX0DKyOBqg7Fx+mDSLdBJ4qyzTaPkrK/ApWmNKmGztJ0uiX19HX7Bcaxw+LP:/hHDKnl2mDo32l63/zm5Gz3F6RrB9x

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1212 created 3480	1212	Nike.pif	57

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	tmp.exe

Executes dropped EXE 2 IoCs

pid	Process
1212	Nike.pif
4196	Nike.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1212 set thread context of 4196	1212	Nike.pif	107

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
3124	tasklist.exe
4624	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2776	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1212	Nike.pif
1212	Nike.pif
1212	Nike.pif
1212	Nike.pif
1212	Nike.pif
1212	Nike.pif
1212	Nike.pif
1212	Nike.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4624	tasklist.exe
Token: SeDebugPrivilege	3124	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1212	Nike.pif
1212	Nike.pif
1212	Nike.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1212	Nike.pif
1212	Nike.pif
1212	Nike.pif

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 3748 wrote to memory of 1032	3748	tmp.exe	89
PID 3748 wrote to memory of 1032	3748	tmp.exe	89
PID 3748 wrote to memory of 1032	3748	tmp.exe	89
PID 1032 wrote to memory of 4624	1032	cmd.exe	91
PID 1032 wrote to memory of 4624	1032	cmd.exe	91
PID 1032 wrote to memory of 4624	1032	cmd.exe	91
PID 1032 wrote to memory of 1508	1032	cmd.exe	92
PID 1032 wrote to memory of 1508	1032	cmd.exe	92
PID 1032 wrote to memory of 1508	1032	cmd.exe	92
PID 1032 wrote to memory of 3124	1032	cmd.exe	94
PID 1032 wrote to memory of 3124	1032	cmd.exe	94
PID 1032 wrote to memory of 3124	1032	cmd.exe	94
PID 1032 wrote to memory of 4280	1032	cmd.exe	95
PID 1032 wrote to memory of 4280	1032	cmd.exe	95
PID 1032 wrote to memory of 4280	1032	cmd.exe	95
PID 1032 wrote to memory of 4412	1032	cmd.exe	96
PID 1032 wrote to memory of 4412	1032	cmd.exe	96
PID 1032 wrote to memory of 4412	1032	cmd.exe	96
PID 1032 wrote to memory of 4168	1032	cmd.exe	97
PID 1032 wrote to memory of 4168	1032	cmd.exe	97
PID 1032 wrote to memory of 4168	1032	cmd.exe	97
PID 1032 wrote to memory of 3852	1032	cmd.exe	98
PID 1032 wrote to memory of 3852	1032	cmd.exe	98
PID 1032 wrote to memory of 3852	1032	cmd.exe	98
PID 1032 wrote to memory of 1212	1032	cmd.exe	99
PID 1032 wrote to memory of 1212	1032	cmd.exe	99
PID 1032 wrote to memory of 1212	1032	cmd.exe	99
PID 1032 wrote to memory of 2776	1032	cmd.exe	100
PID 1032 wrote to memory of 2776	1032	cmd.exe	100
PID 1032 wrote to memory of 2776	1032	cmd.exe	100
PID 1212 wrote to memory of 4196	1212	Nike.pif	107
PID 1212 wrote to memory of 4196	1212	Nike.pif	107
PID 1212 wrote to memory of 4196	1212	Nike.pif	107
PID 1212 wrote to memory of 4196	1212	Nike.pif	107
PID 1212 wrote to memory of 4196	1212	Nike.pif	107

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3480
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3748
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c move Robot Robot.bat & Robot.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4624
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:1508
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3124
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:4280
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 17179
      4⤵
      PID:4412
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Simultaneously + Aimed + Nuts + Costa + Reprints + Usage 17179\Nike.pif
      4⤵
      PID:4168
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Chairman + Autos + Along + Salt + Auckland + Procedures + Rr + Myspace + Homeless 17179\C
      4⤵
      PID:3852
  - - C:\Users\Admin\AppData\Local\Temp\17179\Nike.pif
      17179\Nike.pif 17179\C
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1212
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2776
- C:\Users\Admin\AppData\Local\Temp\17179\Nike.pif
  C:\Users\Admin\AppData\Local\Temp\17179\Nike.pif
  2⤵
  - Executes dropped EXE
  PID:4196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\17179\C

Filesize
2.0MB

MD5
776260edea333839948e94dff8193471

SHA1
f4d9af6472f009fce6e75a6df94b8dd41355a13a

SHA256
d271b6881b95a3ba3a5064941c471ec449fadce82f0a44c4eea57517f0c8829c

SHA512
eddfb36453e04cc22e7f0692241ccf28da1c7a940fa287a0e2e76deb595476bca736293565108d976c6348153e92c646d10d73a4947c19f14b03db6ecf6cae27

Download Submit
C:\Users\Admin\AppData\Local\Temp\17179\Nike.pif

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aimed

Filesize
28KB

MD5
294caec6c8e8a3ba924d85cfb03cdd5d

SHA1
7950a476591ef67df1ceae43ad6770a64eae575c

SHA256
44e7541df7fa961fa91dcf6879d1c9effe7176dfc52d3cec5e9b298326044744

SHA512
84979937faf1487993e480997a70aed7b6d7f6abf4df5dc309362c46f5b1b46bc6a6c8a7d3e3ded9d90e57b16bb4ccb81a4851051d635562dbd8f9304c6840ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Along

Filesize
212KB

MD5
0d0cb77f4037204ecf5a08dbed31fb8d

SHA1
cbbf7e53413e79b4c015eec3945f97d5d517d0ab

SHA256
d6e0c9b6d3c7517c486ff403ee4bda18690bcc70a5fca409f7dc6bc4d1b5151b

SHA512
b826a50628a91d902b2e6f3b440c3276f41af3fda65666a66bc44f719d9f444e394ec4daec2733f066ab254b8a79784a7304d5d92a0f8e7d3704b4d4b89b65e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Auckland

Filesize
221KB

MD5
ef1fe3579b6c5a3e3ac63b20192cf20f

SHA1
99cf9ec694398df314b3177b1e3f6e8eb091beb2

SHA256
9090a740e65fefcb74a4601709725dbd2a42baaeb7aa88063e6c3dc6350434e3

SHA512
daf112fd6c19bdf1159586b0f311c5aac9187bacfb6c84f1aa157415873375f2f7d8a9b12c09529cc47a82af0ed92f928fb1f3c93edfb53468c335980bbc39fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autos

Filesize
247KB

MD5
7598d1ce385e1a947021a6b7bac87524

SHA1
eb9d248767e0815a8df4c854c6dd98a3de014d55

SHA256
7d039737feb5a3c2781835772882867a5a13afdbdd806738e659e4931c01ef2b

SHA512
80f9dd2fd71a2084517a496791c029414b9be6861201b4f9e6f23d929a8eaed8733d69cf9086e3c209c9d1d395d8a432085d72b4e1f1736f37e0b99ce63dade3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chairman

Filesize
211KB

MD5
db6613a611d0c422c9e41cce76db9a76

SHA1
4534eb2299aaa712bc92bcc8c931b441514e42a9

SHA256
6bb84b76a30a2914fe7f254b4985efec0404787d76009de12a46b6323a3f9ea1

SHA512
dc8242bf6de2db01c68df8fa905079b78b7e42f23f79172fa72402a06d8bd70371dd5462dcdbae260905418d3e3e2c39f0b194e13ccb2cc97a65adc5c1b25f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costa

Filesize
94KB

MD5
14749928713caef324211c842448093f

SHA1
9cd06359d60978ae9a2398a3c9577be9c2af89d8

SHA256
22db23707586e405e5bbb292d41596e308eaa89eb0f2713909cd26625c36fb77

SHA512
200e84b1756fbc76a5474c1c71fe381ef4f45bad65f530b5b569d40e5dae881fab2406846163a40f6c76284b0d5b253893a7f3dd9a6ab074e31e9f5b411bc2df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Homeless

Filesize
129KB

MD5
1eafe64d3ddec055f737f16a8db756f1

SHA1
b2a21f317aef16bd701a58e80d93ab40d72bfc9c

SHA256
44d768eaff95597141b0ddcaeb5e539e8a9149858fa445e645118e96614f14aa

SHA512
e67bef14ec424c23eeb7703653ac507a48670dea184c8106dd9038aa532dd306201ecdad1328a6068b25e4bd100c5972cfc98902c86d4aa07f01d77996f530b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Myspace

Filesize
279KB

MD5
45108f1b179ba7bd675906cc128b06b3

SHA1
402e4283c1072d809980946eb865369c21618d33

SHA256
4c139ebf8c2cce2d49b0a5eb1cd81232704c306c9d9deb8cf04c5ab8548d1c1c

SHA512
2b0269f3f03bc8b6ca516f233fd3c04f88f09b5eeb5647b1c1a41ea19dd57f89e7f445f633b0add5ee813688b43d8219d2a04c6cde84ed415ea68d3628838eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nuts

Filesize
294KB

MD5
6250eba13a2fb0bc14e4d231975f8956

SHA1
13ae6967112d7de28e92487fadb01529dae84d6b

SHA256
815f188d75977f501075293f5c097027acc6d16c65aab16531215b928ecdc6cb

SHA512
e7637e1107a8894585b7ecfa244dd1915ce9c70018feae3901ded16d3004f91f09a557c44902de85d643228241fef29c0924bb64854500673676caac80f22c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Procedures

