f2e029eab2140f964ef689c2a1fe7b0c43b3865d508c2411458a7f1f61834380

Analysis

max time kernel
131s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 07:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2e029eab2140f964ef689c2a1fe7b0c43b3865d508c2411458a7f1f61834380.exe
Size

1.7MB
MD5

f0c3859fdb7757b13720eec39fdd931f
SHA1

85a6d9727bddf50a0031f7a6ffdce97a5c6dbdd5
SHA256

f2e029eab2140f964ef689c2a1fe7b0c43b3865d508c2411458a7f1f61834380
SHA512

8f265d6da30348c9fef4e54370638652ade09c63c7de5597390bc6ccd8f5010d510dec416415fcde0e82cb9747f6e7fc3e26450d952bad4a62b02e62a8250e66
SSDEEP

24576:OXdVtTj2i64T+jdxQCfgOFD3WSwd2QtBBw6xxhVxQtmibjOhZaiRu/4oMaop0UNC:mbTChxKCnFnQXBbrtgb/iQvu0UHOa6

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	f2e029eab2140f964ef689c2a1fe7b0c43b3865d508c2411458a7f1f61834380.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WdExt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	launch.exe

Executes dropped EXE 4 IoCs

pid	Process
2052	WdExt.exe
4304	launch.exe
4880	wtmps.exe
2028	mscaps.exe

Loads dropped DLL 2 IoCs

pid	Process
2616	f2e029eab2140f964ef689c2a1fe7b0c43b3865d508c2411458a7f1f61834380.exe
2052	WdExt.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender Extension = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Defender\\launch.exe\""	launch.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mscaps.exe	wtmps.exe
File opened for modification	C:\Windows\SysWOW64\mscaps.exe	wtmps.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WdExt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	launch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wtmps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2e029eab2140f964ef689c2a1fe7b0c43b3865d508c2411458a7f1f61834380.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2616	f2e029eab2140f964ef689c2a1fe7b0c43b3865d508c2411458a7f1f61834380.exe
2616	f2e029eab2140f964ef689c2a1fe7b0c43b3865d508c2411458a7f1f61834380.exe
2052	WdExt.exe
2052	WdExt.exe
4304	launch.exe
4304	launch.exe
4304	launch.exe
4304	launch.exe
4304	launch.exe
4304	launch.exe
4304	launch.exe
4304	launch.exe
4304	launch.exe
4304	launch.exe
4304	launch.exe
4304	launch.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 4084	2616	f2e029eab2140f964ef689c2a1fe7b0c43b3865d508c2411458a7f1f61834380.exe	85
PID 2616 wrote to memory of 4084	2616	f2e029eab2140f964ef689c2a1fe7b0c43b3865d508c2411458a7f1f61834380.exe	85
PID 2616 wrote to memory of 4084	2616	f2e029eab2140f964ef689c2a1fe7b0c43b3865d508c2411458a7f1f61834380.exe	85
PID 2616 wrote to memory of 1948	2616	f2e029eab2140f964ef689c2a1fe7b0c43b3865d508c2411458a7f1f61834380.exe	87
PID 2616 wrote to memory of 1948	2616	f2e029eab2140f964ef689c2a1fe7b0c43b3865d508c2411458a7f1f61834380.exe	87
PID 2616 wrote to memory of 1948	2616	f2e029eab2140f964ef689c2a1fe7b0c43b3865d508c2411458a7f1f61834380.exe	87
PID 4084 wrote to memory of 2052	4084	cmd.exe	89
PID 4084 wrote to memory of 2052	4084	cmd.exe	89
PID 4084 wrote to memory of 2052	4084	cmd.exe	89
PID 2052 wrote to memory of 1260	2052	WdExt.exe	91
PID 2052 wrote to memory of 1260	2052	WdExt.exe	91
PID 2052 wrote to memory of 1260	2052	WdExt.exe	91
PID 1260 wrote to memory of 4304	1260	cmd.exe	93
PID 1260 wrote to memory of 4304	1260	cmd.exe	93
PID 1260 wrote to memory of 4304	1260	cmd.exe	93
PID 4304 wrote to memory of 2132	4304	launch.exe	95
PID 4304 wrote to memory of 2132	4304	launch.exe	95
PID 4304 wrote to memory of 2132	4304	launch.exe	95
PID 2132 wrote to memory of 4880	2132	cmd.exe	97
PID 2132 wrote to memory of 4880	2132	cmd.exe	97
PID 2132 wrote to memory of 4880	2132	cmd.exe	97
PID 4880 wrote to memory of 2028	4880	wtmps.exe	99
PID 4880 wrote to memory of 2028	4880	wtmps.exe	99
PID 4880 wrote to memory of 2028	4880	wtmps.exe	99

