Resubmissions

21-08-2024 01:30

240821-bw3pdsxcnq 10

21-08-2024 01:25

240821-bs432sxbjp 10

Analysis

  • max time kernel
    54s
  • max time network
    64s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-08-2024 01:25

General

  • Target

    dc/15.exe

  • Size

    2.1MB

  • MD5

    b12ef70bcce8e0d04e93376d3b83ca66

  • SHA1

    e39d686a8768f863d8249e756e1bc544cfb605aa

  • SHA256

    b668a49752fb5adf32ae36a41cabb6860edc2c3864d73ed40b2dadef1e23b4d2

  • SHA512

    8c846090213c7aa8a3adbd3b57f404a7b5382fce12c46e8c346251a9d8449f8ba68b3dab4cd4db9dd7a7451529fcad785c63946bc9dd6ec1b348a8ea112733be

  • SSDEEP

    24576:2TbBv5rUyXVXp1K75ksCRm9INpUlHmZ4VF2mmPh2MluvAE/m7PYhWzeJTvXOJ5+C:IBJXZssNylGK2qn/mzYhWzuTvXtqyG

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc\15.exe
    "C:\Users\Admin\AppData\Local\Temp\dc\15.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\System32\8rbttxuAYWGF2FpwUDyTVR1ohsXZ5bsH7b4R6XEMsu5V3.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1380
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\System32\Jd0J8BJwH2YTk1NdbeIjm4isCuziage65W6sCBAWZ.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3536
        • C:\System32\WindowsDefender.exe
          "C:\System32/WindowsDefender.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4056
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1476
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4468
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:3800
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2320
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1284
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4376
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4688
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1144
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4500
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System32/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:3164
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:452
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:3528
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2576
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4396
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Provisioning\Cosa\taskhostw.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:3552
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\System32\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:3584
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\backgroundTaskHost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4776
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\System32\WindowsDefender.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:388
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\veZsyY2tWW.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3008
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:6060
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                6⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:5620
              • C:\System32\WindowsDefender.exe
                "C:\System32\WindowsDefender.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:6104
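Three things in the tree above are worth turning into hunt logic. First, the dropper writes its payload and scripts to C:\System32\, a directory it creates itself at the drive root, not the real C:\Windows\System32\, and names the payload WindowsDefender.exe. Second, the eighteen Add-MpPreference calls exempt essentially the whole C: volume (drive root plus every top-level directory) and then the persistence copies, which borrow the names of genuine System32 binaries (smss.exe, csrss.exe, dllhost.exe, taskhostw.exe, backgroundTaskHost.exe) while living in C:\Recovery\WindowsRE, C:\Windows\PLA, C:\Windows\Provisioning\Cosa and C:\System32. Third, veZsyY2tWW.bat runs chcp 65001, then ping -n 10 localhost as a roughly nine-second sleep, then relaunches WindowsDefender.exe (PID 6104). The Python below is an added example, not the sandbox's own signature logic: it runs that reasoning over process-create records transcribed from the tree (the sample data and the "depth ≤ 1 means broad" threshold are this example's assumptions) and would work unchanged on command-line fields from an EDR or Sysmon event 1 export.

```python
"""Hunt logic over the process tree above: Defender exclusion tampering,
system-binary masquerading and ping-as-sleep. Added example, not report code."""
import ntpath
import re

EXCL_RE = re.compile(r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\s+'([^']+)'", re.I)
PING_RE = re.compile(r"\bping(?:\.exe)?\s+-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)\b", re.I)
REAL_SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Genuine Windows binaries that live in C:\Windows\System32; a copy anywhere else
# (C:\Recovery\WindowsRE, C:\Windows\PLA, C:\System32) is a masquerading candidate.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "dllhost.exe", "taskhostw.exe", "backgroundtaskhost.exe"}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXCLUSIONS = [  # the 18 -ExclusionPath values from the tree, in order
    "C:/", "C:/$Recycle.Bin/", "C:/Documents and Settings/", "C:/PerfLogs/",
    "C:/Program Files/", "C:/Program Files (x86)/", "C:/ProgramData/", "C:/Recovery/",
    "C:/System Volume Information/", "C:/System32/", "C:/Users/", "C:/Windows/",
    r"C:\Recovery\WindowsRE\smss.exe", r"C:\Windows\PLA\dllhost.exe",
    r"C:\Windows\Provisioning\Cosa\taskhostw.exe", r"C:\System32\csrss.exe",
    r"C:\Recovery\WindowsRE\backgroundTaskHost.exe", r"C:\System32\WindowsDefender.exe"]
PS_PIDS = [1476, 4468, 3800, 2320, 1284, 4376, 4688, 1144, 4500, 3164, 452, 3528,
           2576, 4396, 3552, 3584, 4776, 388]
# Constructed sample: (pid, ppid, image, cmdline) records transcribed from the
# process tree, the shape a sandbox or EDR process-create log gives you.
EVENTS = [
    (1516, 0, r"C:\Users\Admin\AppData\Local\Temp\dc\15.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\dc\15.exe"'),
    (1380, 1516, r"C:\Windows\SysWOW64\WScript.exe",
     r'"C:\Windows\System32\WScript.exe" "C:\System32\8rbttxuAYWGF2FpwUDyTVR1ohsXZ5bsH7b4R6XEMsu5V3.vbe"'),
    (3536, 1380, r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\System32\Jd0J8BJwH2YTk1NdbeIjm4isCuziage65W6sCBAWZ.bat" "'),
    (4056, 3536, r"C:\System32\WindowsDefender.exe", r'"C:\System32/WindowsDefender.exe"'),
] + [
    (pid, 4056, PS, f"\"powershell\" -Command Add-MpPreference -ExclusionPath '{p}'")
    for pid, p in zip(PS_PIDS, EXCLUSIONS)
] + [
    (3008, 4056, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\veZsyY2tWW.bat"'),
    (6060, 3008, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    (5620, 3008, r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"),
    (6104, 3008, r"C:\System32\WindowsDefender.exe", r'"C:\System32\WindowsDefender.exe"'),
]

def norm(path):
    """Windows-style normalisation (slashes, case) that also works on a Linux analysis box."""
    return ntpath.normpath(path).lower().rstrip("\\")

def exclusion_paths(cmdline):
    """Values passed to Add-MpPreference -Exclusion* in one command line."""
    return EXCL_RE.findall(cmdline)

def is_broad(path):
    """Heuristic: a drive root ('C:/', depth 0) or a single top-level directory
    ('C:/Users/', depth 1) is far wider than legitimate software needs to exempt."""
    return norm(path).count("\\") <= 1

def masquerade(path):
    """True when the file name is a real System32 binary but the directory is not."""
    directory, name = ntpath.split(norm(path))
    return name in SYSTEM_BINARIES and directory not in REAL_SYSTEM_DIRS

def fake_system_dir(image):
    """True when the image sits in a 'System32'/'SysWOW64' directory that is not the
    real one under C:\\Windows, e.g. the dropper-created C:\\System32\\ seen above."""
    directory = ntpath.split(norm(image))[0]
    leaf = ntpath.split(directory)[1]
    return leaf in ("system32", "syswow64") and directory not in REAL_SYSTEM_DIRS

def ping_sleep_seconds(cmdline):
    """'ping -n N localhost' pauses about one second between echoes: roughly N-1 s."""
    m = PING_RE.search(cmdline)
    return max(int(m.group(1)) - 1, 0) if m else None

def analyze(events):
    """Return (pid, finding, detail) triples for every suspicious record."""
    findings = []
    for pid, _ppid, image, cmdline in events:
        for p in exclusion_paths(cmdline):
            if is_broad(p):
                findings.append((pid, "broad_defender_exclusion", p))
            elif masquerade(p):
                findings.append((pid, "exclusion_for_masquerading_binary", p))
            else:
                findings.append((pid, "defender_exclusion", p))
        if fake_system_dir(image):
            findings.append((pid, "image_in_fake_system_dir", image))
        secs = ping_sleep_seconds(cmdline)
        if secs is not None:
            findings.append((pid, "ping_as_sleep", f"~{secs}s"))
    return findings

def summary(events):
    """Finding counts by type; for the tree above this gives 12 broad exclusions."""
    counts = {}
    for _pid, kind, _detail in analyze(events):
        counts[kind] = counts.get(kind, 0) + 1
    return counts
```

On the tree above this yields 12 broad exclusions, 5 exclusions for masquerading copies of system binaries, 1 exclusion for the WindowsDefender.exe payload itself, 2 executions from the fake C:\System32 directory and 1 ping-as-sleep. The exclusions persist after the process tree is gone, so on a suspected host check the live state with Get-MpPreference (the ExclusionPath property) and remove entries with Remove-MpPreference; the Add-MpPreference calls need administrative rights, which matches the AdjustPrivilegeToken signature on every PowerShell child.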

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\System32\8rbttxuAYWGF2FpwUDyTVR1ohsXZ5bsH7b4R6XEMsu5V3.vbe

      Filesize

      228B

      MD5

      0b906775c9028f2e889e8b4605347659

      SHA1

      743404672c8980f8bf5ec4a104c8caf689d45a0c

      SHA256

      18d3f0a3ba08fd30312d766b3a5a3b900ffbf94a2b3dd7da9882b7f4ed13292e

      SHA512

      c69cbdce006d4e075df4c49292058e9c3d6a3b12348659cf0c1725516637719a31a9baa7ff20308f2cce7d4612cec9e298f60989d70b604ab56848f4044022c0

    • C:\System32\Jd0J8BJwH2YTk1NdbeIjm4isCuziage65W6sCBAWZ.bat

      Filesize

      85B

      MD5

      329564b98f79e074df814d4226b41dc7

      SHA1

      76ae430af9a4b004b4b7c77c6a01e757e699cdf9

      SHA256

      6fe131b3b22b39a9f41a0fd1929f35c1448da553735934f60ce1a6871ffc169f

      SHA512

      f872c16c43edd0b65dbe5445a164170ac300624936ca26e056a38f9bf6dd1aa2c81d9a338100909a7bedecddc3290433815576df0dd88e301b9a85f27aa45f0e

    • C:\System32\WindowsDefender.exe

      Filesize

      1.8MB

      MD5

      75c65864facdc69a2521e9220052c22a

      SHA1

      df632e513d45eb3b2fd984c4639c427c406bf369

      SHA256

      c744d735378f69a60bd82ad79e2d1d51bfdbaed22a460302c7e9b589955ee81a

      SHA512

      f2863d60c3fcd41a9d7d3af8844b929b2e22e0b338df9889ff95ae628ccc2c71ac6264fa3f4d75df9d5e7f136cc2e8d506a35897755bdd8e804fa71821ccbfe1

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WindowsDefender.exe.log

      Filesize

      1KB

      MD5

      1eff74e45bb1f7104e691358cb209546

      SHA1

      253b13ffad516cc34704f5b882c6fa36953a953f

      SHA256

      7ad96be486e6058b19446b95bb734acdaf4addc557b2d059a66ee1acfe19b3fc

      SHA512

      44163ed001baf697ce66d3b386e13bf5cb94bc24ce6b1ae98665d766d5fcdf0ca28b41ecc26c5f11bbea117ac17099e87f204f9d5469bb102a769548edeead7e

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      d28a889fd956d5cb3accfbaf1143eb6f

      SHA1

      157ba54b365341f8ff06707d996b3635da8446f7

      SHA256

      21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

      SHA512

      0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      cadef9abd087803c630df65264a6c81c

      SHA1

      babbf3636c347c8727c35f3eef2ee643dbcc4bd2

      SHA256

      cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

      SHA512

      7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      59d97011e091004eaffb9816aa0b9abd

      SHA1

      1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

      SHA256

      18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

      SHA512

      d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      bd5940f08d0be56e65e5f2aaf47c538e

      SHA1

      d7e31b87866e5e383ab5499da64aba50f03e8443

      SHA256

      2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

      SHA512

      c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      3a6bad9528f8e23fb5c77fbd81fa28e8

      SHA1

      f127317c3bc6407f536c0f0600dcbcf1aabfba36

      SHA256

      986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

      SHA512

      846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      28d4235aa2e6d782751f980ceb6e5021

      SHA1

      f5d82d56acd642b9fc4b963f684fd6b78f25a140

      SHA256

      8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638

      SHA512

      dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sjhmwjgo.snh.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\veZsyY2tWW.bat

      Filesize

      159B

      MD5

      388d2b0ca9a6ac9090a55dce5dd375fe

      SHA1

      518bf1284c13b4a5982e7edf65f9ea096921a220

      SHA256

      ef570f0913d3d5d68f2bd1f7df170d6de0646b146e8f9a4a17d6cd87b28bbad4

      SHA512

      d9d308a9b9beb2bdee84b99d6a36b2ec2facc43c44770f1cd7e6f78a48513b25a25d9d41b3c6724633c40a1ef8878204465e2c83b629ca069427890fb883d8b4

    • memory/452-57-0x00000293BCBB0000-0x00000293BCBD2000-memory.dmp

      Filesize

      136KB

    • memory/4056-22-0x000000001B5B0000-0x000000001B5BC000-memory.dmp

      Filesize

      48KB

    • memory/4056-20-0x000000001B5F0000-0x000000001B608000-memory.dmp

      Filesize

      96KB

    • memory/4056-18-0x000000001B9B0000-0x000000001BA00000-memory.dmp

      Filesize

      320KB

    • memory/4056-17-0x000000001B5D0000-0x000000001B5EC000-memory.dmp

      Filesize

      112KB

    • memory/4056-15-0x0000000002BC0000-0x0000000002BCE000-memory.dmp

      Filesize

      56KB

    • memory/4056-13-0x00000000007D0000-0x00000000009AA000-memory.dmp

      Filesize

      1.9MB

    • memory/4056-12-0x00007FFDD8B93000-0x00007FFDD8B95000-memory.dmp

      Filesize

      8KB

    • memory/6104-246-0x000000001BE90000-0x000000001BFA5000-memory.dmp

      Filesize

      1.1MB