Analysis
max time kernel: 125s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-09-2024 15:29

Static task: static1
Behavioral task: behavioral1
Sample: EarthTime.exe
Resource: win7-20240708-en
General
Target: EarthTime.exe
Size: 8.7MB
MD5: 71f703024c3d3bfc409f66bb61f971a0
SHA1: f24fc14f39c160b54dc3b2fbd1eba605ec0eb04f
SHA256: bcff246f0739ed98f8aa615d256e7e00bc1cb24c8cabaea609b25c3f050c7805
SHA512: cf33fbaf9ff1b457d39428e96ba0b1ce09f231bc2b396cf01ccd9ba42f6f4d333f0926ac3178da96ce9c550ae47e4404a81b3542ab0044b788318800c9b4b05e
SSDEEP: 98304:jBt7GGYoxXJgc80PlTTwqZytmlF8L0pS2E/E1ixewzlbe1dxMsAVuQDjgt/FgvA:jBhxYuJggO220pSj5pKFMsAkQDUTl
Malware Config
Signatures
SectopRAT payload (1 IoC)
Processes:
  resource: behavioral2/memory/4364-24-0x0000000001030000-0x00000000010F6000-memory.dmp
  yara_rule: family_sectoprat
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
Suspicious use of SetThreadContext (2 IoCs)
Processes: EarthTime.exe, cmd.exe
  description                          pid   Process        procid_target
  PID 4960 set thread context of 4860  4960  EarthTime.exe  93
  PID 4860 set thread context of 4364  4860  cmd.exe        104
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: EarthTime.exe, cmd.exe, MSBuild.exe
  description  ioc                                                             Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  EarthTime.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MSBuild.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: EarthTime.exe, cmd.exe
  pid   Process
  4960  EarthTime.exe
  4960  EarthTime.exe
  4860  cmd.exe
  4860  cmd.exe
  4860  cmd.exe
  4860  cmd.exe
Suspicious behavior: MapViewOfSection (3 IoCs)
Processes: EarthTime.exe, cmd.exe
  pid   Process
  4960  EarthTime.exe
  4860  cmd.exe
  4860  cmd.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: MSBuild.exe
  description              pid   Process
  Token: SeDebugPrivilege  4364  MSBuild.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: EarthTime.exe, cmd.exe
  description                       pid   Process        procid_target
  PID 4960 wrote to memory of 4860  4960  EarthTime.exe  93
  PID 4960 wrote to memory of 4860  4960  EarthTime.exe  93
  PID 4960 wrote to memory of 4860  4960  EarthTime.exe  93
  PID 4960 wrote to memory of 4860  4960  EarthTime.exe  93
  PID 4860 wrote to memory of 4364  4860  cmd.exe        104
  PID 4860 wrote to memory of 4364  4860  cmd.exe        104
  PID 4860 wrote to memory of 4364  4860  cmd.exe        104
  PID 4860 wrote to memory of 4364  4860  cmd.exe        104
  PID 4860 wrote to memory of 4364  4860  cmd.exe        104
Processes
C:\Users\Admin\AppData\Local\Temp\EarthTime.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\EarthTime.exe"
  PID: 4960
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\SysWOW64\cmd.exe
    PID: 4860
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      PID: 4364
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4160,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=3932 /prefetch:8
  PID: 4896
Network
MITRE ATT&CK Enterprise v15
Downloads