Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-05-2024 09:20
- Static task: static1
- Behavioral task: behavioral1
- Sample: PO-B1120017228.exe
- Resource: win7-20240221-en
General
- Target: PO-B1120017228.exe
- Size: 256KB
- MD5: 8c810e18058e24ff54a30a44e040569a
- SHA1: b0329f16013e786898cd75c101565fa70850be03
- SHA256: 0e07d406f33fbf19219ea60e644cfd634fc8c934508bb608a6a1a3f13db1cc5a
- SHA512: f9beeaf52b85d01596382b2d5a64922332fea7f4894c24eeeae45ad07ba80cd70800a81e29f13922accc1d922b0ba56e8456a24bd03f0f1e51c623f2cc6726e1
- SSDEEP: 6144:PZJR0bf1uc1p4wp/vNClO74ahHmJGhygfke7WLSaRnG:hiD1pR/Vv74aJygfkeSLv
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Process: PO-B1120017228.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation
- Drops startup file (1 IoC)
  Process: PO-B1120017228.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe.lnk
- Executes dropped EXE (1 IoC)
  Process: tmp.exe (PID 4580)
- Checks whether UAC is enabled (1 IoC)
  Process: PO-B1120017228.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Drops desktop.ini file(s) (2 IoCs)
  Process: PO-B1120017228.exe
  File opened for modification: C:\Windows\assembly\Desktop.ini
  File created: C:\Windows\assembly\Desktop.ini
- Suspicious use of SetThreadContext (1 IoC)
  PID 4268 (PO-B1120017228.exe) set thread context of PID 4324 (PO-B1120017228.exe)
- Drops file in Windows directory (3 IoCs)
  Process: PO-B1120017228.exe
  File opened for modification: C:\Windows\assembly\Desktop.ini
  File opened for modification: C:\Windows\assembly
  File created: C:\Windows\assembly\Desktop.ini
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoC)
  Process: timeout.exe (PID 4108)
- NTFS ADS (1 IoC)
  Process: cmd.exe
  File created: C:\Users\Admin\AppData\Roaming\winlogon\winlogon.exe:Zone.Identifier
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes: PO-B1120017228.exe (PID 4268, 4 events), PO-B1120017228.exe (PID 4324, 3 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: PO-B1120017228.exe (PID 4324)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  PID 4268 (PO-B1120017228.exe): Token SeDebugPrivilege
  PID 4268 (PO-B1120017228.exe): Token 33
  PID 4268 (PO-B1120017228.exe): Token SeIncBasePriorityPrivilege
  PID 4324 (PO-B1120017228.exe): Token SeDebugPrivilege
- Suspicious use of WriteProcessMemory (25 IoCs)
  PID 4268 (PO-B1120017228.exe) wrote to memory of PID 3204 (cmd.exe): 3 events
  PID 3204 (cmd.exe) wrote to memory of PID 3252 (reg.exe): 3 events
  PID 4268 (PO-B1120017228.exe) wrote to memory of PID 4580 (tmp.exe): 2 events
  PID 4268 (PO-B1120017228.exe) wrote to memory of PID 4324 (PO-B1120017228.exe): 8 events
  PID 4268 (PO-B1120017228.exe) wrote to memory of PID 4392 (cmd.exe): 3 events
  PID 4324 (PO-B1120017228.exe) wrote to memory of PID 3492 (schtasks.exe): 3 events
  PID 4392 (cmd.exe) wrote to memory of PID 4108 (timeout.exe): 3 events
Processes
- C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe (PID 4268)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe"
  Signatures: Checks computer location settings; Drops startup file; Drops desktop.ini file(s); Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 3204)
    Command line: "cmd.exe"
    Signatures: NTFS ADS; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 3252)
      Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon\winlogon.exe.lnk" /f
  - C:\Users\Admin\AppData\Roaming\tmp.exe (PID 4580)
    Command line: "C:\Users\Admin\AppData\Roaming\tmp.exe"
    Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe (PID 4324)
    Command line: "C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe"
    Signatures: Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 3492)
      Command line: "schtasks.exe" /create /f /tn "DHCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6C95.tmp"
      Signatures: Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (PID 4392)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\winlogon\winlogon.exe.bat
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe (PID 4108)
      Command line: timeout /t 300
      Signatures: Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads