Resubmissions
12-04-2024 14:13
240412-rjrz5aba72 812-04-2024 14:12
240412-rh8aqaba68 712-04-2024 14:05
240412-rd9mzsea7x 812-04-2024 14:05
240412-rd82fsea7v 812-04-2024 14:05
240412-rd8exsea7t 809-04-2024 07:05
240409-hws9aacd6z 809-04-2024 07:05
240409-hwljfacd6x 809-04-2024 07:04
240409-hwbz1acd6t 809-04-2024 07:03
240409-hvcvxacd3y 815-01-2024 20:15
240115-y1q8gsfdf2 7Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
12-04-2024 14:12
General
-
Target
tmp.exe
-
Size
9.4MB
-
MD5
db3edf03a8a2c8e96fe2d2deaaec76ff
-
SHA1
2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1
-
SHA256
a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60
-
SHA512
121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135
-
SSDEEP
98304:kT2OhoLUWeKqyubAguIYylB9RK0RU4lFp887VO0J/yLaeWwGvJldmxe:VOE/IYypvU4loRpK
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /TN "Timer"2⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM2⤵
- Creates scheduled task(s)
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD52bb005f08e40b9d8c31f1c09da44565d
SHA18a7097ecaeca704b6d653bfedea449cfbe79072f
SHA256d7c96f73a5074bd88297839f5e749996eb91510490acd18d16edd5751f087943
SHA5123da328cd8050288fcd5e9545812f5b0767aa9c19674d6f6f5dc35e92d436b2690056018910ff5a90f33c1f6d9602c70a256637d52498f1794efc8617fea6cbe3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD534f595487e6bfd1d11c7de88ee50356a
SHA14caad088c15766cc0fa1f42009260e9a02f953bb
SHA2560f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d
SHA51210976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ttozi4eh.h2g.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Windows\System\svchost.exeFilesize
9.4MB
MD5db3edf03a8a2c8e96fe2d2deaaec76ff
SHA12d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1
SHA256a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60
SHA512121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135
-
memory/696-83-0x0000000180000000-0x000000018070E000-memory.dmpFilesize
7.1MB
-
memory/696-52-0x0000000140000000-0x0000000140A64400-memory.dmpFilesize
10.4MB
-
memory/696-49-0x0000000140000000-0x0000000140A64400-memory.dmpFilesize
10.4MB
-
memory/808-37-0x00007FFE34B50000-0x00007FFE35611000-memory.dmpFilesize
10.8MB
-
memory/808-23-0x00007FFE34B50000-0x00007FFE35611000-memory.dmpFilesize
10.8MB
-
memory/808-24-0x00000265E7AC0000-0x00000265E7AD0000-memory.dmpFilesize
64KB
-
memory/808-34-0x00000265E7AC0000-0x00000265E7AD0000-memory.dmpFilesize
64KB
-
memory/1316-53-0x00007FFE34B50000-0x00007FFE35611000-memory.dmpFilesize
10.8MB
-
memory/1316-68-0x00007FFE34B50000-0x00007FFE35611000-memory.dmpFilesize
10.8MB
-
memory/1316-66-0x00000154187C0000-0x00000154187D0000-memory.dmpFilesize
64KB
-
memory/1316-54-0x00000154187C0000-0x00000154187D0000-memory.dmpFilesize
64KB
-
memory/1316-55-0x00000154187C0000-0x00000154187D0000-memory.dmpFilesize
64KB
-
memory/1556-50-0x0000000140000000-0x0000000140A64400-memory.dmpFilesize
10.4MB
-
memory/1556-3-0x0000000140000000-0x0000000140A64400-memory.dmpFilesize
10.4MB
-
memory/1556-2-0x0000000140000000-0x0000000140A64400-memory.dmpFilesize
10.4MB
-
memory/1556-4-0x0000000140000000-0x0000000140A64400-memory.dmpFilesize
10.4MB
-
memory/1556-1-0x0000000140000000-0x0000000140A64400-memory.dmpFilesize
10.4MB
-
memory/1556-0-0x0000000140000000-0x0000000140A64400-memory.dmpFilesize
10.4MB
-
memory/1556-8-0x0000000140000000-0x0000000140A64400-memory.dmpFilesize
10.4MB
-
memory/2148-70-0x000002627A650000-0x000002627A660000-memory.dmpFilesize
64KB
-
memory/2148-69-0x00007FFE34B50000-0x00007FFE35611000-memory.dmpFilesize
10.8MB
-
memory/2148-82-0x00007FFE34B50000-0x00007FFE35611000-memory.dmpFilesize
10.8MB
-
memory/4848-22-0x00007FFE34B50000-0x00007FFE35611000-memory.dmpFilesize
10.8MB
-
memory/4848-19-0x0000013A799E0000-0x0000013A799F0000-memory.dmpFilesize
64KB
-
memory/4848-18-0x00007FFE34B50000-0x00007FFE35611000-memory.dmpFilesize
10.8MB
-
memory/4848-7-0x0000013A7BA90000-0x0000013A7BAB2000-memory.dmpFilesize
136KB
-
memory/4848-20-0x0000013A799E0000-0x0000013A799F0000-memory.dmpFilesize
64KB