Analysis
-
max time kernel
6s -
max time network
8s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
18-07-2024 12:03
Behavioral task
behavioral1
Sample
dupe.exe
Resource
win7-20240704-en
Errors
General
-
Target
dupe.exe
-
Size
111KB
-
MD5
70e2065cad845ee34e4a39f9b8c963a3
-
SHA1
c4fe48fc7ec3182670a1a6dc9ec26fde32ad653d
-
SHA256
168a57c472350a733ffe154a065b243f0d64faf235004315471785abeb93fe19
-
SHA512
f8bdfae8658f49d4a7a4b83fae078766fbdcfd6438090cc49971e57befc1fe13f22de66cba30b09c6cbf166dce6570a894d11d9985ce9db8a2ad8555d755252f
-
SSDEEP
1536:Y+b6QDWv5IDlOM91qQIwOs0dxv72rEBDG+bhDqI6oQW8zCrAZuhazDy:Pb2IpORLv7ztbxqHoQW8zCrAZuhay
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation dupe.exe Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation dupe.exe -
Executes dropped EXE 1 IoCs
pid Process 5100 dupe.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
pid Process 5056 timeout.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 1320 tasklist.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 324 schtasks.exe 2676 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 5100 dupe.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 5100 dupe.exe 5100 dupe.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 3776 dupe.exe Token: SeDebugPrivilege 1320 tasklist.exe Token: SeDebugPrivilege 5100 dupe.exe Token: SeDebugPrivilege 5100 dupe.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 5100 dupe.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 3776 wrote to memory of 324 3776 dupe.exe 88 PID 3776 wrote to memory of 324 3776 dupe.exe 88 PID 3776 wrote to memory of 3092 3776 dupe.exe 90 PID 3776 wrote to memory of 3092 3776 dupe.exe 90 PID 3092 wrote to memory of 1320 3092 cmd.exe 92 PID 3092 wrote to memory of 1320 3092 cmd.exe 92 PID 3092 wrote to memory of 2992 3092 cmd.exe 93 PID 3092 wrote to memory of 2992 3092 cmd.exe 93 PID 3092 wrote to memory of 5056 3092 cmd.exe 95 PID 3092 wrote to memory of 5056 3092 cmd.exe 95 PID 3092 wrote to memory of 5100 3092 cmd.exe 96 PID 3092 wrote to memory of 5100 3092 cmd.exe 96 PID 5100 wrote to memory of 2676 5100 dupe.exe 101 PID 5100 wrote to memory of 2676 5100 dupe.exe 101 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\dupe.exe"C:\Users\Admin\AppData\Local\Temp\dupe.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3776 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Windows Update" /tr "C:\Users\Public\Downloads\dupe.exe"2⤵
- Scheduled Task/Job: Scheduled Task
PID:324
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpC3BD.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpC3BD.tmp.bat2⤵
- Suspicious use of WriteProcessMemory
PID:3092 -
C:\Windows\system32\tasklist.exeTasklist /fi "PID eq 3776"3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1320
-
-
C:\Windows\system32\find.exefind ":"3⤵PID:2992
-
-
C:\Windows\system32\timeout.exeTimeout /T 1 /Nobreak3⤵
- Delays execution with timeout.exe
PID:5056
-
-
C:\Users\Public\Downloads\dupe.exe"dupe.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Windows Update" /tr "C:\Users\Public\Downloads\dupe.exe"4⤵
- Scheduled Task/Job: Scheduled Task
PID:2676
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
190B
MD501bc28348682749045a2cf0b54fbb2c2
SHA197317058f0dd136052e2678336eb9f344a3cae40
SHA256a366a244e6487ac72b102fdbd637d8514f18843247429f9dec327fa38444125e
SHA512e34eb97838b6f7b1424be6a4cb59de3b1966c46eefe95abc9d3f1460df45b0a04d9662eb6e09744cc5bcdcc5921082f3d2147208bce3e48a76dc87e73f0543fd
-
Filesize
111KB
MD570e2065cad845ee34e4a39f9b8c963a3
SHA1c4fe48fc7ec3182670a1a6dc9ec26fde32ad653d
SHA256168a57c472350a733ffe154a065b243f0d64faf235004315471785abeb93fe19
SHA512f8bdfae8658f49d4a7a4b83fae078766fbdcfd6438090cc49971e57befc1fe13f22de66cba30b09c6cbf166dce6570a894d11d9985ce9db8a2ad8555d755252f