db1f9839eadfd7dc8c75c497af90215be8559501b4122a17218c59429833154c

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db1f9839eadfd7dc8c75c497af90215be8559501b4122a17218c59429833154c.exe
Size

979KB
MD5

6b4a9d470362ac3b9a2f55309708c3f8
SHA1

7708b90b913ef8f84b22d846b0a15394370d50aa
SHA256

db1f9839eadfd7dc8c75c497af90215be8559501b4122a17218c59429833154c
SHA512

6f05e5f3bef95ffaa618f4821feb56d4457f466b873bdecf890b1b1f526dab238f8d10a1ebbeacf3cee97269ae0eddc841a90b40b0bf2a5db81790b3262b2194
SSDEEP

24576:/9E2P8JNhRp8Sjfi0DFysgc6srOkooa+rCQsoYkhhqMsKxpwitX5KyfN:/HGhbLjvDFysgcPrvXa+rCVLk7q/Kx5f

Score

10^/10

discovery

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4960 created 3460	4960	Emergency.pif	56

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	db1f9839eadfd7dc8c75c497af90215be8559501b4122a17218c59429833154c.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardSync.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardSync.url	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
4960	Emergency.pif
4404	Emergency.pif

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3880	tasklist.exe
4756	tasklist.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4960 set thread context of 4404	4960	Emergency.pif	102

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\RedeemHarm	db1f9839eadfd7dc8c75c497af90215be8559501b4122a17218c59429833154c.exe
File opened for modification	C:\Windows\BridalBurton	db1f9839eadfd7dc8c75c497af90215be8559501b4122a17218c59429833154c.exe
File opened for modification	C:\Windows\ScrewHint	db1f9839eadfd7dc8c75c497af90215be8559501b4122a17218c59429833154c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db1f9839eadfd7dc8c75c497af90215be8559501b4122a17218c59429833154c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emergency.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
4960	Emergency.pif
4960	Emergency.pif
4960	Emergency.pif
4960	Emergency.pif
4960	Emergency.pif
4960	Emergency.pif
4960	Emergency.pif
4960	Emergency.pif
4960	Emergency.pif
4960	Emergency.pif
4960	Emergency.pif
4960	Emergency.pif
4960	Emergency.pif
4960	Emergency.pif
4960	Emergency.pif
4960	Emergency.pif
4960	Emergency.pif
4960	Emergency.pif
4960	Emergency.pif
4960	Emergency.pif
4960	Emergency.pif
4960	Emergency.pif
4960	Emergency.pif
4960	Emergency.pif
4960	Emergency.pif
4960	Emergency.pif
4960	Emergency.pif
4960	Emergency.pif
4960	Emergency.pif
4960	Emergency.pif
4960	Emergency.pif
4960	Emergency.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3880	tasklist.exe
Token: SeDebugPrivilege	4756	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4960	Emergency.pif
4960	Emergency.pif
4960	Emergency.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4960	Emergency.pif
4960	Emergency.pif
4960	Emergency.pif

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 3404	220	db1f9839eadfd7dc8c75c497af90215be8559501b4122a17218c59429833154c.exe	82
PID 220 wrote to memory of 3404	220	db1f9839eadfd7dc8c75c497af90215be8559501b4122a17218c59429833154c.exe	82
PID 220 wrote to memory of 3404	220	db1f9839eadfd7dc8c75c497af90215be8559501b4122a17218c59429833154c.exe	82
PID 3404 wrote to memory of 3880	3404	cmd.exe	84
PID 3404 wrote to memory of 3880	3404	cmd.exe	84
PID 3404 wrote to memory of 3880	3404	cmd.exe	84
PID 3404 wrote to memory of 1404	3404	cmd.exe	85
PID 3404 wrote to memory of 1404	3404	cmd.exe	85
PID 3404 wrote to memory of 1404	3404	cmd.exe	85
PID 3404 wrote to memory of 4756	3404	cmd.exe	87
PID 3404 wrote to memory of 4756	3404	cmd.exe	87
PID 3404 wrote to memory of 4756	3404	cmd.exe	87
PID 3404 wrote to memory of 924	3404	cmd.exe	88
PID 3404 wrote to memory of 924	3404	cmd.exe	88
PID 3404 wrote to memory of 924	3404	cmd.exe	88
PID 3404 wrote to memory of 2888	3404	cmd.exe	91
PID 3404 wrote to memory of 2888	3404	cmd.exe	91
PID 3404 wrote to memory of 2888	3404	cmd.exe	91
PID 3404 wrote to memory of 3080	3404	cmd.exe	92
PID 3404 wrote to memory of 3080	3404	cmd.exe	92
PID 3404 wrote to memory of 3080	3404	cmd.exe	92
PID 3404 wrote to memory of 4932	3404	cmd.exe	93
PID 3404 wrote to memory of 4932	3404	cmd.exe	93
PID 3404 wrote to memory of 4932	3404	cmd.exe	93
PID 3404 wrote to memory of 4960	3404	cmd.exe	94
PID 3404 wrote to memory of 4960	3404	cmd.exe	94
PID 3404 wrote to memory of 4960	3404	cmd.exe	94
PID 3404 wrote to memory of 3496	3404	cmd.exe	95
PID 3404 wrote to memory of 3496	3404	cmd.exe	95
PID 3404 wrote to memory of 3496	3404	cmd.exe	95
PID 4960 wrote to memory of 1948	4960	Emergency.pif	96
PID 4960 wrote to memory of 1948	4960	Emergency.pif	96
PID 4960 wrote to memory of 1948	4960	Emergency.pif	96
PID 4960 wrote to memory of 4404	4960	Emergency.pif	102
PID 4960 wrote to memory of 4404	4960	Emergency.pif	102
PID 4960 wrote to memory of 4404	4960	Emergency.pif	102
PID 4960 wrote to memory of 4404	4960	Emergency.pif	102
PID 4960 wrote to memory of 4404	4960	Emergency.pif	102

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3460
- C:\Users\Admin\AppData\Local\Temp\db1f9839eadfd7dc8c75c497af90215be8559501b4122a17218c59429833154c.exe
  "C:\Users\Admin\AppData\Local\Temp\db1f9839eadfd7dc8c75c497af90215be8559501b4122a17218c59429833154c.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c move Altered Altered.bat & Altered.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3404
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3880
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa opssvc"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1404
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4756
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
      4⤵
      System Location Discovery: System Language Discovery
      PID:924
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 551680
      4⤵
      System Location Discovery: System Language Discovery
      PID:2888
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "batadvantagesaanbc" Furnishings
      4⤵
      System Location Discovery: System Language Discovery
      PID:3080
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Comply + ..\Delivery + ..\Sales + ..\Exciting + ..\Humanities + ..\Alto K
      4⤵
      System Location Discovery: System Language Discovery
      PID:4932
  - - C:\Users\Admin\AppData\Local\Temp\551680\Emergency.pif
      Emergency.pif K
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4960
    - - C:\Users\Admin\AppData\Local\Temp\551680\Emergency.pif
        
        C:\Users\Admin\AppData\Local\Temp\551680\Emergency.pif
        5⤵
        Executes dropped EXE
        
        PID:4404
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:3496
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardSync.url" & echo URL="C:\Users\Admin\AppData\Local\GuardSync Dynamics\GuardSync.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardSync.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\551680\Emergency.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
C:\Users\Admin\AppData\Local\Temp\551680\K

Filesize
391KB

MD5
c6f5f7e2b862c978f850bf48209085c3

SHA1
39b253ae2471fd47cedbbd8192934b00f3ec5854

SHA256
2ead6640770c50629d377bcb2b5136e152adb537c29fbcb1949c03444ca41334

SHA512
1cf3d0d8a3ce3a162e1c38092da91c99f1ada8a59703cd5d9d00bc0596f993f7666520956681ee255c70a649210cf9877e694386dc2d5ee2183c971643ab80cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Altered

Filesize
25KB

MD5
415906dccc5bfefbb1d24496bb46f7f8

SHA1
ec83a3f314f7047a2d5b2f25389221657ea730f6

SHA256
a6b4d6972df3832f6cef49c8e129847d9f76af94a8bd02f73beb50fbfb01491d

SHA512
0a0273ebd90d67d9816e9376889c9df6ea3973ad36cd1f59d4e91877f3e685e66ac44660f407405bf6547f59e74b055343fc6dd930539a5109cb45cac6728785

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alto

Filesize
43KB

MD5
99d32d9b39835d6b84423330bf358a47

SHA1
a19396c44ad216928ba86532d6fc3f4ec6a5d637

SHA256
e68cfc71b941e860480ae6813435fd4f40794092c2134192f56a4c6f6334713b

SHA512
937812b3041bc63330ee20cc77372b00f327d6d0e37667f4393a9dea2042be545eb7249191257d8c5b772c5502e0c46f39d1c343919e22045f1be47e6da95be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Comply

Filesize
61KB

MD5
943d3e92238c98a09399f2f699640971

SHA1
a1414f4e26a668628101fc0821a8ac6d55637e64

SHA256
5c0cc7f17254ab6c5af89a8f821c2300697bf62e8aaad607238fdad49f472c4f

SHA512
0937d62bb510978d1ec6fdde519017f15907102bb386016c8f84140fdd84324d9ef1736a90b5ed81ceb7e0c055565f5b8b6e59540cea4375c8d9b28f2d4fd659

Download Submit
C:\Users\Admin\AppData\Local\Temp\Delivery

Filesize
55KB

MD5
16c76b68736851dc7ae39e3c4dca9f0d

SHA1
6819bf87a09743d35a1053a038837c47dd8cd128

SHA256
e1fc01136c47462bbe617723a88b569af2205fb1a8839c5a3ba59e67dcec1430

SHA512
722b6d0d29775ac3131f47faddc2e35be6a54141c49322f7b9324b4ecda6962359e700cbb468408ceaedc2035c802161943e6979e33267ce39b9050b90fc8b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Exciting

Filesize
64KB

MD5
76999562bf8866d7f7e318f1e87ffb4f

SHA1
2c30334241f2ef0501921a6fc94048fc5cc2a8fd

SHA256
f8fcb42f464f0b171987f44f0896da2b4d6122b7c5b40decfa4dd3f136cede98

SHA512
9531851f142d0b98b8ae3e544ab0f0c99f2341851eccf2e6cbf8a16ab508140d589269ad26ea99a829d54a663ba4feaabe58ed40aea8d2facb64d1023ffafc0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Furnishings

Filesize
5KB

MD5
ff280cb68ce5e1a6390aa096f761e752

SHA1
68b480954adbc2f03407921f959c37778ca68c65

SHA256
dd536ee64bce1a541b2497c9aa36b3372ee21833865f19cf167c497caa65ae1c

SHA512
4c1277267155c3fb5e1cec36b0a99da6e3bfd156d519a08a4fc9fe21869fcd13ed8ed49f06c19d65e449354b60ee7c656a080febce1bfb82946b8000221d1cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Humanities

Filesize
92KB

MD5
7fb9aff6b478230bae7c263bcdce0e22

SHA1
32fb0f362943d2d0ed07fa6bf026cb40cf73c5cc

SHA256
09b3e339fbfc7107b49db7231d68b579b24a46685b9c8d601fac0e2baeee72ff

SHA512
39cb7e301ba0c1ce8c19c420eafb864d9f6ef441111c49674008f57d6aac69f6ed311c620d652545c4695d5a821b6f52fb5a5611f5cb477a97f56df7483d34ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Idaho

Filesize
867KB

MD5
b874fc334233bbba96fa4a90c5159009

SHA1
7142e4a53942840107d17b0b9dda993f6e8fee5f

SHA256
b8ccaa75856dea134e66acb6470ed9f645bafe5e1ad9a39b6e52bde9de3df83e

SHA512
c45c7f599048bc1f2821e26690868b93dc8529910fa14458aaf584948edc32a080e9ad113d77005116c7a56bfd4fedd556caf0423d37b7bcb7e4c07191a2f730

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sales

Filesize
76KB

MD5
dc3d28e5f5937c5014e97209e86de9fb

SHA1
c1f9ed66c6b06d9ee96a8437c2551767b42e19d9

SHA256
8c374e09bd29fa57c78b576c8fb72c01753bc38e8a6e2850e3db7e18774bb892

SHA512
cfa28388a8c4f063427f19757b6e224ee81bb3ed47fb230707028ea73a0dcf22c663570834274f21de83d0fa2c71993dcc9855ce7802ff84524a2b1042912b89

Download Submit
memory/4404-31-0x0000000000F20000-0x0000000000F57000-memory.dmp

Filesize
220KB

Download
memory/4404-32-0x0000000000F20000-0x0000000000F57000-memory.dmp

Filesize
220KB

Download
memory/4404-34-0x0000000000F20000-0x0000000000F57000-memory.dmp

Filesize
220KB

Download