fa3b854f0e4c0d35ca9a5647bc6935ee1e6a3920d9b951c51b2cb7bc1588c904

Analysis

max time kernel
94s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2024 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malware.exe
Size

114KB
MD5

4fcf540bd465177ee03e6d798ad162f0
SHA1

8464065bca2b577ff861585f03ec42f443dc38c3
SHA256

2cc636f4a1e76bd05ddc3c4cbdc8b2b848424d01146ae698e398795895007b77
SHA512

c36789e362b9d5e5756caa8e9d52fdd6ff8632927bdc9d694c0a316a902a68691ec32634d45331ae8ff816cf5cb3ac1756c8eb3a510a5f98ac6a6abbeaf4725f
SSDEEP

3072:slWhLIfG/dcG2aGp62L/uPddR0rAXR9C2G:slg5e62Tut0rQRt

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2720	cleansweep.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	malware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cleansweep.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4076	malware.exe
4076	malware.exe
4076	malware.exe
4076	malware.exe
2720	cleansweep.exe
2720	cleansweep.exe
2720	cleansweep.exe
2720	cleansweep.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4076	malware.exe
Token: SeDebugPrivilege	4076	malware.exe
Token: SeDebugPrivilege	2720	cleansweep.exe
Token: SeDebugPrivilege	2720	cleansweep.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 3488	4076	malware.exe	56
PID 4076 wrote to memory of 3488	4076	malware.exe	56
PID 4076 wrote to memory of 3488	4076	malware.exe	56
PID 4076 wrote to memory of 3488	4076	malware.exe	56
PID 4076 wrote to memory of 3488	4076	malware.exe	56
PID 4076 wrote to memory of 3488	4076	malware.exe	56
PID 4076 wrote to memory of 3488	4076	malware.exe	56
PID 4076 wrote to memory of 3488	4076	malware.exe	56
PID 4076 wrote to memory of 3488	4076	malware.exe	56
PID 4076 wrote to memory of 3488	4076	malware.exe	56
PID 4076 wrote to memory of 3488	4076	malware.exe	56
PID 4076 wrote to memory of 3488	4076	malware.exe	56
PID 4076 wrote to memory of 3488	4076	malware.exe	56
PID 4076 wrote to memory of 3488	4076	malware.exe	56
PID 4076 wrote to memory of 3488	4076	malware.exe	56
PID 4076 wrote to memory of 3488	4076	malware.exe	56
PID 4076 wrote to memory of 3488	4076	malware.exe	56
PID 4076 wrote to memory of 3488	4076	malware.exe	56
PID 4076 wrote to memory of 3488	4076	malware.exe	56
PID 4076 wrote to memory of 3488	4076	malware.exe	56
PID 4076 wrote to memory of 3488	4076	malware.exe	56
PID 4076 wrote to memory of 3488	4076	malware.exe	56
PID 4076 wrote to memory of 3488	4076	malware.exe	56
PID 4076 wrote to memory of 3488	4076	malware.exe	56
PID 4076 wrote to memory of 3488	4076	malware.exe	56
PID 4076 wrote to memory of 3488	4076	malware.exe	56
PID 4076 wrote to memory of 3488	4076	malware.exe	56
PID 4076 wrote to memory of 3488	4076	malware.exe	56
PID 4076 wrote to memory of 3488	4076	malware.exe	56
PID 4076 wrote to memory of 3488	4076	malware.exe	56
PID 4076 wrote to memory of 3488	4076	malware.exe	56
PID 4076 wrote to memory of 3488	4076	malware.exe	56
PID 4076 wrote to memory of 3488	4076	malware.exe	56
PID 4076 wrote to memory of 612	4076	malware.exe	5
PID 4076 wrote to memory of 612	4076	malware.exe	5
PID 4076 wrote to memory of 612	4076	malware.exe	5
PID 4076 wrote to memory of 612	4076	malware.exe	5
PID 4076 wrote to memory of 612	4076	malware.exe	5
PID 4076 wrote to memory of 612	4076	malware.exe	5
PID 4076 wrote to memory of 612	4076	malware.exe	5
PID 4076 wrote to memory of 612	4076	malware.exe	5
PID 4076 wrote to memory of 612	4076	malware.exe	5
PID 4076 wrote to memory of 612	4076	malware.exe	5
PID 4076 wrote to memory of 612	4076	malware.exe	5
PID 4076 wrote to memory of 612	4076	malware.exe	5
PID 4076 wrote to memory of 612	4076	malware.exe	5
PID 4076 wrote to memory of 612	4076	malware.exe	5
PID 4076 wrote to memory of 612	4076	malware.exe	5
PID 4076 wrote to memory of 612	4076	malware.exe	5
PID 4076 wrote to memory of 612	4076	malware.exe	5
PID 4076 wrote to memory of 612	4076	malware.exe	5
PID 4076 wrote to memory of 612	4076	malware.exe	5
PID 4076 wrote to memory of 612	4076	malware.exe	5
PID 4076 wrote to memory of 612	4076	malware.exe	5
PID 4076 wrote to memory of 612	4076	malware.exe	5
PID 4076 wrote to memory of 612	4076	malware.exe	5
PID 4076 wrote to memory of 612	4076	malware.exe	5
PID 4076 wrote to memory of 612	4076	malware.exe	5
PID 4076 wrote to memory of 612	4076	malware.exe	5
PID 4076 wrote to memory of 612	4076	malware.exe	5
PID 4076 wrote to memory of 612	4076	malware.exe	5
PID 4076 wrote to memory of 612	4076	malware.exe	5
PID 4076 wrote to memory of 612	4076	malware.exe	5
PID 4076 wrote to memory of 612	4076	malware.exe	5

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:788
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:316

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:664

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:796
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:3148
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3836
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3996
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4064
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:660
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3916
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:1796
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:2656
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:4152
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:2736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:860

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1100
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1216

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1328
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1420

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1588

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1632

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1884

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1944

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2156

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2800

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3404

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3488
- C:\Users\Admin\AppData\Local\Temp\malware.exe
  "C:\Users\Admin\AppData\Local\Temp\malware.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\cleansweep.exe\cleansweep.exe
    "C:\cleansweep.exe\cleansweep.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4364

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2956

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:3160

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\cleansweep.exe\cleansweep.exe

Filesize
93KB

MD5
b630314c2e56c8c5c997074f73603174

SHA1
3b63601bcac49db028168a5e2bd65ee0c833efc7

SHA256
d70862e25daa09d6ccf66dce2865993b2b9e02e3e176c56ac026bcc85009c57a

SHA512
aa4c8b2e41550deffc27ca35841f1e207d23cce73d14b7d996c579844e9a605fda88ab685902643798088be561377f16b0c68c109bfdd2ad36f7880a8e8e9fe1

Download Submit
C:\cleansweep.exe\config.bin

Filesize
399B

MD5
c7b4778e8912313d152dc22aeed6f7f0

SHA1
43f845cc44b1f3e582c152aac68aa38f5ebec6f4

SHA256
83eaee38683c1f975f4322011d2c235eec88c9d9c4a98275b7ec033d88629adc

SHA512
b75c93d478b6ef670247f3c7bb1870b7e14eaeb583b6f34a66a6bdaa4a0c364f4551e80a91fbabb71bf6eaeed17e7d3ffe332293197a37bceff24e0fa6b41331

Download Submit
memory/3488-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3488-22-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3488-30-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3488-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3488-28-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3488-27-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3488-23-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3488-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3488-21-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3488-20-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3488-19-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3488-18-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3488-17-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3488-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3488-0-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3488-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3488-29-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3488-31-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3488-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3488-10-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3488-8-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3488-7-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3488-6-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3488-5-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3488-4-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3488-3-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3488-2-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3488-1-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3488-25-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3488-24-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3488-9-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3488-32-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3488-26-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download