Resubmissions
12-04-2024 14:13
240412-rjrz5aba72 812-04-2024 14:12
240412-rh8aqaba68 712-04-2024 14:05
240412-rd9mzsea7x 812-04-2024 14:05
240412-rd82fsea7v 812-04-2024 14:05
240412-rd8exsea7t 809-04-2024 07:05
240409-hws9aacd6z 809-04-2024 07:05
240409-hwljfacd6x 809-04-2024 07:04
240409-hwbz1acd6t 809-04-2024 07:03
240409-hvcvxacd3y 815-01-2024 20:15
240115-y1q8gsfdf2 7Analysis
-
max time kernel
580s -
max time network
601s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
09-04-2024 07:04
General
-
Target
tmp.exe
-
Size
9.4MB
-
MD5
db3edf03a8a2c8e96fe2d2deaaec76ff
-
SHA1
2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1
-
SHA256
a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60
-
SHA512
121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135
-
SSDEEP
98304:kT2OhoLUWeKqyubAguIYylB9RK0RU4lFp887VO0J/yLaeWwGvJldmxe:VOE/IYypvU4loRpK
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 8 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /TN "Timer"2⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM2⤵
- Creates scheduled task(s)
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD562623d22bd9e037191765d5083ce16a3
SHA14a07da6872672f715a4780513d95ed8ddeefd259
SHA25695d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA5129a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992
-
Filesize
944B
MD5ea89d89bb68741a1b919ece06a6ac4fa
SHA16929525e943c1f56d7fb0687aa4eb257a4e05867
SHA2564a2aef0e425b133c6147fff146dc8e82d40bb618c9cf0c3c57446e6109ab7040
SHA5125dd670823f70ee35bde79257a98a941f8e9b83521e3140ac48a814c2b7787ce96355a842fce961ab2770197c1a84cacf3c173c2de0c5bc5060adf9c884be4b87
-
Filesize
944B
MD5caae66b2d6030f85188e48e4ea3a9fa6
SHA1108425bd97144fa0f92ff7b2109fec293d14a461
SHA256a6c642eaf80247e9682be60ab5ae9ece4d042af56013d164d8047b6fd1aefa1d
SHA512189119a2390e51a49ea0fb8ad1427279cc2bf85f220f3212957c50b33387623b42ab7736fb5a717757b5c4b99c570e7ed2e5e6a578424aafb5c126cdf129ea15
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
9.4MB
MD5db3edf03a8a2c8e96fe2d2deaaec76ff
SHA12d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1
SHA256a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60
SHA512121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.4MB
-
Filesize
10.4MB
-
Filesize
10.4MB
-
Filesize
10.4MB
-
Filesize
10.4MB
-
Filesize
10.4MB
-
Filesize
10.4MB
-
Filesize
10.4MB
-
Filesize
10.4MB
-
Filesize
10.4MB
-
Filesize
10.4MB
-
Filesize
7.1MB
-
Filesize
10.4MB
-
Filesize
10.4MB