52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
Size

3.2MB
MD5

56969d3e42eb60bc95c97d51377f0de8
SHA1

6d9844be2bbcc86f9c07d8d40c774ce642502c4f
SHA256

52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79
SHA512

ad81e190b09b211a63ea9917934909576ee43c8f97f1b98020c0add770d57214a7e4ae11bc9601f42fced0124072a148d68dddd175995e1a8126de03d59112a0
SSDEEP

98304:DHK+r2k6cc9zrObZKEM8O8PluQhfgN5/7FBR:DHKRk8CsEEOfyd

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe

Executes dropped EXE 1 IoCs

pid	Process
1096	csrss.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\dllhost.exe	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
File created	C:\Program Files\Java\jre-1.8\5940a34987c991	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\IdentityCRL\production\RuntimeBroker.exe	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
File created	C:\Windows\IdentityCRL\production\9e8d7a4ca61bd9	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
Token: SeDebugPrivilege	1096	csrss.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 3080	3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe	88
PID 3240 wrote to memory of 3080	3240	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe	88
PID 3080 wrote to memory of 1116	3080	cmd.exe	90
PID 3080 wrote to memory of 1116	3080	cmd.exe	90
PID 3080 wrote to memory of 3456	3080	cmd.exe	91
PID 3080 wrote to memory of 3456	3080	cmd.exe	91
PID 3080 wrote to memory of 1096	3080	cmd.exe	97
PID 3080 wrote to memory of 1096	3080	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
"C:\Users\Admin\AppData\Local\Temp\52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3TLHMGgyHB.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3080
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1116
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3456
- - C:\Users\Default User\csrss.exe
    "C:\Users\Default User\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3TLHMGgyHB.bat

Filesize
207B

MD5
93f6a9878ba0c6834b0a83fef82da268

SHA1
16ad8722150a69c3a58298a26d04f53cf31ea461

SHA256
2c49e4f62a43ee60d116caaefdc97d6e924fab93254ac630341419c9f8dac6fc

SHA512
835c5824195085d8e392757d4c0ca6e56bdc23058cb05c2de10c212b8e4aebc1425aa51b48f8195454b4e84fb45fe4cff81a972bc29accdc27670c25100dbbfd

Download Submit
C:\Windows\IdentityCRL\production\RuntimeBroker.exe

Filesize
3.2MB

MD5
56969d3e42eb60bc95c97d51377f0de8

SHA1
6d9844be2bbcc86f9c07d8d40c774ce642502c4f

SHA256
52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79

SHA512
ad81e190b09b211a63ea9917934909576ee43c8f97f1b98020c0add770d57214a7e4ae11bc9601f42fced0124072a148d68dddd175995e1a8126de03d59112a0

Download Submit
memory/3240-0-0x00007FFE91E53000-0x00007FFE91E55000-memory.dmp

Filesize
8KB

Download
memory/3240-1-0x0000000000990000-0x0000000000998000-memory.dmp

Filesize
32KB

Download
memory/3240-2-0x000000001B560000-0x000000001B8EC000-memory.dmp

Filesize
3.5MB

Download
memory/3240-6-0x000000001B560000-0x000000001B8E7000-memory.dmp

Filesize
3.5MB

Download
memory/3240-4-0x000000001B560000-0x000000001B8E7000-memory.dmp

Filesize
3.5MB

Download
memory/3240-11-0x000000001B560000-0x000000001B8E7000-memory.dmp

Filesize
3.5MB

Download
memory/3240-13-0x000000001B560000-0x000000001B8E7000-memory.dmp

Filesize
3.5MB

Download
memory/3240-29-0x000000001B560000-0x000000001B8E7000-memory.dmp

Filesize
3.5MB

Download
memory/3240-31-0x000000001B560000-0x000000001B8E7000-memory.dmp

Filesize
3.5MB

Download
memory/3240-51-0x000000001B560000-0x000000001B8E7000-memory.dmp

Filesize
3.5MB

Download
memory/3240-49-0x000000001B560000-0x000000001B8E7000-memory.dmp

Filesize
3.5MB

Download
memory/3240-47-0x000000001B560000-0x000000001B8E7000-memory.dmp

Filesize
3.5MB

Download
memory/3240-45-0x000000001B560000-0x000000001B8E7000-memory.dmp

Filesize
3.5MB

Download
memory/3240-43-0x000000001B560000-0x000000001B8E7000-memory.dmp

Filesize
3.5MB

Download
memory/3240-39-0x000000001B560000-0x000000001B8E7000-memory.dmp

Filesize
3.5MB

Download
memory/3240-37-0x000000001B560000-0x000000001B8E7000-memory.dmp

Filesize
3.5MB

Download
memory/3240-35-0x000000001B560000-0x000000001B8E7000-memory.dmp

Filesize
3.5MB

Download
memory/3240-33-0x000000001B560000-0x000000001B8E7000-memory.dmp

Filesize
3.5MB

Download
memory/3240-41-0x000000001B560000-0x000000001B8E7000-memory.dmp

Filesize
3.5MB

Download
memory/3240-27-0x000000001B560000-0x000000001B8E7000-memory.dmp

Filesize
3.5MB

Download
memory/3240-25-0x000000001B560000-0x000000001B8E7000-memory.dmp

Filesize
3.5MB

Download
memory/3240-23-0x000000001B560000-0x000000001B8E7000-memory.dmp

Filesize
3.5MB

Download
memory/3240-21-0x000000001B560000-0x000000001B8E7000-memory.dmp

Filesize
3.5MB

Download
memory/3240-19-0x000000001B560000-0x000000001B8E7000-memory.dmp

Filesize
3.5MB

Download
memory/3240-17-0x000000001B560000-0x000000001B8E7000-memory.dmp

Filesize
3.5MB

Download
memory/3240-15-0x000000001B560000-0x000000001B8E7000-memory.dmp

Filesize
3.5MB

Download
memory/3240-9-0x00007FFE91E50000-0x00007FFE92911000-memory.dmp

Filesize
10.8MB

Download
memory/3240-8-0x000000001B560000-0x000000001B8E7000-memory.dmp

Filesize
3.5MB

Download
memory/3240-3-0x000000001B560000-0x000000001B8E7000-memory.dmp

Filesize
3.5MB

Download
memory/3240-65-0x000000001B560000-0x000000001B8E7000-memory.dmp

Filesize
3.5MB

Download
memory/3240-67-0x000000001B560000-0x000000001B8E7000-memory.dmp

Filesize
3.5MB

Download
memory/3240-63-0x000000001B560000-0x000000001B8E7000-memory.dmp

Filesize
3.5MB

Download
memory/3240-61-0x000000001B560000-0x000000001B8E7000-memory.dmp

Filesize
3.5MB

Download
memory/3240-59-0x000000001B560000-0x000000001B8E7000-memory.dmp

Filesize
3.5MB

Download
memory/3240-57-0x000000001B560000-0x000000001B8E7000-memory.dmp

Filesize
3.5MB

Download
memory/3240-55-0x000000001B560000-0x000000001B8E7000-memory.dmp

Filesize
3.5MB

Download
memory/3240-53-0x000000001B560000-0x000000001B8E7000-memory.dmp

Filesize
3.5MB

Download
memory/3240-1583-0x00007FFE91E53000-0x00007FFE91E55000-memory.dmp

Filesize
8KB

Download
memory/3240-1909-0x00007FFE91E50000-0x00007FFE92911000-memory.dmp

Filesize
10.8MB

Download
memory/3240-3562-0x00007FFE91E50000-0x00007FFE92911000-memory.dmp

Filesize
10.8MB

Download
memory/3240-3563-0x00007FFE91E50000-0x00007FFE92911000-memory.dmp

Filesize
10.8MB

Download
memory/3240-3565-0x000000001B4B0000-0x000000001B4D6000-memory.dmp

Filesize
152KB

Download
memory/3240-3566-0x00007FFE91E50000-0x00007FFE92911000-memory.dmp

Filesize
10.8MB

Download
memory/3240-3567-0x00007FFE91E50000-0x00007FFE92911000-memory.dmp

Filesize
10.8MB

Download
memory/3240-3572-0x000000001B4E0000-0x000000001B4FC000-memory.dmp

Filesize
112KB

Download
memory/3240-3570-0x00007FFE91E50000-0x00007FFE92911000-memory.dmp

Filesize
10.8MB

Download
memory/3240-3573-0x000000001B9F0000-0x000000001BA40000-memory.dmp

Filesize
320KB

Download
memory/3240-3569-0x0000000002A60000-0x0000000002A6E000-memory.dmp

Filesize
56KB

Download
memory/3240-3575-0x0000000002A70000-0x0000000002A80000-memory.dmp

Filesize
64KB

Download
memory/3240-3576-0x00007FFE91E50000-0x00007FFE92911000-memory.dmp

Filesize
10.8MB

Download
memory/3240-3582-0x000000001B500000-0x000000001B510000-memory.dmp

Filesize
64KB

Download
memory/3240-3580-0x0000000002A80000-0x0000000002A90000-memory.dmp

Filesize
64KB

Download
memory/3240-3583-0x00007FFE91E50000-0x00007FFE92911000-memory.dmp

Filesize
10.8MB

Download
memory/3240-3585-0x000000001B510000-0x000000001B51E000-memory.dmp

Filesize
56KB

Download
memory/3240-3578-0x000000001B520000-0x000000001B538000-memory.dmp

Filesize
96KB

Download
memory/3240-3587-0x000000001C720000-0x000000001C732000-memory.dmp

Filesize
72KB

Download
memory/3240-3590-0x000000001B540000-0x000000001B550000-memory.dmp

Filesize
64KB

Download
memory/3240-3588-0x00007FFE91E50000-0x00007FFE92911000-memory.dmp

Filesize
10.8MB

Download
memory/3240-3592-0x000000001C740000-0x000000001C756000-memory.dmp

Filesize
88KB

Download
memory/3240-3595-0x000000001C760000-0x000000001C772000-memory.dmp

Filesize
72KB

Download
memory/3240-3593-0x00007FFE91E50000-0x00007FFE92911000-memory.dmp

Filesize
10.8MB

Download
memory/3240-3596-0x00007FFE91E50000-0x00007FFE92911000-memory.dmp

Filesize
10.8MB

Download
memory/3240-3600-0x000000001BA40000-0x000000001BA4E000-memory.dmp

Filesize
56KB

Download
memory/3240-3602-0x000000001BA50000-0x000000001BA60000-memory.dmp

Filesize
64KB

Download
memory/3240-3597-0x00007FFE91E50000-0x00007FFE92911000-memory.dmp

Filesize
10.8MB

Download
memory/3240-3603-0x00007FFE91E50000-0x00007FFE92911000-memory.dmp

Filesize
10.8MB

Download
memory/3240-3605-0x000000001C780000-0x000000001C790000-memory.dmp

Filesize
64KB

Download
memory/3240-3598-0x000000001CCB0000-0x000000001D1D8000-memory.dmp

Filesize
5.2MB

Download
memory/3240-3607-0x000000001C7F0000-0x000000001C84A000-memory.dmp

Filesize
360KB

Download
memory/3240-3609-0x000000001C790000-0x000000001C79E000-memory.dmp

Filesize
56KB

Download
memory/3240-3611-0x000000001C7A0000-0x000000001C7B0000-memory.dmp

Filesize
64KB

Download
memory/3240-3613-0x000000001C7B0000-0x000000001C7BE000-memory.dmp

Filesize
56KB

Download
memory/3240-3615-0x000000001C850000-0x000000001C868000-memory.dmp

Filesize
96KB

Download
memory/3240-3617-0x000000001C7C0000-0x000000001C7CC000-memory.dmp

Filesize
48KB

Download
memory/3240-3619-0x000000001CAC0000-0x000000001CB0E000-memory.dmp

Filesize
312KB

Download
memory/3240-3638-0x00007FFE91E50000-0x00007FFE92911000-memory.dmp

Filesize
10.8MB

Download