Filesize
271KB

MD5
378d530c8292ae16bdf437fc6ad3cccd

SHA1
f0a494a963ace8095b3c09a325939a589e15a751

SHA256
84b80735fde4b23f1ad4b5cc0604e320be1cbfb00efa1ab166889a5754069ec5

SHA512
3871039c22867e3e5713a738adaa8bb771bdf840d1eb9f0483ed6dc6fc5cede550ae4c4d8c4932e88ed26f4cafd94b223a40e9a569c5da84402dbb15087697f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reprints

Filesize
217KB

MD5
8549d92e27f42cc7c4efc1e767fce6c0

SHA1
1cf5d244c78f0e70bd3b5062c3f34ef11728c3c8

SHA256
a153e3a1a440d6bc120df050d8591251ad7e524b84f4b5c49d79a90eab886229

SHA512
5aaebc5414e4af9627fa4cc7a1d1e04e0d10708827b8fb22740d6ba5036fcd9ce0aa88dec8a92decaf5a01ad9d69d13b658a63d900d78b892c4d4a474b0bb2e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Robot

Filesize
16KB

MD5
73e4f8e2df5f641291c9e7251d134931

SHA1
a07ee85d7ae5656d334e10e7534eef16a00baefb

SHA256
1bc605b770d6e056888a37fded4e34efa7462e456aa6ac096d9a07960f3c1487

SHA512
825edeb4e973d69c7406c951a8e90f867e62c8a67eadab29ad95509cf59fc0fdf6295764405a89e226bfa2883d9029ef0b8ac7dde0c24e1d4eb32184abd74eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rr

Filesize
220KB

MD5
5ae88cb245426d371840302fc09524d3

SHA1
da44d20c2859f72406359fc3b1c57c477fc43722

SHA256
b5751288e4c9a409b59492a7813c0e150d9d139b547d835bbc34120d3eff5847

SHA512
6a00d12b4d2c539edbadda35e1c006ed31b4f55d3b4c1ec30e142d34941e678a1ff60a973ff6f777e58d5a31b80548f92a43092d2e93c93569fdfc20812529fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Salt

Filesize
291KB

MD5
e42cbe4fdf7f51216c4db5c60b054c43

SHA1
5245c2e64b46df840f4cac4726a4696747cf7a36

SHA256
f35d00e781959a7622a410a25631771c406ab966825de4cbc563459a148b683d

SHA512
53753641782ee075ac25a7b0222562a0ad9638001dc27db0a92afab6096a59e9c03210cbc5e7b899a82ec2d3fb1c11c5e0b4956f55d94df3b6e822061be34233

Download Submit
C:\Users\Admin\AppData\Local\Temp\Simultaneously

Filesize
268KB

MD5
fc88a8c580509ed23108dd3e0d06f451

SHA1
acec8710b5fcf62d72bedc84303284332fe24ccc

SHA256
6f1c91ab06cf98ef40cf4424558d78fd8db93a759296b18ada5f1f6eedd81ed6

SHA512
404a04e45ab94b5b468dea0aabd032838da6c19bd8e69dcfb43aba51afeca7ec1b2333178d3553e594f7ed875a4b07e1078b1e51e94dc587061e1bddf46f2553

Download Submit
C:\Users\Admin\AppData\Local\Temp\Usage

Filesize
24KB

MD5
08e03c17c517e38cd91a8dd5d2672ebd

SHA1
196e55e8ad1259ae529f693160e2af30de5c1832

SHA256
67e163a8bf73c0031ae05dd2b49623933c58275af2221daa76c3a45b61c64e9a

SHA512
c4c124179c5c334faf1fe400bd263caa3db0b9973243c089ee4fa7d06f68ab61ee34ccdd9deefe9d27d1a832be1462cb067baa6826d968d0e58275644e9ae9e9

Download Submit
memory/1212-37-0x00000000772F1000-0x0000000077411000-memory.dmp

Filesize
1.1MB

Download
memory/1212-39-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/4196-41-0x0000000001400000-0x0000000001543000-memory.dmp

Filesize
1.3MB

Download
memory/4196-42-0x0000000001400000-0x0000000001543000-memory.dmp

Filesize
1.3MB

Download
memory/4196-44-0x0000000001400000-0x0000000001543000-memory.dmp

Filesize
1.3MB

Download
memory/4196-45-0x0000000001400000-0x0000000001543000-memory.dmp

Filesize
1.3MB

Download
memory/4196-46-0x0000000001400000-0x0000000001543000-memory.dmp

Filesize
1.3MB

Download
memory/4196-47-0x0000000001400000-0x0000000001543000-memory.dmp

Filesize
1.3MB

Download