Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09-10-2024 18:56
Behavioral task
behavioral1
Sample
Payload.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
Payload.exe
-
Size
55KB
-
MD5
70e0cf3f78f582fa88e357c083747ba7
-
SHA1
26836c26f4a173bc9da51ff874fa918052b40717
-
SHA256
94240ea83ea0cbde12c6cce81f1382fc414aaf38571a9e54a152f64c082ff7f9
-
SHA512
2855323330a1d16c8260db67c3fafe665723c835acc0b0e8c1952f4d088eb49b23fec919c5a8fcf0246603e888548c814d4e41949252464a71df19af2391cdbf
-
SSDEEP
1536:m+mIDn/NOryWhI0DtwsNMDmXExI3pmDm:EIDnE+v0DtwsNMDmXExI3pm
Score
7/10
Malware Config
Signatures
-
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f53a2de487461812859f1781af27b20d.exe Payload.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f53a2de487461812859f1781af27b20d.exe Payload.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f53a2de487461812859f1781af27b20d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe\" .." Payload.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\f53a2de487461812859f1781af27b20d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe\" .." Payload.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Payload.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 4172 cmd.exe 4292 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4292 PING.EXE -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 472 Payload.exe Token: 33 472 Payload.exe Token: SeIncBasePriorityPrivilege 472 Payload.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 472 wrote to memory of 3648 472 Payload.exe 90 PID 472 wrote to memory of 3648 472 Payload.exe 90 PID 472 wrote to memory of 3648 472 Payload.exe 90 PID 472 wrote to memory of 4172 472 Payload.exe 92 PID 472 wrote to memory of 4172 472 Payload.exe 92 PID 472 wrote to memory of 4172 472 Payload.exe 92 PID 4172 wrote to memory of 4292 4172 cmd.exe 94 PID 4172 wrote to memory of 4292 4172 cmd.exe 94 PID 4172 wrote to memory of 4292 4172 cmd.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\Payload.exe"C:\Users\Admin\AppData\Local\Temp\Payload.exe"1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:472 -
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /tn CleanSweepCheck /f2⤵
- System Location Discovery: System Language Discovery
PID:3648
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Local\Temp\Payload.exe"2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:4172 -
C:\Windows\SysWOW64\PING.EXEping 0 -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4292
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1