Analysis

  • max time kernel
    1795s
  • max time network
    1799s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/09/2024, 05:48

General

  • Target

    Cleanup_Basic.exe

  • Size

    214KB

  • MD5

    6a44af6eda4462171d04c33051cd6b20

  • SHA1

    e4b5842957c198be01d7b6826c2ae1f425d78746

  • SHA256

    551d146b6e1d7861a5b211597ebdbbb2e1f16021386c382954dc7b322b6ad0a5

  • SHA512

    6842b59bf97e5b41dfd61d297081f8505cf27a562452c71da8ddd3aed5838ccc575980cd1233d32aec242f751e2c5a3689935e9942bd818cce0aab51ca110eb3

  • SSDEEP

    3072:KQLWOnFiCnkIDSrySPnhl0Cj/irN833f+y7bQ6wvCIWf2JjBX+Zfzp8/Hkbl71RR:nACTD4Pbn3f+yfwKIW+fcfzO/o71RUK

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Cleanup_Basic.exe
    "C:\Users\Admin\AppData\Local\Temp\Cleanup_Basic.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4692
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\7.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4504
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\PATCHES_TEMP.bat" "
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:4312
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Recycle.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1396
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\User_Internet_Temp.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1132
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\User_Temp.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4364
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1304,i,2727319350781907497,7925939240893079607,262144 --variations-seed-version --mojo-platform-channel-handle=4252 /prefetch:8
    1⤵
    PID:1460
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2712
  • C:\Users\Admin\AppData\Local\Temp\Cleanup_Basic.exe
    "C:\Users\Admin\AppData\Local\Temp\Cleanup_Basic.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2984
  • C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Cleanup_Basic\" -spe -an -ai#7zMap724:106:7zEvent30648
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2604
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Cleanup_Basic\7.bat" "
    1⤵
    PID:4156
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Cleanup_Basic\PATCHES_TEMP.bat" "
    1⤵
    • Drops file in Windows directory
    PID:3940
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Cleanup_Basic\Recycle.bat" "
    1⤵
    PID:4444
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Cleanup_Basic\User_Internet_Temp.bat" "
    1⤵
    PID:3264
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Cleanup_Basic\User_Temp.bat" "
    1⤵
    PID:1892
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1424,i,2727319350781907497,7925939240893079607,262144 --variations-seed-version --mojo-platform-channel-handle=4372 /prefetch:8
    1⤵
    PID:3952

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\7.bat
    Filesize
    107B
    MD5
    7b7224abcf6313804abfa2175103cb41
    SHA1
    48be432bc01ba5bf00a41fcd958c3968ea67acbf
    SHA256
    9b6b202deb60806df3e0f23225004a39ccc9fa912dc7630ba0c526fe27583ba4
    SHA512
    f77bf46dbdfce4ea8a2497af60abbfa477258d523661d23e802995254b1f5af24524a9d121ede8362894a64e60f9b5f5d20b2b400f587165217e021a22396584
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PATCHES_TEMP.bat
    Filesize
    178B
    MD5
    0bf8d1e229e23ab88ebe5d0bf9e2a614
    SHA1
    4d29b802ddda9c3d9503bf5b846e33c31d295a85
    SHA256
    bc6f2e2411324af18ba011c5a242f1c3f727f1c1facdedc2a9418eaf6d88d7a9
    SHA512
    e41eb1c5c6cf8447a6455585d6c1973cc9198af9a4e03ca8d0d338b7bb1100bb3f6490addee0697fa16d95002bbb78bb9e37e33477d591229e35cbd6ff1391af
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Recycle.bat
    Filesize
    48B
    MD5
    5dbfbb0b57bccb73b2c565b021ff0197
    SHA1
    86c3398c53b2bb20322d250209eabf00afa05170
    SHA256
    e5b393488f7dadf66aaa8fa99d7881b13f038381af70fcd6567e57b83fcb8814
    SHA512
    2133129eab464ca9274949f541fd80b0c98ecdd2634d590ffb83662630f1644d873c56ebd5fd9466784e00e3de18eb00fe942aec0319a8066552d92c10164a8c
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\User_Internet_Temp.bat
    Filesize
    316B
    MD5
    b341a04e612e6ed2bdfb11e7d1a9a4e5
    SHA1
    a4ff52251c0750cef4d19f9a0e5f8130da881d03
    SHA256
    fd137fb82fdd2aee8e4887b0ff20cb209f8c67edba4042e69c9f3a78f6e83103
    SHA512
    e9e8e7d846dd3fbf6bb17a64de39eeb50c968799e968d8f11bd38e45664d8cb45ec4ee52842185507fb67707ca9d7c8bed43d488f7f343ded12eac6ae94d4f74
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\User_Temp.bat
    Filesize
    231B
    MD5
    3dfa9a05b23c2205676b887ec654218e
    SHA1
    45059be952c84fbfa075823155789448e5613ec5
    SHA256
    d51cfe301aa00cd3b7b0accee8c6a7a454087f206594e7d0e7ec083056a7eb30
    SHA512
    e2d9120d694acd02d4c5679fc1b9d9c4ce020a009d08f42330c1c05b88f2c997684d91fd28242c48bde9e882fe101587e6b2768067acd2195bbfbf8c792918ea