Analysis
-
max time kernel
241s -
max time network
243s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
18-05-2024 14:42
Errors
General
-
Target
7lk7vT1.exe
-
Size
119KB
-
MD5
f548ca220d471a524cb1c7d8ff613721
-
SHA1
3040c8945b16a58f44dd4f1ae5a7b0faf61b405e
-
SHA256
5d0be378578617a2264e822d1b4424d71e8fa3e8dad60b30af614b173682880b
-
SHA512
b1ea254c1ab6c3983cdb906f39403da5b342fed1836b14b4654a0e25dcae274edc517e30ec66fefbeb6f511b89e869a4d785098896bf55eac36108c79494c158
-
SSDEEP
3072:BKUpvwYGqOcW7gabRq15QWXzCrAZu8Gq:MIWMabAL
Malware Config
Extracted
toxiceye
https://api.telegram.org/bot6444357834:AAGtL3te5_xl4dvacn8BJElHrky5SlLcE_4/sendMessage?chat_id=5974265372
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation 7lk7vT1.exe Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation RTGManager.exe -
Executes dropped EXE 1 IoCs
pid Process 2340 RTGManager.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3380 schtasks.exe 3652 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2000 timeout.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 4816 tasklist.exe -
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "137" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2340 RTGManager.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe 2340 RTGManager.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 244 7lk7vT1.exe Token: SeDebugPrivilege 4816 tasklist.exe Token: SeDebugPrivilege 2340 RTGManager.exe Token: SeDebugPrivilege 2340 RTGManager.exe Token: 33 2252 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 2252 AUDIODG.EXE Token: SeShutdownPrivilege 2660 shutdown.exe Token: SeRemoteShutdownPrivilege 2660 shutdown.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2340 RTGManager.exe 3200 LogonUI.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 244 wrote to memory of 3380 244 7lk7vT1.exe 96 PID 244 wrote to memory of 3380 244 7lk7vT1.exe 96 PID 244 wrote to memory of 3660 244 7lk7vT1.exe 98 PID 244 wrote to memory of 3660 244 7lk7vT1.exe 98 PID 3660 wrote to memory of 4816 3660 cmd.exe 100 PID 3660 wrote to memory of 4816 3660 cmd.exe 100 PID 3660 wrote to memory of 2044 3660 cmd.exe 101 PID 3660 wrote to memory of 2044 3660 cmd.exe 101 PID 3660 wrote to memory of 2000 3660 cmd.exe 102 PID 3660 wrote to memory of 2000 3660 cmd.exe 102 PID 3660 wrote to memory of 2340 3660 cmd.exe 106 PID 3660 wrote to memory of 2340 3660 cmd.exe 106 PID 2340 wrote to memory of 3652 2340 RTGManager.exe 109 PID 2340 wrote to memory of 3652 2340 RTGManager.exe 109 PID 2340 wrote to memory of 2660 2340 RTGManager.exe 127 PID 2340 wrote to memory of 2660 2340 RTGManager.exe 127 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7lk7vT1.exe"C:\Users\Admin\AppData\Local\Temp\7lk7vT1.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:244 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Sh1zo\RTGManager.exe"2⤵
- Creates scheduled task(s)
PID:3380
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpF2CC.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpF2CC.tmp.bat2⤵
- Suspicious use of WriteProcessMemory
PID:3660 -
C:\Windows\system32\tasklist.exeTasklist /fi "PID eq 244"3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4816
-
-
C:\Windows\system32\find.exefind ":"3⤵PID:2044
-
-
C:\Windows\system32\timeout.exeTimeout /T 1 /Nobreak3⤵
- Delays execution with timeout.exe
PID:2000
-
-
C:\Users\Sh1zo\RTGManager.exe"RTGManager.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Sh1zo\RTGManager.exe"4⤵
- Creates scheduled task(s)
PID:3652
-
-
C:\Windows\System32\shutdown.exe"C:\Windows\System32\shutdown.exe" /s /t 04⤵
- Suspicious use of AdjustPrivilegeToken
PID:2660
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3608,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=4336 /prefetch:81⤵PID:1620
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4f8 0x2d01⤵
- Suspicious use of AdjustPrivilegeToken
PID:2252
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa38cf855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3200
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
187B
MD505104aa5377bd195ae88b02dcaaca11c
SHA133912e0fb389d1912bf55b03cf5a0b9a038052bc
SHA256305577933b11f0e74fe2a604023e722027320d48052b14fb39ddf3bc594215e7
SHA512b6169f81e5f873288ba0f4a71d651a8b66648d94c2b1f60b8e3c417e04f9205c7d9d0f2ee1f4e2e29c232b0108262aab1b51e0f0345b2c344bc91c70ab0b1812
-
Filesize
119KB
MD5f548ca220d471a524cb1c7d8ff613721
SHA13040c8945b16a58f44dd4f1ae5a7b0faf61b405e
SHA2565d0be378578617a2264e822d1b4424d71e8fa3e8dad60b30af614b173682880b
SHA512b1ea254c1ab6c3983cdb906f39403da5b342fed1836b14b4654a0e25dcae274edc517e30ec66fefbeb6f511b89e869a4d785098896bf55eac36108c79494c158