Analysis
Max time kernel: 148s
Max time network: 155s
Platform: windows11-21h2_x64
Resource: win11-20240709-en
Resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
Submitted: 28-07-2024 09:29
Behavioral tasks
behavioral1: Sample windows.exe, Resource win7-20240708-en
behavioral2: Sample windows.exe, Resource win10-20240404-en
behavioral3: Sample windows.exe, Resource win10v2004-20240709-en
behavioral4: Sample windows.exe, Resource win11-20240709-en
General
Target: windows.exe
Size: 913KB
MD5: 4c30c907584baa7c1931a3a83ba69149
SHA1: 09d3887d9895189a49930a61aea8c788b1ad1c0e
SHA256: afc180f84398fdf09969b61c538dd1b7d2259fba43b44a5ed00dac386df7a046
SHA512: 1f581850f9722153d760f6a0f125b71aae3b87546c851a26674cc37ec76b13e39f8abc93a77e1d32fdfe906fa80945fbfb9774cb002dadd922b629879c9246cc
SSDEEP: 24576:1Eqr4MROxnF25bYmfFhQ3rZlI0AilFEvxHil71B:1EjMiz3rZlI0AilFEvxHi
Malware Config
Signatures

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops desktop.ini file(s) (2 IoCs)
Process: windows.exe
  File created: C:\Windows\assembly\Desktop.ini
  File opened for modification: C:\Windows\assembly\Desktop.ini
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 1 IoC)

Drops file in Windows directory (3 IoCs)
Process: windows.exe
  File opened for modification: C:\Windows\assembly
  File created: C:\Windows\assembly\Desktop.ini
  File opened for modification: C:\Windows\assembly\Desktop.ini
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Process: windows.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Process: windows.exe (PID 1188), 64 identical entries
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Process: windows.exe (PID 1188)
  Token: SeDebugPrivilege
  Token: SeBackupPrivilege
  Token: SeSecurityPrivilege (repeated for the remaining 62 of the 64 entries)
Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 1592 MiniSearchHost.exe
  PID 1188 windows.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1188 (windows.exe) wrote to memory of PID 4628, procid_target 80
  PID 1188 (windows.exe) wrote to memory of PID 4628, procid_target 80
  PID 4628 (csc.exe) wrote to memory of PID 4376, procid_target 82
  PID 4628 (csc.exe) wrote to memory of PID 4376, procid_target 82
Processes

C:\Users\Admin\AppData\Local\Temp\windows.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\windows.exe"
  PID: 1188
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe (child of PID 1188)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a9qr97gi.cmdline"
    PID: 4628
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (child of PID 4628)
      Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB528.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB527.tmp"
      PID: 4376

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  PID: 1592
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads