e0b0b1e77150b120f147fe696162507cfe4fb9f4e13734d66cef457a1a2724bd

Analysis

max time kernel
119s
max time network
81s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

563a35fcff50eeafb0754eca254a9050N.exe
Size

348KB
MD5

563a35fcff50eeafb0754eca254a9050
SHA1

5f08aa965edce4215884cca8f9ae1a95dbcddd0b
SHA256

e0b0b1e77150b120f147fe696162507cfe4fb9f4e13734d66cef457a1a2724bd
SHA512

49b240b7de9936f0eae3e9250fc06609969039ad7e736b6a78f3f3ab55b65f78b1b2117f39c3b3cd99c46b5a67c572a5fd8ac4aa7a1d4c13d2406034acfebb78
SSDEEP

6144:EbpFMByWEhy9vBpHLnU+r/f79MzNtukvSodidiHlFE:E9y2hqbLnZr/5MJt5qZi/E

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	563a35fcff50eeafb0754eca254a9050N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelPowerAgent5 = "rundll32.exe shell32.dll, ShellExec_RunDLL C:\\PROGRA~3\\2H0BFJ~1.EXE"	backgroundTaskHost.exe

Checks for any installed AV software in registry 1 TTPs 3 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avira	backgroundTaskHost.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast	backgroundTaskHost.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Eset\Nod	backgroundTaskHost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 212 set thread context of 4712	212	563a35fcff50eeafb0754eca254a9050N.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3976	212	WerFault.exe	85
2380	212	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backgroundTaskHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	563a35fcff50eeafb0754eca254a9050N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
212	563a35fcff50eeafb0754eca254a9050N.exe
212	563a35fcff50eeafb0754eca254a9050N.exe
212	563a35fcff50eeafb0754eca254a9050N.exe
212	563a35fcff50eeafb0754eca254a9050N.exe
212	563a35fcff50eeafb0754eca254a9050N.exe
212	563a35fcff50eeafb0754eca254a9050N.exe
212	563a35fcff50eeafb0754eca254a9050N.exe
212	563a35fcff50eeafb0754eca254a9050N.exe
212	563a35fcff50eeafb0754eca254a9050N.exe
212	563a35fcff50eeafb0754eca254a9050N.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe
4712	backgroundTaskHost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	212	563a35fcff50eeafb0754eca254a9050N.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 4712	212	563a35fcff50eeafb0754eca254a9050N.exe	95
PID 212 wrote to memory of 4712	212	563a35fcff50eeafb0754eca254a9050N.exe	95
PID 212 wrote to memory of 4712	212	563a35fcff50eeafb0754eca254a9050N.exe	95
PID 212 wrote to memory of 4712	212	563a35fcff50eeafb0754eca254a9050N.exe	95
PID 212 wrote to memory of 4712	212	563a35fcff50eeafb0754eca254a9050N.exe	95
PID 212 wrote to memory of 4712	212	563a35fcff50eeafb0754eca254a9050N.exe	95
PID 212 wrote to memory of 4712	212	563a35fcff50eeafb0754eca254a9050N.exe	95
PID 212 wrote to memory of 4712	212	563a35fcff50eeafb0754eca254a9050N.exe	95
PID 212 wrote to memory of 4712	212	563a35fcff50eeafb0754eca254a9050N.exe	95
PID 212 wrote to memory of 4712	212	563a35fcff50eeafb0754eca254a9050N.exe	95
PID 212 wrote to memory of 4712	212	563a35fcff50eeafb0754eca254a9050N.exe	95
PID 212 wrote to memory of 2492	212	563a35fcff50eeafb0754eca254a9050N.exe	98
PID 212 wrote to memory of 2492	212	563a35fcff50eeafb0754eca254a9050N.exe	98
PID 212 wrote to memory of 2492	212	563a35fcff50eeafb0754eca254a9050N.exe	98
PID 2492 wrote to memory of 4172	2492	cmd.exe	103
PID 2492 wrote to memory of 4172	2492	cmd.exe	103
PID 2492 wrote to memory of 4172	2492	cmd.exe	103

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4172	attrib.exe

C:\Users\Admin\AppData\Local\Temp\563a35fcff50eeafb0754eca254a9050N.exe
"C:\Users\Admin\AppData\Local\Temp\563a35fcff50eeafb0754eca254a9050N.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:212
- C:\Windows\SysWOW64\backgroundTaskHost.exe
  "backgroundTaskHost.exe"
  2⤵
  - Adds Run key to start application
  - Checks for any installed AV software in registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\gbw6C40.tmp.bat" "C:\Users\Admin\AppData\Local\Temp\563a35fcff50eeafb0754eca254a9050N.exe""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\563a35fcff50eeafb0754eca254a9050N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:4172
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 1732
  2⤵
  - Program crash
  PID:3976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 1236
  2⤵
  - Program crash
  PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 212 -ip 212
1⤵
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 212 -ip 212
1⤵
PID:4240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\2h0bfjhdh2.exe

Filesize
348KB

MD5
8982bab3e4786775f6f2e873b5b814e1

SHA1
0f05e6a9cba64820fc91b4e0eeeb4519477e55d4

SHA256
696b825a8535bb076e7320a057ac32a9a1525f8648088d777d2d3524c99002c9

SHA512
afc571f032dc3b24191b522bd4461c888e535b4540f18084b789dd8452d0755b44a78a7793e7fffaee81255e655c219e9f8ef8549bbac4912d6dab1b1d7a6ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3492473cd35c8bdceed8

Filesize
29B

MD5
5b7623eb82c461c5e1d65c960e25c5b3

SHA1
a46af4020f8201e0f760902a52152ddff2ef6765

SHA256
93928f28198def4da8b88cd3f32670da7cb560dcaa220201aca579a5cee3ebee

SHA512
82770df84daf0d40239ca6866e1643c98b7aa2bb9c584363fa1190f5fb55e162df871b16982dbaf00062ae814c0c8c351fe50d5d251dc063bfe5f94ac858e599

Download Submit
C:\Users\Admin\AppData\Local\gbw6C40.tmp.bat

Filesize
54B

MD5
35205e1c6e62566f8364cc29d8509b04

SHA1
382daaa5fbc99d5bffbdc863901e8f940795e356

SHA256
53064f74da279bda3e1209840514dd4129084f4c052e8129ad45359ca0a022d2

SHA512
2058dd131a18dd8132ae2f0766605db6368c3fce6e94264b5f4d44ccdaa717c037629db317101de8b87804c81e9b192c213d849c530d8bbbadb8581e23bd4814

Download Submit
memory/212-9-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/212-4-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/212-0-0x0000000000457000-0x000000000045B000-memory.dmp

Filesize
16KB

Download
memory/212-429-0x0000000000457000-0x000000000045B000-memory.dmp

Filesize
16KB

Download
memory/212-428-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/212-1-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/212-2-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4712-306-0x0000000000760000-0x00000000007CA000-memory.dmp

Filesize
424KB

Download
memory/4712-300-0x0000000000760000-0x00000000007CA000-memory.dmp

Filesize
424KB

Download
memory/4712-7-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/4712-302-0x0000000000760000-0x00000000007CA000-memory.dmp

Filesize
424KB

Download
memory/4712-297-0x0000000000760000-0x00000000007CA000-memory.dmp

Filesize
424KB

Download
memory/4712-410-0x0000000000760000-0x00000000007CA000-memory.dmp

Filesize
424KB

Download
memory/4712-349-0x0000000000760000-0x00000000007CA000-memory.dmp

Filesize
424KB

Download
memory/4712-296-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/4712-292-0x0000000000760000-0x00000000007CA000-memory.dmp

Filesize
424KB

Download
memory/4712-10-0x0000000000760000-0x00000000007CA000-memory.dmp

Filesize
424KB

Download
memory/4712-430-0x0000000000760000-0x00000000007CA000-memory.dmp

Filesize
424KB

Download
memory/4712-447-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download