7fd25f5eb8297d2670c3b009acb05d3442f2a8d0e520d4fd74cc277e6000ce25

Analysis

max time kernel
91s
max time network
73s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2024 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bad-time-trio.exe
Size

13.1MB
MD5

040015c59a9d341e4a10e73d3153656c
SHA1

65c00b964cb639fed9d4cac4f7a00696ddc7df2d
SHA256

7fd25f5eb8297d2670c3b009acb05d3442f2a8d0e520d4fd74cc277e6000ce25
SHA512

2507e940d5543395f55f654a5b7a20b16012117d4808160dba1cc15fd86f3f62c4ee3dd87d7b6e01bd06e0070e81df68dfa7e5780322d570f00a68a10a956600
SSDEEP

393216:aWN3eETMN73okWV+89ieyjqI/OfXFiju1k:aWN3eETMN73OieyjIFiyC

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 22 IoCs

pid	Process
4848	bad-time-trio.exe
4848	bad-time-trio.exe
4848	bad-time-trio.exe
4848	bad-time-trio.exe
4848	bad-time-trio.exe
4848	bad-time-trio.exe
4848	bad-time-trio.exe
4848	bad-time-trio.exe
4848	bad-time-trio.exe
4848	bad-time-trio.exe
4848	bad-time-trio.exe
4848	bad-time-trio.exe
4848	bad-time-trio.exe
4848	bad-time-trio.exe
4848	bad-time-trio.exe
4848	bad-time-trio.exe
4848	bad-time-trio.exe
4848	bad-time-trio.exe
4848	bad-time-trio.exe
4848	bad-time-trio.exe
4848	bad-time-trio.exe
4848	bad-time-trio.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bad-time-trio.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4848	bad-time-trio.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2400	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2400	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4848	bad-time-trio.exe

C:\Users\Admin\AppData\Local\Temp\bad-time-trio.exe
"C:\Users\Admin\AppData\Local\Temp\bad-time-trio.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4848

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f8 0x528
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3908,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=1412 /prefetch:8
1⤵
PID:4528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mrt430F.tmp\Easing.mfx

Filesize
168KB

MD5
052d1c7eed7b50a18eddc10dfad3ae22

SHA1
6f88687f930e73106d2b8af00f5317eca74e0c61

SHA256
1b5e79e999c4cff19fe0260bdeaeeaea0fcda6057bf6d17bf0f121e9797d20ef

SHA512
ef89c692a47d2ad66d6f4e722e9b330a85cca0faea2f022abfc3da3c1d32fc7c0cf01d6a6e36fddd0b82c97eebc707c9e00e2431792d551b7178fb8d50452966

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt430F.tmp\cctrans.dll

Filesize
347KB

MD5
21e093d52a3afe8ed5532fcaa189c067

SHA1
8aa7bcb26e3064cd4d1172090ff00d083ee19cc4

SHA256
9b834b5d26983451ef3a11c8c2a715724daa188fbd28597081ecb1e9ed672f87

SHA512
b4c2205c234e8ed4973fca9c64c0ec11753eb200c1d2eb3c66b9f4509426c8774f14ae1271583e0eaff268eae9c8375c5993af107e4db8d7c87b817bd1ccd9e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt430F.tmp\gifflt.ift

Filesize
28KB

MD5
9a1a0b8e7045c06c47abeb52d861c377

SHA1
6a1c36eb8354f62d5eab6d7c62316fd7d0e1aa92

SHA256
8fadc250c2afc00b0430c5df576cfd2d444367ad928027334c5d03829241cf92

SHA512
918a672f82be50a42c237eeb361b971c724a1d7b11cab183dfd5125bdb7663cae588fa92b142dc99a88407a133bbe58bd7bc0c5c60d93287c470375fc094f079

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt430F.tmp\jpgflt.ift

Filesize
96KB

MD5
ba4a1f5006fc3fc33f30e82a964cd7b3

SHA1
8099283e645b6ef523757afdf552da3dc9b72924

SHA256
5bcaaff4c698581603d4165308260412b38ac6cf708486b53bda3bc76241098d

SHA512
8eaa1bae465a0ddd498372fcc9bd9c2b3bd9ba861abcc9158a0e3b8cf14f2a6fc8aae8fb129f96ea090c023247dec56524b2f42fa25239c08145dbe7c664a11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt430F.tmp\kcini.mfx

Filesize
330KB

MD5
a6ad14845999c5aa7adf2911671a7c5b

SHA1
98dfd5a9584d1c1b330c2c104c1779bd55ded211

SHA256
5af175ffb932fb653873dad095dd40f2ab8d3fb56f287213c21bb68652ddad2d

SHA512
32bb59826b82d47ec420ac2532e1387a85422d2f0ce5370ad2c95b914a7615d3b122dbf4dd045105eb8ffea49324dac57659f0e5f2500b4d0eb75047cb36dfd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt430F.tmp\kclist.mfx

Filesize
32KB

MD5
10a8ccacb046c0dc05adfc6964e99e95

SHA1
48acabc563a9c6d48eae3eda5254306127c00528

SHA256
57d8f859ecf57eed8f2fdc3271ec1d57c879899a527d77a80c9f45b1377742f5

SHA512
e972e0a6d4aa5c0cab99283c27038eb31f0adf2f581b4be9b58768d25a81f71e2aa5482500e4cb16bbc60d41f84ef926cd61a9cbe9fce1fce4adca564a6b147a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt430F.tmp\mmf2d3d9.dll

Filesize
1.5MB

MD5
c85bcc9f3049b57aa8ccbb290342ff14

SHA1
38f5b81a540f1c995ff8d949702440b70921acc5

SHA256
bddda991185a9e83b9855a109f2fcfa78cd2d5402e9db344c6ec77f6ce69a0c5

SHA512
5097f9d78ddc651aabf41f217f622ee656a1c6de6a9b339354525293102cf631cca2b7babaf991e99e49efe4d1bb6792c8a7a11f82e4ae2081c3961eb9b5afe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt430F.tmp\mmfs2.dll

Filesize
768KB

MD5
200520e6e8b4d675b77971dfa9fb91b3

SHA1
0c583bf4c3eda9c955fd0d0d3ba7fdc62a43bf07

SHA256
763ef4484ba9b9e10e19268c045732515f0ac143cf075e6d1ea1f5adcc77633b

SHA512
8b7bb334b6bd83ae43e5a4fe32a92b38b1edd2c292c4a540a54c2ee16092eb30108524c1c363508f7c62617bb224d9b447f07cda97ab7de01688acbfbacec51b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt430F.tmp\mp3flt.sft

Filesize
24KB

MD5
5bebc3ae0122702b89f9262888d3a393

SHA1
064731c0f1d493b5b82921fa78f06e3d1db95284

SHA256
81c9a9459a8e124793addf142cd513945d6fe600e1d67f74897898d7570e56b2

SHA512
c10cb520c2c4a9fe7c371f17ce7f86f138db247468ab1e465dafd7abd294c2beb13cf3a2595b4c8c820d911d8b70842c8f4e45398693c4f0454f973bd58a10a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt430F.tmp\oggflt.sft

Filesize
130KB

MD5
0c8c1ee3ba92189f4ce21d1b396a2765

SHA1
b7daa4a6e16416151dccbb0a89f304961b6cb627

SHA256
9e589f86317d840df9bb74f6ee20c24ca65afe58f4009740382f63a0f5531941

SHA512
0a4339092ac55bac3b1bdfaaa3401020f8f49918bd2fdb14524f3d558eb840b876aedfdeb54a1da163fa36393abf3fe8ab7e112a34ea9d891e82a22e96c85ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt430F.tmp\pinball.mvx

Filesize
68KB

MD5
b208ae4e862a6c6bd6b99bc31b7bf1f9

SHA1
9f7cd9ea0b400c63f11c0a6e7ca5546db7ff218b

SHA256
cbcd1b19716940cb7b48986dfd51f36bc9e04625c4b6face3822a16ed7b49825

SHA512
8ee62a8fcdc26527a2f2b733eefb4fa629ce6ea4cf65d382d95af691874839e88cca8ceaa7e267dc69aa886bdce42c2f64d3cd0743d01bd6f8fdf825fc4e74a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt430F.tmp\pngflt.ift

Filesize
288KB

MD5
d57365ca275388910be7b09d95ee65b9

SHA1
477e9afa81c0ba97323be56d15ade8fb17c45d78

SHA256
df948630fdb53ddad68d66994f5d2b18a67df32478b6b8b3720c28f40bde7b1f

SHA512
b6a7266c47245cdd5ccc1e4c1b490a22996cac3db53500405354d1a5892896f66aba255ff725808770489a199626a844a86cb80e081a47ed27671bd82ca1cfbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt430F.tmp\txtblt.mfx

Filesize
36KB

MD5
8740745e7af7926a0e7d3b194fb51fdf

SHA1
d7688925efd0287334d444a9e4bd584177ed0fbc

SHA256
09a214d9738946b14c4470ea95b45de41641e5d69b7559dbf336f7b4624859b0

SHA512
dc52c25b588f386cceb0eef912e0ac38ffb07443011c957ca3d0fda8c2c6d41e8fbcb33dfc1b7c5ff469216cd8c233d5025b88575bd10684827c18fb5ef52bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt430F.tmp\ultimatefullscreen.mfx

Filesize
73KB

MD5
96059dbec69c3904e4d7ce734a4b38d0

SHA1
5169934f8d89b0dba963861dcbae55e78fc21dfc

SHA256
fd179783ff6e6eb0959185087f33ed4a1b256e58762d9817bcb16888e20f7058

SHA512
82977b2c249e47ca37d6fd62f416ed995b4b5f953bc5c18c84bfbdacc2c5b17fdc50c1e736fafcac242a3f8921b5000e0ec84302bc4e0077d6eeee3aa43cc520

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt430F.tmp\waveflt.sft

Filesize
8KB

MD5
57ea61dd14314ef155e80c6a0be8a664

SHA1
963b0ef2fe976ff77044a821fe1e29be4a8cf8a7

SHA256
92a5053cf5973a6aa228c738d55387f12f1dfa8a837d7b938c60f05b6b56b3ad

SHA512
cc23cb30d76d22500c3ed7ce9ee0388588309d0779441b95559fce25a42f1eff52ca285c347655f8b33c15b75f9d2067738a151f81f605d3b563799a3a06c9a9

Download Submit
C:\Users\Admin\AppData\Roaming\MMFApplications\BTTU.ini

Filesize
15B

MD5
d49c8eb87d062a3a5dc8cb192153ba34

SHA1
187069077dbc0c1aae284b33905700d6f7b89a64

SHA256
93fa0a4cb750638e4a4fa8a7454234ea444b010009b8b9d9cc1750b7353bd2f8

SHA512
963f6dfe65d24220c71be61a910e4d5675f215e8906f44b13ff207942517ba156bbf9ab783948effeada707e20447a5f837b3fe99d5e47c21d20e19b78e0f936

Download Submit
memory/4848-43-0x00000000029B0000-0x00000000029C2000-memory.dmp

Filesize
72KB

Download
memory/4848-58-0x0000000003770000-0x0000000003788000-memory.dmp

Filesize
96KB

Download
memory/4848-73-0x00000000037B0000-0x00000000037D4000-memory.dmp

Filesize
144KB

Download