Overview

overview

8

Static

static

3

5c8c4357da...d2.exe

windows7-x64

7

5c8c4357da...d2.exe

windows10-2004-x64

8

Resubmissions

11/04/2024, 07:03

240411-hvc6nsec43 8

11/04/2024, 06:53

240411-hnmrjahb6x 8

11/04/2024, 06:53

240411-hnl51ahb6w 8

11/04/2024, 06:53

240411-hnljgahb6t 8

11/04/2024, 06:52

240411-hnk8pshb6s 8

07/04/2024, 08:41

240407-klez1shb5t 8

07/04/2024, 08:40

240407-kk9s1ahe89 8

07/04/2024, 08:40

240407-kk3ppahe86 8

07/04/2024, 08:40

240407-kkxhnshe82 8

07/04/2024, 08:27

240407-kcrx8agh5v 8

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/04/2024, 08:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5c8c4357da5f3293b60e805e947e25d2.exe

  • Size

    5.3MB

  • MD5

    5c8c4357da5f3293b60e805e947e25d2

  • SHA1

    428892c52f224692b3203563115278e150021560

  • SHA256

    0a8595501ceb2f0966de998f1c52f690dcb84c6e6737da8e2edd52ca5a246b02

  • SHA512

    889c2efa0a4efc8403493c83c87fc52ac31735f84f4a50576f30b05ad12a9668bc5ed06372a8af54e794731423bd9e92a80798bccee4987921ff272612e017db

  • SSDEEP

    98304:t5UNhjBIapm1m/41UX7V7pRn9FicKYVTaSVe330Gx3QtzWrTUhX/7IIYMytPvZK4:zUTjHflWISkG6d/dyJZKGqh0Ubx

Score
8/10
evasion

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\5c8c4357da5f3293b60e805e947e25d2.exe
    "C:\Users\Admin\AppData\Local\Temp\5c8c4357da5f3293b60e805e947e25d2.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2892
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2740
    • C:\Windows\SYSTEM32\schtasks.exe
      schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
      2⤵
      • Creates scheduled task(s)
      PID:4364
    • C:\Windows\System\svchost.exe
      "C:\Windows\System\svchost.exe" formal
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4372
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4416
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1128
      • C:\Users\Admin\AppData\Local\Temp\~tlECCC.tmp
        C:\Users\Admin\AppData\Local\Temp\~tlECCC.tmp
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1972
        • C:\Windows\SYSTEM32\netsh.exe
          netsh int ipv4 set dynamicport tcp start=1025 num=64511
          4⤵
            PID:4572
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
            4⤵
            • Modifies Windows Firewall
            PID:1772
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
            4⤵
            • Modifies Windows Firewall
            PID:3736
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2384
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2520
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /delete /TN "Timer"
            4⤵
              PID:1460
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
              4⤵
              • Creates scheduled task(s)
              PID:4908
            • C:\Windows\System\svchost.exe
              "C:\Windows\System\svchost.exe" formal
              4⤵
              • Executes dropped EXE
              PID:4080

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        d65ebc84c6b0b52901fb46f5e2b83ab5

        SHA1

        d036a0c3eb9e1616d0f7f5ca41171060c13a3095

        SHA256

        d45581b0807a0d04a70ec75e3e4575e73f148e5b4e0d3d325dfbd6400a4bfbd1

        SHA512

        88ac232e7702ebd53788cf8429d266ae367111bfccf4bc9d40ead25b552347521458ca60d320e2775b5d2edcaf8501251cb2db68b38dc000ac50463fb80865be

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        77d622bb1a5b250869a3238b9bc1402b

        SHA1

        d47f4003c2554b9dfc4c16f22460b331886b191b

        SHA256

        f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

        SHA512

        d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        be5e63276ed49ce1e4d8e6f8c722cf8e

        SHA1

        373143c33712bd6133ea7685124fa137c6b28baa

        SHA256

        39d1c27849a93fe087564c8cecd773ffc6a9b965c554094f3b99ce7f54afb1c1

        SHA512

        825d8d09b455752f9e850495e58d6dc5a7d1ebfd6c02796f452b92c77f67d65c87567d9be1e955e91d6432b95cfd4e6193223a6930453ae2f93c12cae86886f6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qjgqc0en.5iu.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\~tlECCC.tmp
        Filesize

        385KB

        MD5

        e802c96760e48c5139995ffb2d891f90

        SHA1

        bba3d278c0eb1094a26e5d2f4c099ad685371578

        SHA256

        cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

        SHA512

        97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

        Download Submit

      • C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
        Filesize

        2.6MB

        MD5

        dfa55fd7926aaa64e863aef6e728410e

        SHA1

        b74f5e363e6aa070d85ef986d9905f1f5435f200

        SHA256

        04415cf26f3bdcc2c7aede2881ec215acae7696e001b19b18c8f0afd9800bcab

        SHA512

        abbf86bcc8eb0c169c2e278bc6f694ac80a69b32fd99aaf1fc2a6669414694322e08a8371b1c39dd25d777535e075ad3a1aed47c9dbc3ca3e05b643153e35313

