Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
23-05-2024 11:13
General
-
Target
X22-74224.exe
-
Size
3.7MB
-
MD5
133800da193dac14b538577b2a5f39d0
-
SHA1
7135c3dd93c43d9d323c16f4323eeaa28c415f6f
-
SHA256
27a49064bae3fbe92df2738884079f2214865f8fa2b84d21229f05ac1868928f
-
SHA512
bcf9d3b3528f63370e6da6364b8fbfda6044f3a430d4a51501d9cfb1d5103e687bcb59bdceb163af331bcb429980396844cf26d29aeba89ed79813fefb83408b
-
SSDEEP
98304:DNM0iKxRMIm/Ly4RYXAffiiIiQLAUUuQNnn02nj:DVxRc/W4YwfKHiQZT2j
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 21 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\X22-74224.exe"C:\Users\Admin\AppData\Local\Temp\X22-74224.exe"1⤵
- Modifies registry class
-
C:\Users\Admin\Desktop\setup.exe"C:\Users\Admin\Desktop\setup.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Checks system information in the registry
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb edit "C:\Users\Admin\Desktop\configuration-Office365-x64.xml"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE"C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "C:\Users\Admin\Desktop\configuration-Office365-x64.xml"2⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵
-
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb edit "C:\Users\Admin\Desktop\configuration-Office365-x86.xml"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE"C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "C:\Users\Admin\Desktop\configuration-Office365-x86.xml"2⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb edit "C:\Users\Admin\Desktop\configuration-Office2019Enterprise.xml"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE"C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "C:\Users\Admin\Desktop\configuration-Office2019Enterprise.xml"2⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb edit "C:\Users\Admin\Desktop\configuration-Office2021Enterprise.xml"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE"C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "C:\Users\Admin\Desktop\configuration-Office2021Enterprise.xml"2⤵
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD595201d9e44c732d9b261b4b334505d6b
SHA1d5f3f499ef27920d8a614152191a7e0c2f9c0264
SHA256baa9a89717f4013b2799bd06490c738246759ecdf7a3200406fad5a443e83669
SHA51215ddf637b642144dca99e2794cb4ca4d1dfa9d682e7eb42075d9b269dd5a479b5ea86017db142b599a3f022ebb695baf3691305ab17009060b4f64ddd7254282
-
Filesize
18KB
MD502882ad3f930ba7d577b570ce1e10d1a
SHA10f9d23f1fd9a759d7b5d85a4a94f9eaf5aed641e
SHA256ccd03d7fca50dc0e35426131038879a59f8a6c102a7543237182e1281678bad7
SHA5126e2d54a0501b793df66978cf27ca0c90b688d87cff0807ab90e351942d5893ac97739508b73edbfba257865219c29f8ca96adb3a60ad36e760932375519cf45f
-
Filesize
26B
MD5bd3457e50947d4280734e74b51b5b68d
SHA1424635c6b5622a6c01a59d290a1c9ab8e593effc
SHA25623d647979bc5dc186de5ba3e00a222a912ab8e4782eb6407efa70e29e95979f5
SHA512e83e3615a5e94af288eb1c9b92f55e271765cc43531ec94574371debf63c0c4a58327b6fd8a4775bfba8a3234220cb0396b6d33164309a09a1d826c0689143fb
-
Filesize
3B
MD521438ef4b9ad4fc266b6129a2f60de29
SHA15eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd
SHA25613bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354
SHA51237436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD5f78234922b70d03b04d1c1e94cdeebbd
SHA1cb83ade2e2158c4b72e8dd7bfeebf9dd666450d7
SHA256d4913b9e6faf2a5cd7db5956a305af45767d6675b110df4b6e11827a692929d2
SHA512222a831c6b91d99b104b2bef778eed909d78efeb4e1e099a11a4c047f0415806074b6fd2a87cc3ea4c16499a42e37b7f8c2d9566d2da07b6433f24e4698c58af
-
Filesize
1KB
MD5315eea2acb2f3d5a9235ee5a6be4a164
SHA1249ce4d4344326f2a23ebc0f9ee2119b5f896903
SHA256923230d7e183f8f7f3e65e67df35fa163dd41624af58c53d793907ffb0c09b76
SHA51205fea0eab49647031bcf772fbe7f87839a33aabbca84b6636574211d6847b86a9fcb7bdfbf325ae10f0278e4af92b0176d596ee6de378a1b804309bc027cbb21
-
Filesize
1014B
MD5544756964c06ed5dbf916041156d46d7
SHA1d4711855a764ab3d415f1d4e0baaeefc1d12440b
SHA2560f8008fdf8d54085c0e49d8424f3aae8886400ec52b6755233c642311839eef1
SHA5128a9b5ec7dfe296f029e510ccb12f2df66a428622feb152f2eb4110111f2e75a472b1a8db9c69bec7f6dc61b8f7289ee7c5f4243f35f9ac85350b5d1303d5f6f6
-
Filesize
1014B
MD5167a334ac1ab7528b4e2720699e04057
SHA17df519f7949450baa105d6636b2440813d51888a
SHA2562665660837107a692a78c04e3926d2be8c48ca111099148e987527d0bf6b082d
SHA5124498a57731a293594cbc84ac9e4aea1dcef7b4c0c34f5d07c37609c4ed1c1fd5a2764de945fb838ee97cef08ab9e195a2fd23f80a560e6443809c123fa810077
-
Filesize
7.1MB
MD5567a4c265f3d910221c2769e5964c2fb
SHA151456f884f115154673ef6a95a8eb3e3ce1d3108
SHA2566cfc00d087f4d23ac0478cb8da29935f11a7c70dae5240da7455df48b629356b
SHA512232010a8179eaa7b64dba62910bee8c79a0bbce4e5ae87092c65ef722b2065168f45e8196e0827717eb84fe5f9ea5dc6f251133f8f0075efef6e75ec294feac8
-
Filesize
304KB
-
Filesize
152KB
-
Filesize
304KB
-
Filesize
652KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
88KB
-
Filesize
40KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB