Analysis
- max time kernel: 108s
- max time network: 125s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-04-2024 23:45
Behavioral task: behavioral1
- Sample: Contract for collaboration.pdf.exe
- Resource: win10v2004-20240412-en
Behavioral task: behavioral2
- Sample: Promotion video from Spotify.mp4.scr
- Resource: win10v2004-20240412-en
General
- Target: Promotion video from Spotify.mp4.scr
- Size: 274.0MB
- MD5: e14930dfee63889484336400c2ab909c
- SHA1: 29bbe527926d1347bb866112c3f350f8faf57669
- SHA256: 16583f2195d27d6f02d583815c4323390e0c0c14e1b6ad7a05232253ee2a2bb0
- SHA512: 1b45c8ce425485638713468c4702fc2a642e5e0d563814d3ae62d8bcd539661a960b9dba707cf0609eccb3dd028730713624993cf19eb0fef84cb2e891c4ba26
- SSDEEP: 384:m2rP+4GNW6oBohNW6xt/ssMjLeTI6Kw418lfFdFZr1AFrVPCk:m2y4GM66uNWJJG41ettOT6k
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes:
    description         ioc                                                                                                   process
    Key value queried   \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation   Promotion video from Spotify.mp4.scr
- Obfuscated with Agile.Net obfuscator (2 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control-flow obfuscation.
  Processes:
    resource                                                                     yara_rule
    behavioral2/memory/2352-0-0x0000000000D00000-0x0000000000D0C000-memory.dmp   agile_net
    behavioral2/memory/2352-2-0x0000000005640000-0x0000000005650000-memory.dmp   agile_net
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes:
    pid    pid_target   process        target process
    1988   2352         WerFault.exe   Promotion video from Spotify.mp4.scr
- Delays execution with timeout.exe (1 IoC)
  Processes:
    pid    process
    2424   timeout.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid    process
    4972   powershell.exe
    4972   powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description               pid    process
    Token: SeDebugPrivilege   2352   Promotion video from Spotify.mp4.scr
    Token: SeDebugPrivilege   4972   powershell.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                         pid    process                                target process
    PID 2352 wrote to memory of 4972    2352   Promotion video from Spotify.mp4.scr   powershell.exe
    PID 2352 wrote to memory of 4972    2352   Promotion video from Spotify.mp4.scr   powershell.exe
    PID 2352 wrote to memory of 4972    2352   Promotion video from Spotify.mp4.scr   powershell.exe
    PID 4972 wrote to memory of 2596    4972   powershell.exe                         cmd.exe
    PID 4972 wrote to memory of 2596    4972   powershell.exe                         cmd.exe
    PID 4972 wrote to memory of 2596    4972   powershell.exe                         cmd.exe
    PID 2596 wrote to memory of 2424    2596   cmd.exe                                timeout.exe
    PID 2596 wrote to memory of 2424    2596   cmd.exe                                timeout.exe
    PID 2596 wrote to memory of 2424    2596   cmd.exe                                timeout.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Promotion video from Spotify.mp4.scr
  command line: "C:\Users\Admin\AppData\Local\Temp\Promotion video from Spotify.mp4.scr" /S
  PID: 2352
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd /c timeout 20
    PID: 4972
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c timeout 20
      PID: 2596
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\timeout.exe
        command line: timeout 20
        PID: 2424
        - Delays execution with timeout.exe
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 1772
    PID: 1988
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2352 -ip 2352
  PID: 4644
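The behaviours flagged in this report (a decoy double extension on the sample name, the Geo\Nation registry lookup used as a geofence check, SeDebugPrivilege acquired by a binary outside the Windows directory, and a sandbox-evasion delay via a powershell -> cmd -> timeout chain) are easy to turn into hunting logic. The following Python is an added example, not part of the sandbox report: it runs a few such rules over a constructed set of process-creation events modelled on the process tree above. The event field names, the ProcEvent record shape and the parent PID 3001 assigned to the sample are assumptions; the PIDs, images, command lines and registry path are taken from the report. Note that the sample crashed (WerFault -p 2352) after spawning the delay chain, so only pre-crash behaviour is available to detect.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class ProcEvent:
    """One process-creation record (Sysmon event 1 style); field layout is an assumption."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    privileges: Set[str] = field(default_factory=set)
    reg_queries: List[str] = field(default_factory=list)

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DECOY_EXT = {".pdf", ".mp4", ".doc", ".docx", ".xls", ".jpg", ".png", ".txt"}
GEO_NATION_SUFFIX = r"\control panel\international\geo\nation"

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def has_decoy_double_extension(image: str) -> bool:
    """True for names like 'video.mp4.scr': a document/media extension followed by an executable one."""
    parts = basename(image).lower().split(".")
    return len(parts) >= 3 and "." + parts[-1] in EXEC_EXT and "." + parts[-2] in DECOY_EXT

def queries_geo_nation(ev: ProcEvent) -> bool:
    """The Geo\\Nation value holds the user's configured country; reading it is a common geofence probe."""
    return any(q.lower().endswith(GEO_NATION_SUFFIX) for q in ev.reg_queries)

def timeout_seconds(cmdline: str) -> Optional[int]:
    """Extract the delay from 'timeout 20' or 'timeout /t 20'."""
    m = re.search(r"\btimeout(?:\.exe)?\s+(?:/t\s+)?(\d+)", cmdline, re.I)
    return int(m.group(1)) if m else None

def ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Walk parent links upward; stops at unknown PIDs and guards against cycles."""
    chain, cur, seen = [], ev, set()
    while cur.ppid in by_pid and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = by_pid[cur.ppid]
        chain.append(cur)
    return chain

def detect(events: List[ProcEvent]) -> List[dict]:
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if has_decoy_double_extension(ev.image):
            findings.append({"rule": "decoy_double_extension", "pid": ev.pid, "detail": basename(ev.image)})
        if queries_geo_nation(ev):
            findings.append({"rule": "geo_nation_lookup", "pid": ev.pid, "detail": "Geo\\Nation queried"})
        if "SeDebugPrivilege" in ev.privileges and not ev.image.lower().startswith("c:\\windows\\"):
            findings.append({"rule": "sedebug_from_user_path", "pid": ev.pid, "detail": ev.image})
        if basename(ev.image).lower() == "timeout.exe":
            chain = ancestry(ev, by_pid)
            if chain and "powershell.exe" in [basename(a.image).lower() for a in chain]:
                # Attribute the delay to the root of the chain, i.e. the process that started the evasion.
                findings.append({"rule": "timeout_delay_via_powershell", "pid": chain[-1].pid,
                                 "detail": f"{timeout_seconds(ev.cmdline)}s delay"})
    return findings

# Constructed events mirroring the report's process tree (parent PID 3001 of the sample is assumed).
SAMPLE_EVENTS = [
    ProcEvent(2352, 3001, r"C:\Users\Admin\AppData\Local\Temp\Promotion video from Spotify.mp4.scr",
              r'"C:\Users\Admin\AppData\Local\Temp\Promotion video from Spotify.mp4.scr" /S',
              {"SeDebugPrivilege"},
              [r"\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation"]),
    ProcEvent(4972, 2352, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd /c timeout 20', {"SeDebugPrivilege"}),
    ProcEvent(2596, 4972, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\system32\cmd.exe" /c timeout 20'),
    ProcEvent(2424, 2596, r"C:\Windows\SysWOW64\timeout.exe", "timeout 20"),
    ProcEvent(1988, 2352, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 1772"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['rule']:32} pid={f['pid']:<6} {f['detail']}")
```

All four rules fire on PID 2352 only: powershell.exe also holds SeDebugPrivilege here, but it lives under C:\Windows and is not flagged by the user-path rule, which keeps that rule quiet on legitimate admin tooling. The timeout rule deliberately walks the ancestry instead of matching cmd.exe as the direct parent, so an extra hop (a second cmd, conhost, a renamed launcher) does not break it.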
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82