Resubmissions

02-10-2024 01:35

241002-bz6v8a1bjm 9

02-10-2024 01:16

241002-bmvbnatdna 9

Analysis

  • max time kernel
    131s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-10-2024 01:35

General

  • Target

    calc.exe

  • Size

    422KB

  • MD5

    4bf28f0b6a5b20681a1378a0d8afe694

  • SHA1

    f606479738c2e8dbb67cd9998dc35c830425c559

  • SHA256

    cf6b9d70a6b10490407df35b3fb8968de048328614171ab5c9de51d7638eed3a

  • SHA512

    73dd9e42e0e8489435b96776df67adb8729c47d06fecb4555447975a8f40c68980c9792446dfad2967888b45e69bbab58c29950d2089097c37ac3cb8477171ae

  • SSDEEP

    6144:94v4sIND/AB4jYWoyGN2Ik5AfPjFWFNAy/7+dOYG+/Wi+3I:WABhABEXotkI0A8AyzKOce4

Score
9/10

Malware Config

Signatures

  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Checks computer location settings 2 TTPs 8 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Permission Groups Discovery: Local Groups 1 TTPs

    Attempts to find local system groups and permission settings.

  • System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\calc.exe
    "C:\Users\Admin\AppData\Local\Temp\calc.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4436
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" PhNll77Jcb.jse
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1148
      • C:\Windows\SysWOW64\net.exe
        "C:\Windows\System32\net.exe" user LocalAdministrator /add
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4476
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 user LocalAdministrator /add
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5036
      • C:\Windows\SysWOW64\net.exe
        "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5004
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1928
      • C:\Users\Admin\AppData\Local\Temp\calc.exe
        "C:\Users\Admin\AppData\Local\Temp\calc.exe"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4144
        • C:\Windows\SysWOW64\wscript.exe
          "C:\Windows\System32\wscript.exe" EeEKhl8oMX.jse
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2436
          • C:\Windows\SysWOW64\net.exe
            "C:\Windows\System32\net.exe" user LocalAdministrator /add
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3924
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 user LocalAdministrator /add
              6⤵
              • System Location Discovery: System Language Discovery
              PID:976
          • C:\Windows\SysWOW64\net.exe
            "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4272
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
              6⤵
              • System Location Discovery: System Language Discovery
              PID:732
          • C:\Users\Admin\AppData\Local\Temp\calc.exe
            "C:\Users\Admin\AppData\Local\Temp\calc.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2116
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1044,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4388 /prefetch:8
    1⤵
      PID:5040
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3240
      • C:\Users\Admin\AppData\Local\Temp\calc.exe
        "C:\Users\Admin\AppData\Local\Temp\calc.exe"
        1⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3236
        • C:\Windows\SysWOW64\wscript.exe
          "C:\Windows\System32\wscript.exe" vuGhHO5d1O.jse
          2⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1148
          • C:\Windows\SysWOW64\net.exe
            "C:\Windows\System32\net.exe" user LocalAdministrator /add
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1132
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 user LocalAdministrator /add
              4⤵
              • System Location Discovery: System Language Discovery
              PID:3744
          • C:\Windows\SysWOW64\net.exe
            "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4216
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
              4⤵
              • System Location Discovery: System Language Discovery
              PID:3836
          • C:\Users\Admin\AppData\Local\Temp\calc.exe
            "C:\Users\Admin\AppData\Local\Temp\calc.exe"
            3⤵
            • Checks computer location settings
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:632
            • C:\Windows\SysWOW64\wscript.exe
              "C:\Windows\System32\wscript.exe" xHMpROGr03.jse
              4⤵
              • Checks computer location settings
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3724
              • C:\Windows\SysWOW64\net.exe
                "C:\Windows\System32\net.exe" user LocalAdministrator /add
                5⤵
                • System Location Discovery: System Language Discovery
                PID:4952
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 user LocalAdministrator /add
                  6⤵
                  • System Location Discovery: System Language Discovery
                  PID:4440
              • C:\Windows\SysWOW64\net.exe
                "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
                5⤵
                • System Location Discovery: System Language Discovery
                PID:732
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
                  6⤵
                  • System Location Discovery: System Language Discovery
                  PID:412
              • C:\Users\Admin\AppData\Local\Temp\calc.exe
                "C:\Users\Admin\AppData\Local\Temp\calc.exe"
                5⤵
                • System Location Discovery: System Language Discovery
                PID:1016

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\PhNll77Jcb.jse

    Filesize

    905B

    MD5

    b4eb7f28555dda63f591a950f2db89d1

    SHA1

    92ba2174422096a09ce506c041165564360accc3

    SHA256

    00c9f54dc4deec12db8ba086ec347d03f978e46222d9c5ec5c6240f7ac171c5c

    SHA512

    3268de3032832a54e3251589b6d41ff43f3181e7fbc5de6d466ea45c6db0c8bba6704f87954b4e28a9273067ebe20066169ff70f896a236a3f786291fb660d24

  • memory/2116-10-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/4144-5-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/4436-0-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB