Resubmissions

  • 30/07/2024, 06:44  240730-hhpnyayhrd 10
  • 27/05/2024, 14:12  240527-rh1wmsgc52 10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/05/2024, 14:12

General

  • Target: 7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe
  • Size: 2.0MB
  • MD5: 20d1a291ba22e0d37ba1c9ef7c4f2a8e
  • SHA1: 977deb9b18a8599aac68cfd86fd95219a54fc8c4
  • SHA256: 7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a
  • SHA512: 662369dcf70c1abe0142a139f950df672d62b3dbda910a804b6ef6a76280fa543aba4d1a9e52bea1584cdc0c674110b7a11fb0948be82e27c77e92b465f16d42
  • SSDEEP: 24576:2y2KxiKAGfq78Qh7zCIU1D6hynUlAqFzATZAguEkVm2nc6DKcPGsiSbBydwBFrUm:2K1WlU1D6hk8RFzAZ5+m21Kc+sPbVT

Signatures

  • Modifies WinLogon for persistence 2 TTPs 5 IoCs
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 10 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe
    "C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe"
    depth: 1
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1512
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gtbqvaux\gtbqvaux.cmdline"
      depth: 2
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4188
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E32.tmp" "c:\Windows\System32\CSC3FA59D6F4674283A142CBCBDF86EAD8.TMP"
        depth: 3
        PID:5012
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bFI9bmS0b9.bat"
      depth: 2
      • Suspicious use of WriteProcessMemory
      PID:4516
      • C:\Windows\system32\chcp.com
        chcp 65001
        depth: 3
        PID:212
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        depth: 3
        PID:5108
      • C:\Program Files (x86)\Reference Assemblies\Microsoft\SearchApp.exe
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\SearchApp.exe"
        depth: 3
        • Executes dropped EXE
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2504
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "BackgroundTransferHostB" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\ja-JP\BackgroundTransferHost.exe'" /f
    depth: 1
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3096
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "BackgroundTransferHost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\BackgroundTransferHost.exe'" /rl HIGHEST /f
    depth: 1
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2828
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "BackgroundTransferHostB" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\ja-JP\BackgroundTransferHost.exe'" /rl HIGHEST /f
    depth: 1
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1552
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\SearchApp.exe'" /f
    depth: 1
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3544
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\SearchApp.exe'" /rl HIGHEST /f
    depth: 1
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2776
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\SearchApp.exe'" /rl HIGHEST /f
    depth: 1
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1176
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\upfc.exe'" /f
    depth: 1
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1360
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\L2Schemas\upfc.exe'" /rl HIGHEST /f
    depth: 1
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3136
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Windows\L2Schemas\upfc.exe'" /rl HIGHEST /f
    depth: 1
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2976
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\Offline Web Pages\RuntimeBroker.exe'" /f
    depth: 1
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1460
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\RuntimeBroker.exe'" /rl HIGHEST /f
    depth: 1
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4144
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\RuntimeBroker.exe'" /rl HIGHEST /f
    depth: 1
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4632
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\host\fxr\smss.exe'" /f
    depth: 1
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3416
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\fxr\smss.exe'" /rl HIGHEST /f
    depth: 1
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3184
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\dotnet\host\fxr\smss.exe'" /rl HIGHEST /f
    depth: 1
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4564

Downloads

  • C:\Program Files\dotnet\host\fxr\smss.exe
    Filesize: 2.0MB
    MD5: 20d1a291ba22e0d37ba1c9ef7c4f2a8e
    SHA1: 977deb9b18a8599aac68cfd86fd95219a54fc8c4
    SHA256: 7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a
    SHA512: 662369dcf70c1abe0142a139f950df672d62b3dbda910a804b6ef6a76280fa543aba4d1a9e52bea1584cdc0c674110b7a11fb0948be82e27c77e92b465f16d42

  • C:\Users\Admin\AppData\Local\Temp\RES3E32.tmp
    Filesize: 1KB
    MD5: d111cefaa2e132a433bd265310351148
    SHA1: 397af57e8ac90f89dca5f4a1cee7f0689f3fdbdf
    SHA256: 1386452aa5b8ce6f5501988b6d7308d49d135d8d7c873a0c614b914df70b409f
    SHA512: a717006e2e55fed38d9684bd911c74ca1c0a8bc8b920d6c5e13b42e7236fd62cbfe2b68b5fc07de09ffcfa3ba73d76f0bfc8cf9395b16f6f66edbb1ed4e883bf

  • C:\Users\Admin\AppData\Local\Temp\bFI9bmS0b9.bat
    Filesize: 243B
    MD5: 047eaea9b53b2712d0f1c81fd2b29ab1
    SHA1: d201aa817091945e49ee6473aa189fa1dd4b94ae
    SHA256: 46f27e9670b1a09f5f65d7128ceb7dfc7e1ae2f7c959ec21a3e7ad2dfe70d449
    SHA512: 9f7545228e206ae0bd8ee50e3cce603583daba3b0e59f07e94975ce2e1a9fd4e01c333c7d309c96b2c136a587a1cd08c3e46325bd3c706f748e86c964c72e8d2

  • \??\c:\Users\Admin\AppData\Local\Temp\gtbqvaux\gtbqvaux.0.cs
    Filesize: 402B
    MD5: 98e4ad8f3f577e69a7ec66e82dce6472
    SHA1: cd7272b0ce9af065055f834823c4af1808d00116
    SHA256: a37d681ac80bb09e54efc8f588904ed5db91e13fe3ed7b9e0ecea2bdad32bc2c
    SHA512: 824b14647297a12ba1013a228079662e9ea3f430c42f179510b0403c75971563ca706a3aba0c8ccde5dd3768954674d5f2df90a2ce7f19bd6407a946e54d9e83

  • \??\c:\Users\Admin\AppData\Local\Temp\gtbqvaux\gtbqvaux.cmdline
    Filesize: 235B
    MD5: 43eaf735f8ad2557325442ae4f32bd76
    SHA1: 1ca98fe954036deb5bfbee9ef3e949373be16b47
    SHA256: 08f4b0687cc37ae031bad573ced77070e3f5d3290e4cb8ef8e5d634d19f3fdff
    SHA512: 1988a8d5781242e5d03b94c032b509a05447cfda95b9688a42903122558596fe8bd4d9449fa4d080622f484177413f551aa09507c2909f26309df23e6967f3b9

  • \??\c:\Windows\System32\CSC3FA59D6F4674283A142CBCBDF86EAD8.TMP
    Filesize: 1KB
    MD5: 0e0a242f8f023c943e845e3326f7e233
    SHA1: 0e271c02e32fa6b6b4b0b27c8cdc4e4afb5b2d78
    SHA256: 31740b218505867f934d13c16295f7c1a57045d8e4c0079799b9caa067b2411c
    SHA512: b7528fd87e6964e8e7c2743dca777d9f905750eaab7ef2683cb49e5b3b42cdce20736fce312856117af968a9c24e8cfee05f453cdbfa3cc12136dbb4a34d71db