C:\Users\Admin\AppData\Local\Temp\f2e029eab2140f964ef689c2a1fe7b0c43b3865d508c2411458a7f1f61834380.exe
"C:\Users\Admin\AppData\Local\Temp\f2e029eab2140f964ef689c2a1fe7b0c43b3865d508c2411458a7f1f61834380.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1260
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe" /i 2052
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4304
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\wtmps.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wtmps.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\mscaps.exe
        
        "C:\Windows\system32\mscaps.exe" /C:\Users\Admin\AppData\Local\Temp\wtmps.exe
        8⤵
        Executes dropped EXE
        
        PID:2028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\92CA.tmp

Filesize
406B

MD5
37512bcc96b2c0c0cf0ad1ed8cfae5cd

SHA1
edf7f17ce28e1c4c82207cab8ca77f2056ea545c

SHA256
27e678bf5dc82219d6edd744f0b82567a26e40f8a9dcd6487205e13058e3ed1f

SHA512
6d4252ab5aa441a76ce2127224fefcb221259ab4d39f06437b269bd6bfdaae009c8f34e9603ec734159553bc9f1359bdd70316cd426d73b171a9f17c41077641

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtmps.exe

Filesize
276KB

MD5
75c1467042b38332d1ea0298f29fb592

SHA1
f92ea770c2ddb04cf0d20914578e4c482328f0f8

SHA256
3b20c853d4ca23240cd338b8cab16f1027c540ddfe9c4ffdca1624d2f923b373

SHA512
5c47c59ad222e2597ccdf2c100853c48f022e933f44c279154346eacf9e7e6f54214ada541d43a10424035f160b56131aab206c11512a9fd6ea614fbd3160aa0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe

Filesize
172KB

MD5
daac1781c9d22f5743ade0cb41feaebf

SHA1
e2549eeeea42a6892b89d354498fcaa8ffd9cac4

SHA256
6a7093440420306cf7de53421a67af8a1094771e0aab9535acbd748d08ed766c

SHA512
190a7d5291e20002f996edf1e04456bfdff8b7b2f4ef113178bd42a9e5fd89fe6d410ae2c505de0358c4f53f9654ac1caaa8634665afa6d9691640dd4ee86160

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe

Filesize
1.2MB

MD5
d33b8714379100a649e0efe64f588e50

SHA1
226ff2b20b2be641a8b968c46478f6249f5b95a5

SHA256
cc3c6eb1033521e0f22b942763ced6e4113d2b0a90db888866db3d7a60901059

SHA512
e8b2e28335ad73579cdd6784d67218e4de573cf061a32108ea24638137fbf07ab672acd5ddf991157916fb97236d09821dc52eb1847e841b5c397959ad69b763

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe

Filesize
1.7MB

MD5
6ca57191372c7859aff9493eac04bc43

SHA1
13646d4aee31cae2ced75bc4870989d1dde57493

SHA256
7ed764ef60ff4c96987af2c6ede2ac2b3f7a4bb568af8af040b6332883438bd1

SHA512
ee9976ba4357fc9cf0ca0a95ef73065619414dc8e5a17776dbe5e63bffd115d55ba9499cfc750174cb98e986971cf19cf8dbb849c836ce9bc22331b965998e60

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat

Filesize
129B

MD5
d1073c9b34d1bbd570928734aacff6a5

SHA1
78714e24e88d50e0da8da9d303bec65b2ee6d903

SHA256
b3c704b1a728004fc5e25899d72930a7466d7628dd6ddd795b3000897dfa4020

SHA512
4f2b9330e30fcc55245dc5d12311e105b2b2b9d607fbfc4a203c69a740006f0af58d6a01e2da284575a897528da71a2e61a7321034755b78feb646c8dd12347f

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

Filesize
302B

MD5
a41531d0d5b6a38361a8f6a87ff2bd37

SHA1
9819ae3c4d169a08efb2dfd86cd3928fe93ed82f

SHA256
41b4001cd8e500f2f8ea1b9f2205e0bfaff5fa6b1b74b9f04012bea69b6a61c1

SHA512
c1cccc1a9e34d9b3812742d4d727899cb56fd0af5da073f74a6c4b57caa40d73651efe1b79f1c0948515774b2bc831be7637bd978431203361c4f41c989a7872

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

Filesize
126B

MD5
5a3e5ffea9bed3a1309c21da4e15c635

SHA1
1f36da2af5cf8615411401eb7fd754d868bc1717

SHA256
34d59242fd071001c5f334e813404b2c53a6e6c53b91d3521be6013cee509961

SHA512
a7467c89580e0cfc3ecfe35018b410416b36537f92e4825d4aaae15f92ba4e7b34e5d6d9e3ffc51d0ddbcb25bf3bc0651801976bc770d93e12d1b8367f92ccf0

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat

Filesize
102B

MD5
3ca08f080a7a28416774d80552d4aa08

SHA1
0b5f0ba641204b27adac4140fd45dce4390dbf24

SHA256
4e7d460b8dc9f2c01b4c5a16fb956aced10127bc940e8039a80c6455901ea1f0

SHA512
0c64aa462ff70473ef763ec392296fe0ea59b5340c26978531a416732bc3845adf9ca7b673cb7b4ba40cc45674351206096995c43600fccbbbe64e51b6019f01

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\mydll.dll

Filesize
388KB

MD5
e1e47695a0b98432911311352b63eaed

SHA1
836142e550301e0fc13c1a047aae5a2f4481d7cd

SHA256
c67ed34d9254b31e611ee830125c3f2572a1e686f82deb69e1580fb9a4614cd0

SHA512
da49234ee2e1d8f9956ba59d4a49fe04d3ab154f5dd60cf7a6c72e9d42defe8a4b0aeb38845444fe3a8d9c80976467d2101f7c992a48f98f6a9317d0e61ca961

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\mydll.dll

Filesize
388KB

MD5
8d7db101a7211fe3309dc4dc8cf2dd0a

SHA1
6c2781eadf53b3742d16dab2f164baf813f7ac85

SHA256
93db7c9699594caa19490280842fbebec3877278c92128b92e63d75fcd01397a

SHA512
8b139d447068519997f7bbc2c7c2fe3846b89ae1fba847258277c9ab92a93583b28fae7ffa444768929ed5852cc914c0270446cbf0bd20aca49bde6b6f809c83

Download Submit
C:\Windows\SysWOW64\mscaps.exe

Filesize
200KB

MD5
78d3c8705f8baf7d34e6a6737d1cfa18

SHA1
9f09e248a29311dbeefae9d85937b13da042a010

SHA256
2c4c9ec8e9291ba5c73f641af2e0c3e1bbd257ac40d9fb9d3faab7cebc978905

SHA512
9a3c3175276da58f1bc8d1138e63238c8d8ccfbfa1a8a1338e88525eca47f8d745158bb34396b7c3f25e4296be5f45a71781da33ad0bbdf7ad88a9c305b85609

Download Submit
memory/2616-0-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download