        Download Submit

      • C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
        Filesize

        18.2MB

        MD5

        f1d296a685838ab457b9460775a97b5e

        SHA1

        60c07e8ddd37da19a148c700099fc94f2b708648

        SHA256

        9398b48d4c2db6760de40bfa7a37190283f666676ddd1770612c74c155250d50

        SHA512

        6c2f2f455e6423767bfd235d27177e975f335cf76d4cec1ab08ecd692adc1e1f8ffebde5fd2d101a9f9235ac5c6f33c0952e712c857caf027b32dbcb064aa184

        Download Submit

      • C:\Windows\System\svchost.exe
        Filesize

        5.3MB

        MD5

        5c8c4357da5f3293b60e805e947e25d2

        SHA1

        428892c52f224692b3203563115278e150021560

        SHA256

        0a8595501ceb2f0966de998f1c52f690dcb84c6e6737da8e2edd52ca5a246b02

        SHA512

        889c2efa0a4efc8403493c83c87fc52ac31735f84f4a50576f30b05ad12a9668bc5ed06372a8af54e794731423bd9e92a80798bccee4987921ff272612e017db

        Download Submit

      • memory/1128-85-0x00007FFBCAAC0000-0x00007FFBCB581000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1128-77-0x00007FFBCAAC0000-0x00007FFBCB581000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1128-80-0x0000024E6E1E0000-0x0000024E6E1F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1128-79-0x0000024E6E1E0000-0x0000024E6E1F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1972-136-0x0000000140000000-0x000000014015E400-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/1972-133-0x0000000140000000-0x000000014015E400-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/1972-137-0x0000000140000000-0x000000014015E400-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/1972-138-0x0000000140000000-0x000000014015E400-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/1972-135-0x0000000140000000-0x000000014015E400-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/1972-181-0x0000000140000000-0x000000014015E400-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/2384-139-0x00007FFBCC6A0000-0x00007FFBCD161000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2384-164-0x00007FFBCC6A0000-0x00007FFBCD161000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2384-141-0x000001F5D3AB0000-0x000001F5D3AC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2384-140-0x000001F5D3AB0000-0x000001F5D3AC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2520-153-0x0000024F9C6B0000-0x0000024F9C6C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2520-167-0x00007FFBCC6A0000-0x00007FFBCD161000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2520-152-0x00007FFBCC6A0000-0x00007FFBCD161000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2740-26-0x00007FFBCAAC0000-0x00007FFBCB581000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2740-27-0x00000272541A0000-0x00000272541B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2740-12-0x0000027254170000-0x0000027254192000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2740-38-0x00007FFBCAAC0000-0x00007FFBCB581000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2740-28-0x00000272541A0000-0x00000272541B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2892-37-0x00007FFBCAAC0000-0x00007FFBCB581000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2892-30-0x0000019B8D540000-0x0000019B8D550000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2892-29-0x0000019B8D540000-0x0000019B8D550000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2892-31-0x00007FFBCAAC0000-0x00007FFBCB581000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2916-5-0x0000000140000000-0x0000000140644400-memory.dmp

        Filesize

        6.3MB

        Download

      • memory/2916-3-0x0000000140000000-0x0000000140644400-memory.dmp

        Filesize

        6.3MB

        Download

      • memory/2916-49-0x0000000140000000-0x0000000140644400-memory.dmp

        Filesize

        6.3MB

        Download

      • memory/2916-4-0x0000000140000000-0x0000000140644400-memory.dmp

        Filesize

        6.3MB

        Download

      • memory/2916-0-0x0000000140000000-0x0000000140644400-memory.dmp

        Filesize

        6.3MB

        Download

      • memory/4080-182-0x0000000140000000-0x000000014015E400-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/4080-180-0x0000000140000000-0x000000014015E400-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/4080-179-0x0000000140000000-0x000000014015E400-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/4372-86-0x000000000A540000-0x000000000AA3C000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/4372-54-0x0000000140000000-0x0000000140644400-memory.dmp

        Filesize

        6.3MB

        Download

      • memory/4372-126-0x0000000140000000-0x0000000140644400-memory.dmp

        Filesize

        6.3MB

        Download

      • memory/4372-127-0x0000000140000000-0x0000000140644400-memory.dmp

        Filesize

        6.3MB

        Download

      • memory/4372-134-0x0000000140000000-0x0000000140644400-memory.dmp

        Filesize

        6.3MB

        Download

      • memory/4416-76-0x0000019520750000-0x0000019520760000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4416-75-0x00007FFBCAAC0000-0x00007FFBCB581000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4416-78-0x0000019520750000-0x0000019520760000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4416-82-0x00007FFBCAAC0000-0x00007FFBCB581000-memory.dmp

        Filesize

        10.8MB

        Download