68f01cdcb4138b19dc0f97e3ffe97c34a4d796d0a34ad87cd490bb569e03cd71

Analysis

max time kernel
118s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

522e8906891c908e934fd87360ad8f50N.exe
Size

44KB
MD5

522e8906891c908e934fd87360ad8f50
SHA1

dd92280e577070594766e27176879a0c36943486
SHA256

68f01cdcb4138b19dc0f97e3ffe97c34a4d796d0a34ad87cd490bb569e03cd71
SHA512

82c2c5cf2b7029f553dbc29a2251f0d94bb0eefc3c995366e0fd514d25039d1db70dee23a4f5253d8b3111ce21134c0caaca7efd5b66b5b90bb77119322fa192
SSDEEP

768:MlH9AdIGjGizA6PAEc9pvu9JwM/3ed/iTAi90G7nobXdv1Es:MlH9cj9w7vu9JwI3eRiMiz7nobtvCs

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	522e8906891c908e934fd87360ad8f50N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	SkipeTurns.exe

Executes dropped EXE 1 IoCs

pid	Process
3300	SkipeTurns.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SkipeTurns = "C:\\Users\\Admin\\AppData\\Roaming\\SkipeTurns.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	522e8906891c908e934fd87360ad8f50N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SkipeTurns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe
Token: SeDebugPrivilege	3300	SkipeTurns.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2172	522e8906891c908e934fd87360ad8f50N.exe
3300	SkipeTurns.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 3300	2172	522e8906891c908e934fd87360ad8f50N.exe	87
PID 2172 wrote to memory of 3300	2172	522e8906891c908e934fd87360ad8f50N.exe	87
PID 2172 wrote to memory of 3300	2172	522e8906891c908e934fd87360ad8f50N.exe	87
PID 3300 wrote to memory of 3768	3300	SkipeTurns.exe	89
PID 3300 wrote to memory of 3768	3300	SkipeTurns.exe	89
PID 3300 wrote to memory of 3768	3300	SkipeTurns.exe	89
PID 3768 wrote to memory of 2428	3768	cmd.exe	91
PID 3768 wrote to memory of 2428	3768	cmd.exe	91
PID 3768 wrote to memory of 2428	3768	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\522e8906891c908e934fd87360ad8f50N.exe
"C:\Users\Admin\AppData\Local\Temp\522e8906891c908e934fd87360ad8f50N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Roaming\SkipeTurns.exe
  "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\COPKJ.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3768
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SkipeTurns" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\COPKJ.txt

Filesize
142B

MD5
7aab82a958be0bdc325ec075c874ca64

SHA1
f4ab3d6776f6ffc569a878a003df9a4f0a331eb6

SHA256
446e766a1c4c57cf38c3b70b1152a5c1216cc86388fefe5d7d39522458436144

SHA512
1737e41a539341737e4fc5c22f13c10b34e5054b2e1b44e604490c4faaf943442c596581fb28b0c967935cfd92c5fd4e7331fb72ae2d4f6ef1b8acc64b46f240

Download Submit
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
44KB

MD5
e26d071a299660858b365781fb2ed45d

SHA1
956669dc6c4cb8cf3a55ae715e131c14c0309f53

SHA256
5bcffa6014c35e62f104ef2a9b479c278a90f5d19e602695380b7570048bd515

SHA512
7a2d8ab27dd4dd7e806b4b939f6b5a8eb7d240bc31b09eed1d20e04516cfff27f3449bb8442c175996432b9f99e32c542c86201bf4605c3641b3a01d70a197d6

Download Submit
memory/2172-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3300-15-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads