b756f04d1cd713bb11d5ae1032f8e8580d7cb11ad9e58f0219c9a9fb02c20d42

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 22:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b756f04d1cd713bb11d5ae1032f8e8580d7cb11ad9e58f0219c9a9fb02c20d42.exe
Size

1.1MB
MD5

fe92fd358fb079b60a6a38bf212e8b76
SHA1

f26e19331f124564c89d091733267ac261265c69
SHA256

b756f04d1cd713bb11d5ae1032f8e8580d7cb11ad9e58f0219c9a9fb02c20d42
SHA512

642f979d05c4c099f0322de6d6d086153d174ec875714e99063fec6f316c95e3f6731c1225ff1487d58dd35b723a4609905341da9c25a2277c1fb834e44f4588
SSDEEP

24576:qxCiG4tPQ1OgCwH1Wz3rhbNyeAjykZUDwHob0mtI:0CiGL1Og23rhxyeAOkun0mtI

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	b756f04d1cd713bb11d5ae1032f8e8580d7cb11ad9e58f0219c9a9fb02c20d42.exe

Executes dropped EXE 1 IoCs

pid	Process
4688	Immigrants.pif

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2856	tasklist.exe
592	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Immigrants.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b756f04d1cd713bb11d5ae1032f8e8580d7cb11ad9e58f0219c9a9fb02c20d42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4764	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4764	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4688	Immigrants.pif
4688	Immigrants.pif
4688	Immigrants.pif
4688	Immigrants.pif
4688	Immigrants.pif
4688	Immigrants.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2856	tasklist.exe
Token: SeDebugPrivilege	592	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4688	Immigrants.pif
4688	Immigrants.pif
4688	Immigrants.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4688	Immigrants.pif
4688	Immigrants.pif
4688	Immigrants.pif

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 744	5068	b756f04d1cd713bb11d5ae1032f8e8580d7cb11ad9e58f0219c9a9fb02c20d42.exe	87
PID 5068 wrote to memory of 744	5068	b756f04d1cd713bb11d5ae1032f8e8580d7cb11ad9e58f0219c9a9fb02c20d42.exe	87
PID 5068 wrote to memory of 744	5068	b756f04d1cd713bb11d5ae1032f8e8580d7cb11ad9e58f0219c9a9fb02c20d42.exe	87
PID 744 wrote to memory of 2856	744	cmd.exe	89
PID 744 wrote to memory of 2856	744	cmd.exe	89
PID 744 wrote to memory of 2856	744	cmd.exe	89
PID 744 wrote to memory of 4644	744	cmd.exe	90
PID 744 wrote to memory of 4644	744	cmd.exe	90
PID 744 wrote to memory of 4644	744	cmd.exe	90
PID 744 wrote to memory of 592	744	cmd.exe	92
PID 744 wrote to memory of 592	744	cmd.exe	92
PID 744 wrote to memory of 592	744	cmd.exe	92
PID 744 wrote to memory of 2836	744	cmd.exe	93
PID 744 wrote to memory of 2836	744	cmd.exe	93
PID 744 wrote to memory of 2836	744	cmd.exe	93
PID 744 wrote to memory of 2868	744	cmd.exe	94
PID 744 wrote to memory of 2868	744	cmd.exe	94
PID 744 wrote to memory of 2868	744	cmd.exe	94
PID 744 wrote to memory of 4336	744	cmd.exe	95
PID 744 wrote to memory of 4336	744	cmd.exe	95
PID 744 wrote to memory of 4336	744	cmd.exe	95
PID 744 wrote to memory of 2792	744	cmd.exe	96
PID 744 wrote to memory of 2792	744	cmd.exe	96
PID 744 wrote to memory of 2792	744	cmd.exe	96
PID 744 wrote to memory of 4688	744	cmd.exe	97
PID 744 wrote to memory of 4688	744	cmd.exe	97
PID 744 wrote to memory of 4688	744	cmd.exe	97
PID 744 wrote to memory of 4764	744	cmd.exe	98
PID 744 wrote to memory of 4764	744	cmd.exe	98
PID 744 wrote to memory of 4764	744	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\b756f04d1cd713bb11d5ae1032f8e8580d7cb11ad9e58f0219c9a9fb02c20d42.exe
"C:\Users\Admin\AppData\Local\Temp\b756f04d1cd713bb11d5ae1032f8e8580d7cb11ad9e58f0219c9a9fb02c20d42.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k move Guest Guest.bat & Guest.bat & exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2856
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4644
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:592
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa.exe opssvc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 13711
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2868
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Earn + Program + Asset + Reserve + Slowly 13711\Immigrants.pif
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4336
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Viking + Chaos + Participated 13711\Z
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2792
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\13711\Immigrants.pif
    13711\Immigrants.pif 13711\Z
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4688
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 localhost
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\13711\Immigrants.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\13711\Z

Filesize
1011KB

MD5
86f54ba6ed2e65a34276922a62cf04e6

SHA1
7c66874ba8bad12836d18672b31b856be6ebe4dd

SHA256
a388bbf5baf8b3fb09340031dac1c88edc8929a630586af3dcbb37cfe580e26a

SHA512
17993fa53a01cce1f6518afa3e5d9922232e072314b47083434ea4ea9bcb04875c10ed8b4d271d8193a928fe5352b3274c7842a11fb37d1ec2deb3c91528bc3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Asset

Filesize
149KB

MD5
8ac1baefdc2ded378686004cb4fff9e1

SHA1
d0a34045d2cfa3b7cac9e89cbcaeb93a5f84d01a

SHA256
5249e4b2628e7d35a52bd49445883b5e0b11efde03c508aa6c026c87cf6b2ac8

SHA512
2a3dba0bf40c27174a9958496b5fd8f7221763f6e9b44fc4282fd7ae720c313289048f419e0ffbd4ed74831bd201c7658c14649f9a1ff00869efa7f448286dbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chaos

Filesize
470KB

MD5
1236736fe0a02c2cd4bfe15deb893827

SHA1
c3af0c3e0b07d3500e91c6ad27b4ea236a42dbc2

SHA256
3cb67c9178de85ddfd478c85ddea7b3d1e9d8ae1a5512a3bb7e10b7efcac7939

SHA512
605a2ed66c72569f0253516f7e94ad0112ec69f7c87fcd48f5d283089abc9996a654429675dcdb3e111db415d326d7afa8c17a60a8fee935a65c0003b1a1d2ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Earn

Filesize
242KB

MD5
3dc2a9b76a1d6565091a348e2b1f8751

SHA1
79565e6821e0f4c1a8d28494365d3b3deb354140

SHA256
acf6ace5d4162c30d687204df636013d66167a1a01af56e7c2721fe32a156558

SHA512
ae6861c940bb3609d361e043f73c54882091adb1de34e8217b5787639fb7035e6d358cd2418e1c967c97886193ec9a54c95b9ea9fb681b18a6c682897e24656d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Guest

Filesize
12KB

MD5
501aca372cb3df2ad5581521fd1e67d5

SHA1
f63c4e28c7acded78b9d29d55cee98bb7b869229

SHA256
a8ed85ff54eaf2817cde494e8260069c14366edfc42358f057df6382a77da0f1

SHA512
696ae629e0ed5a353fdba3521a45e33b013ffb12d274e90ea96ce271e8c6e660280eb437140f5eec1e617cdb41be220d1a1cb39b476bbba229857cd42fb8242a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Participated

Filesize
108KB

MD5
70e099c6462c8ef9dbec213f5ce0496f

SHA1
f9fed8482e75329372eda0ec5ef5d9b228a7ffd5

SHA256
b84d99acccf17a6ca04803a2a3d8f115b610b6ee3ddf86353b79fc88748c037c

SHA512
e8176abb52afb32d962eca35ee756c99eef3592fcda2f3f3853392e8f6258ec027a20f48e8a1ca23e22494369efc091de6bf8ad636fdccd39a1eefa58acf611e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Program

Filesize
176KB

MD5
0b6b9db466bb6f816784ee7380ea9572

SHA1
fa236a7c914ece18bce4e9538f7497df17a214ed

SHA256
ba01cc5b82a5ccb4087e3e430c6ede046c336a071e768300ccd976422da83847

SHA512
670ee24b2b98dbe8eda5bac654de21d759786f4eb797bda9ac5848102f2a652463c45a518ca92adf3351e0efd5e0c4947226effeb164fdc10306584781267507

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Reserve

Filesize
183KB

MD5
6145b2986f61b8dd11c301bc6b0279db

SHA1
d2142316774e6e920ec594071de22b48ca30630c

SHA256
e8ac10eda692a57273edcdecd449fdd8f37d6fea1f17829811ba46148ae3dc49

SHA512
4ee8a582c7a334063703393fb690fd48fef12eb631de2643efe4a7fde6b5a599de754043159bf0f42dca4235b4a0d68f38cf0a9f34ea3c6232c78662d3a0daf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Slowly

Filesize
174KB

MD5
7cef207172cbdf6768101f8a2602f787

SHA1
20e50bd7257e773fab11928da0a6500693fbad11

SHA256
6c3482c9f62da91208f4f67fe2a41211f8a2a7929bfda4841495d20d29bf1e9c

SHA512
42e38ae3e936cadbb6b4d0eb013977bcbe3c80a9a44fd22f49ec1ba593625a4146122941e3b90f3a4c20680eb50d074607086cc1f52a851f4e5ae2eaf0ce44f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Viking

Filesize
433KB

MD5
d2241c8bced7ee96287bc6e8b0deb59d

SHA1
e8c360585688cea64381f827950d302b6faebc94

SHA256
f11bbadb34467256d62f93ffc984813a7360dd52598937078916f9f1e8c10aa2

SHA512
50e7116a121ab71ec008229a9ddfa5b95092909c791575385c5db2a465a457ca83e77acc03107f8d9e3bc6a0e998d15a03705c5f890b680efe50cd3d89d3f5d3

Download Submit
memory/4688-33-0x0000000000150000-0x00000000001CB000-memory.dmp

Filesize
492KB

Download
memory/4688-35-0x0000000000150000-0x00000000001CB000-memory.dmp

Filesize
492KB

Download
memory/4688-34-0x0000000000150000-0x00000000001CB000-memory.dmp

Filesize
492KB

Download
memory/4688-36-0x0000000000150000-0x00000000001CB000-memory.dmp

Filesize
492KB

Download
memory/4688-37-0x0000000000150000-0x00000000001CB000-memory.dmp

Filesize
492KB

Download