Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
02-10-2024 01:22
General
-
Target
78fee239cf44c2ab923669b8ccf016ef117a9682e339d96de87fa2f0a45200cc.exe
-
Size
7.7MB
-
MD5
58509394a423edb98b0b1be7f18551ab
-
SHA1
4b7a8ff6ec8bd5908e306cb23d2b84ce3ff03ec3
-
SHA256
78fee239cf44c2ab923669b8ccf016ef117a9682e339d96de87fa2f0a45200cc
-
SHA512
41ec27bb184d55d84b3e7150df35d2229cf93ae389fc4f8b9f8bded29fb730661ddc3a21d6d926f6d98cc169e851e44928fb2058bd898d96924f69e301350b9a
-
SSDEEP
196608:GPtx5dUAuaAxSTZLvD6/x1R92cJUMo7xS6:ctx5dUARAh5n9/GMolS6
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Drops file in Program Files directory 7 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Modifies registry class 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 31 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\78fee239cf44c2ab923669b8ccf016ef117a9682e339d96de87fa2f0a45200cc.exe"C:\Users\Admin\AppData\Local\Temp\78fee239cf44c2ab923669b8ccf016ef117a9682e339d96de87fa2f0a45200cc.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\blockhostnet\dbHnJe8FTGPofdGpjq0jOMhg.vbe"3⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\blockhostnet\iXSXm.bat" "4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\blockhostnet\msinto.exe"C:\blockhostnet/msinto.exe"5⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dzpkzhsc\dzpkzhsc.cmdline"6⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1737.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC350BEFC47204451B954EDC3ECD916B5.TMP"7⤵
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aj4ksdyz\aj4ksdyz.cmdline"6⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES17C4.tmp" "c:\Windows\System32\CSC9D28A93834924453A1D352F8D2FFD48.TMP"7⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O4vpGs7A1d.bat"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650017⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost7⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\lsass.exe"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\lsass.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\explorer.exe"C:\Users\Admin\AppData\Local\Temp\explorer.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls3⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4440,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:81⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\blockhostnet\msedge.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\blockhostnet\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\blockhostnet\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\blockhostnet\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\blockhostnet\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\blockhostnet\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msintom" /sc MINUTE /mo 13 /tr "'C:\blockhostnet\msinto.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msinto" /sc ONLOGON /tr "'C:\blockhostnet\msinto.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msintom" /sc MINUTE /mo 7 /tr "'C:\blockhostnet\msinto.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
207B
MD5740b3b70e25cdfc12e2d9d2fa9ee90c6
SHA1d40f9884a1985b48d7ca94b0355ca820c135408c
SHA256a2689abaace557b67afa8b5d29b98c82515767e547a6c6c139e243c2b7e8d52c
SHA512f0536fbbc3a2ac1c69fb7ac2e5a5c0c7f096e1c18a21c427247e982ba30c4234854b7940100493a3a12d48ee716986aac173e76e4087d0b451f77ed5469ae659
-
Filesize
1KB
MD575bea72e93e06720c3bfc3aa5a94de34
SHA1201613d8c03f6646ad8007e21bfe7c2dbf2b61c5
SHA2569768d95d9ba9d2e362c577777fbdff8316483c88dee5607776f4b3eab5dd0b2a
SHA512a17ec6dcf62e2819b14a5ec98bc52ebad7247776402d2327a4797ffa7e588cb90e7e103875d4383af3974d4d0a5f89acebea939765499b23fc40fd637cea2ee7
-
Filesize
1KB
MD50f82760c4d61345559093497587a38b8
SHA110e40b9dbdc56cfccb1f714a520b505d4cbcc0bd
SHA2560197c2891a93731367d68e74de219f8af145c7288c7234a467d9a6ddc4cc8e97
SHA512a20dc464355016b260df6646ab2942234ca0730ac88f2e890f0eeb49d10d75c99e88dc4a480bc31233c5745085cb6b4281491551887b91ead4c806be3e40d37d
-
Filesize
5.5MB
MD552aaa8c3fd6b813b713ae05ab9e4829c
SHA1d4ac8addbe5e15e867afe58f4bbb8319395ad38e
SHA2560c30d4cb510304d4ce140952f8ce316056cc4bc552cef78a81fd5301aecc1fd2
SHA512c39bba95a8554f1115d0362bad33901fd87e00d5de7671cd48d7b537c97889882b9009a83948087cf8516a32588e4ef831531977740b17a2791cec927934fdd8
-
Filesize
2.1MB
MD5a87cb2a1e23600c28c1a8e6a5c6a1c52
SHA18d8dabcca9b1265a12b4e5a00d517930305468b6
SHA2561ba3c880a6c5d379e7257e3bb14f9aa6b2d836562e5ad0439f219fa76b3d9dca
SHA51223a9132c0eaf6725e42a974c656a8cb5792a67f7eb7e32d33041fb72f45780f97ecfb6822c8099bd7f425fb142dfa6e0e3dbd46b1736d70551c32eb910dbd280
-
Filesize
196B
MD58f9afb736d7dcaf92555a19215fa5c7b
SHA1f735f020e772ac67b5ed87c15d110973980e271b
SHA256d78691f9757ea266450f639553638bdb3f7383341298578a2f4096a7096b2fb4
SHA51269d27657031b6b8c8c9d266f8498a824a13434d62d80144cb5966e26b4e2b2e2e43247af31dc5d845b1a771e267e71ba59dcbcb04f532bce8892a462c035d10b
-
Filesize
71B
MD55b64fe1545fbf11ec2bf13e3cf7579db
SHA1bc17a73a181ca2e2dd489173e12861416e6db274
SHA256579e774b18b84f5d6cba055a2ed46893b438ee98317efafa9837c6e796f6496f
SHA5128e44c179350d5554299c303d54b30c934eff8ed69f807bb810d93087085909d8306eb0f3a7476fc6707c4565c0958e720b8086e5c038e2f337b79f310203c153
-
Filesize
1.8MB
MD583152560524b250c6c27561117df37fe
SHA1f17613b0d3ec3d46a51daf0ca011ff7dc8a8d53a
SHA25672bcbcb256f87968ad40aef6b4dac464921ce8f66cdc242b65eb6e9f23b3ca80
SHA5127793eb5dcc26a00a0c72a07dd084a99d2b41e87e995a25040dd183bd84e94fce652eb896f0eafaa717bd97a67b8d1bb8e7a28b4c7ea4f39c15532881304a218c
-
Filesize
1KB
MD5b5189fb271be514bec128e0d0809c04e
SHA15dd625d27ed30fca234ec097ad66f6c13a7edcbe
SHA256e1984ba1e3ff8b071f7a320a6f1f18e1d5f4f337d31dc30d5bdfb021df39060f
SHA512f0fcb8f97279579beb59f58ea89527ee0d86a64c9de28300f14460bec6c32dda72f0e6466573b6654a1e992421d6fe81ae7cce50f27059f54cf9fdca6953602e
-
Filesize
411B
MD55b8e4b015c461401448533fb1a05bb8a
SHA1fea3b2ce8e557d198dfc447a8eee1974c180ce4d
SHA256931308151c5badadbdb613361780c57f220642f15b6a0baad85c61cac0a6fc3d
SHA5126863a78c3b05fbe524b8ea5827a31172c73698964df4bf66b9416f173736b868ddff9a6de3ca38f7f96b2605da9bdde62e85fc90739dfc1450a8706e7e203a69
-
Filesize
235B
MD585b9f482adf0ec89833be88143ad64b6
SHA1ed071bbd3ed6c034c4d48eb4c718de7fc726e60d
SHA256dcf8853a24f99177aab0249e69e4f834797528fcee5fc6366e9a57adaf4c324e
SHA512101bc635e7b7078117d80e0a98de4e0ccd5c3d181748f449777d0340f8d43a01265aad46079fb1b0b9b8b2e556022b02b84d8921810a450e309f1f4a6886a670
-
Filesize
441B
MD5c707e784e3edc380f7a819c302821fe2
SHA13ffb017d350e3236ecd10c01ec72288fa6fb4b61
SHA256ababe053ef8a10e7cdeae419d9f70e995dd23189391012a6b79089c3395a27be
SHA51296b9c2dabd23a78a2afe16a1b54a9d7792445c522bb70bd1b3f706b3661161bbec7678e405a662817eef37fc0c20ffa1e88c13011b511f6951f2ef6919fc3ae0
-
Filesize
265B
MD565a68132ad2894fa18bfff59f26529f7
SHA1df000ebd35581f3cdda8daaf2eb1d04b4c78b410
SHA2567626894fc079a91ef06226d45990146a191aa09173edd0c96bc385ff29a6c13b
SHA5127eafc75e6068d15148fc409517cf60ebdd89074cbb791e1fc66c2b4ef902c6aa52b1ddb8a05571172ec7b14fafb3f50c0c9f08c4c94fdd158dfffff6779609b8
-
Filesize
1KB
MD5defac805d7edc8907512384855c67e24
SHA1b0b59b7f5f6b872236a383a2381fbdcc7b2b630e
SHA25657cf2da2350701d9232969935334b4bbda42f10945aac7757c951108e0bd24fc
SHA5125dcbdf30678b41c0916b0cf60575ea0029a0acb3ebf2f3a38019d2ce83619a007cc75c8109395d33e1c083cb10a92dc9e94b2b6208526051c0e563448eb10b1f
-
Filesize
56KB
-
Filesize
112KB
-
Filesize
320KB
-
Filesize
96KB
-
Filesize
48KB
-
Filesize
428KB
-
Filesize
1.9MB
-
Filesize
3.2MB
-
Filesize
8.8MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
3.2MB
-
Filesize
428KB
-
Filesize
624KB
-
Filesize
4KB
-
Filesize
7.7MB