54e0d5432537529d082865d7b1d2b3f3db14f80124414a672fb72a4569cf0ce8

Analysis

max time kernel
139s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2024, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CleanupTool.exe
Size

6.6MB
MD5

01055d7b175ece6a0c846b7aeb3afb1c
SHA1

d2876eb4aaac6cf4cc90aa4194d12187a627c850
SHA256

54e0d5432537529d082865d7b1d2b3f3db14f80124414a672fb72a4569cf0ce8
SHA512

3caa6365447f45275ca1a07167e0d29f5302b28e100b62eb9460a1abb96605fa356898e73d2460c6be835e798d23adfa6e240172f2d38adf5a8083607c47ea51
SSDEEP

196608:D9kdARgI+eX1ItAW7pDTAJi195DEguI7iVjoN:D9kcV+eX01wi1/ZmUN

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	CleanupTool.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
5012	reg.exe
4396	reg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 2824	1352	CleanupTool.exe	89
PID 1352 wrote to memory of 2824	1352	CleanupTool.exe	89
PID 1352 wrote to memory of 2824	1352	CleanupTool.exe	89
PID 2824 wrote to memory of 696	2824	cmd.exe	92
PID 2824 wrote to memory of 696	2824	cmd.exe	92
PID 2824 wrote to memory of 696	2824	cmd.exe	92
PID 2824 wrote to memory of 3692	2824	cmd.exe	93
PID 2824 wrote to memory of 3692	2824	cmd.exe	93
PID 2824 wrote to memory of 3692	2824	cmd.exe	93
PID 2824 wrote to memory of 2528	2824	cmd.exe	94
PID 2824 wrote to memory of 2528	2824	cmd.exe	94
PID 2824 wrote to memory of 2528	2824	cmd.exe	94
PID 2824 wrote to memory of 456	2824	cmd.exe	95
PID 2824 wrote to memory of 456	2824	cmd.exe	95
PID 2824 wrote to memory of 456	2824	cmd.exe	95
PID 2824 wrote to memory of 1716	2824	cmd.exe	96
PID 2824 wrote to memory of 1716	2824	cmd.exe	96
PID 2824 wrote to memory of 1716	2824	cmd.exe	96
PID 2824 wrote to memory of 4488	2824	cmd.exe	97
PID 2824 wrote to memory of 4488	2824	cmd.exe	97
PID 2824 wrote to memory of 4488	2824	cmd.exe	97
PID 1352 wrote to memory of 540	1352	CleanupTool.exe	98
PID 1352 wrote to memory of 540	1352	CleanupTool.exe	98
PID 1352 wrote to memory of 540	1352	CleanupTool.exe	98
PID 540 wrote to memory of 5012	540	cmd.exe	100
PID 540 wrote to memory of 5012	540	cmd.exe	100
PID 540 wrote to memory of 5012	540	cmd.exe	100
PID 540 wrote to memory of 1468	540	cmd.exe	101
PID 540 wrote to memory of 1468	540	cmd.exe	101
PID 540 wrote to memory of 1468	540	cmd.exe	101
PID 1468 wrote to memory of 1400	1468	cmd.exe	102
PID 1468 wrote to memory of 1400	1468	cmd.exe	102
PID 1468 wrote to memory of 1400	1468	cmd.exe	102
PID 540 wrote to memory of 1416	540	cmd.exe	103
PID 540 wrote to memory of 1416	540	cmd.exe	103
PID 540 wrote to memory of 1416	540	cmd.exe	103
PID 540 wrote to memory of 1524	540	cmd.exe	104
PID 540 wrote to memory of 1524	540	cmd.exe	104
PID 540 wrote to memory of 1524	540	cmd.exe	104
PID 540 wrote to memory of 1284	540	cmd.exe	105
PID 540 wrote to memory of 1284	540	cmd.exe	105
PID 540 wrote to memory of 1284	540	cmd.exe	105
PID 540 wrote to memory of 3996	540	cmd.exe	106
PID 540 wrote to memory of 3996	540	cmd.exe	106
PID 540 wrote to memory of 3996	540	cmd.exe	106
PID 540 wrote to memory of 1360	540	cmd.exe	107
PID 540 wrote to memory of 1360	540	cmd.exe	107
PID 540 wrote to memory of 1360	540	cmd.exe	107
PID 540 wrote to memory of 1764	540	cmd.exe	108
PID 540 wrote to memory of 1764	540	cmd.exe	108
PID 540 wrote to memory of 1764	540	cmd.exe	108
PID 540 wrote to memory of 2032	540	cmd.exe	109
PID 540 wrote to memory of 2032	540	cmd.exe	109
PID 540 wrote to memory of 2032	540	cmd.exe	109
PID 540 wrote to memory of 1932	540	cmd.exe	110
PID 540 wrote to memory of 1932	540	cmd.exe	110
PID 540 wrote to memory of 1932	540	cmd.exe	110
PID 540 wrote to memory of 3660	540	cmd.exe	111
PID 540 wrote to memory of 3660	540	cmd.exe	111
PID 540 wrote to memory of 3660	540	cmd.exe	111
PID 540 wrote to memory of 4648	540	cmd.exe	112
PID 540 wrote to memory of 4648	540	cmd.exe	112
PID 540 wrote to memory of 4648	540	cmd.exe	112
PID 540 wrote to memory of 3812	540	cmd.exe	113

C:\Users\Admin\AppData\Local\Temp\CleanupTool.exe
"C:\Users\Admin\AppData\Local\Temp\CleanupTool.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\28EE7E79-AFF1-463B-BA7D-714558D8779C\setup.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKEY_CURRENT_USER\Console\%SystemRoot%_system32_cmd.exe
    3⤵
    PID:696
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\Console\%SystemRoot%_system32_cmd.exe /f
    3⤵
    PID:3692
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\Console\%SystemRoot%_system32_cmd.exe /v FontFamily /t REG_DWORD /d 54 /f
    3⤵
    PID:2528
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\Console\%SystemRoot%_system32_cmd.exe /v FontSize /t REG_DWORD /d 917504 /f
    3⤵
    PID:456
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\Console\%SystemRoot%_system32_cmd.exe /v FontWeight /t REG_DWORD /d 400 /f
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\Console\%SystemRoot%_system32_cmd.exe /v FaceName /t REG_SZ /d "Lucida Console" /f
    3⤵
    PID:4488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\28EE7E79-AFF1-463B-BA7D-714558D8779C\cleanup.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKCU\Console\%SystemRoot%_system32_cmd.exe /f
    3⤵
    - Modifies registry key
    PID:5012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY "HKCU\Control Panel\International" /v sLanguage 2>nul"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1468
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY "HKCU\Control Panel\International" /v sLanguage
      4⤵
      PID:1400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" VER "
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\find.exe
    FIND "5.1"
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" VER "
    3⤵
    PID:1284
- - C:\Windows\SysWOW64\find.exe
    FIND "5.2"
    3⤵
    PID:3996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" VER "
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\find.exe
    FIND "6.0"
    3⤵
    PID:1764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" VER "
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\find.exe
    FIND "6.1"
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" VER "
    3⤵
    PID:3660
- - C:\Windows\SysWOW64\find.exe
    FIND "6.2"
    3⤵
    PID:4648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" VER "
    3⤵
    PID:3812
- - C:\Windows\SysWOW64\find.exe
    FIND "6.3"
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" VER "
    3⤵
    PID:632
- - C:\Windows\SysWOW64\find.exe
    FIND "10.0"
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VER
    3⤵
    PID:2076
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\SYSTEM\CurrentControlSet\Enum\Root\ACRONISDEVICES
    3⤵
    - Modifies registry key
    PID:4396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\28EE7E79-AFF1-463B-BA7D-714558D8779C\cleanup.cmd

Filesize
59KB

MD5
8a23b4d77a07645fe6b78ffceb1f25b0

SHA1
8b7debc7fae92ab9c49a45cbab8c55958d1fa112

SHA256
ba10bdda785e8eda25b24112d7eb8d5e7725c46ec4ff8122f35ec6a5b6d7d8f2

SHA512
7f1d47f52f6bfedafa8997c4dc7549fc45f9480cc5911685eec3696444f6bb6ad1e3485ab049a8b581c42ac3851e291101346bd5fec4eb265f34640891961ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\28EE7E79-AFF1-463B-BA7D-714558D8779C\setup.cmd

Filesize
801B

MD5
8e070269e54fb0de76a8c32229ba39ca

SHA1
aeb39f5d6cfdbd3aff3c3defc28197829e94ce39

SHA256
fead460aa42985af67ba78ef49d27dc354f2734fec7efc29182890184aba58b2

SHA512
0ef8a9796cc3108248901e03d4823a32fc02a25e9e02cf368c0ad434e29076a20af3ab5ca694f0b49557471220f7c660abb42a1e5a2689b144e59eb128da7528

Download Submit