Analysis

  • max time kernel
    94s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-10-2024 23:42

General

  • Target

    77f7cd23c4206e377f98a24583be1290ee4de12c9465786d29efa7eb0b84c209.exe

  • Size

    93KB

  • MD5

    5294bc84139e6b58df2af064850e3c79

  • SHA1

    e5b159107f6015f482dc411d585192150f3ed85a

  • SHA256

    77f7cd23c4206e377f98a24583be1290ee4de12c9465786d29efa7eb0b84c209

  • SHA512

    2e2a6729fc7ba7dc3f2d8385cc4c15b2c1dea0532ae15a2d0c932340d213b5d042f3f97f390419bc1a728b35a7b81eb1abb87c5a17f58b60e4f0ca60d3ec07f4

  • SSDEEP

    1536:+HxCaqYLXJOfEbvdTvqGORq0H/waHXxoqNFcMeYxoPRR:+Hx8YL02HamwFDoPv

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 15 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 14 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious behavior: MapViewOfSection 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\77f7cd23c4206e377f98a24583be1290ee4de12c9465786d29efa7eb0b84c209.exe
    "C:\Users\Admin\AppData\Local\Temp\77f7cd23c4206e377f98a24583be1290ee4de12c9465786d29efa7eb0b84c209.exe"
    1⤵
    • Drops startup file
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:8
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3580
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe
        3⤵
        • Suspicious behavior: MapViewOfSection
        PID:2840
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4076
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:2308
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:5000
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:4992
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3748
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1936
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4828
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2900
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1008
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2072
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    PID:972
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    PID:3064
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    PID:4928
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    PID:4140
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    PID:4252
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    PID:2872
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:4092
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      PID:3608
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Suspicious behavior: EnumeratesProcesses
    PID:4464

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

    Filesize
    471B

    MD5
    b1c0b45ee7dd6cf8af032978e4599f46

    SHA1
    9883eb4119c51ebfd2aed51a6e58c901183e77ec

    SHA256
    14ee1db176141760e96b3dacbd1a963b6da0bc644f5d62ae2163275315e9f81d

    SHA512
    89c96d71ddf16a79cae5a988630fe5bd7ece3a764dcd5ea91d1910d674a2f954701b301c8d62585c520232078326a497331799c4153eafbaac83785c2d288e21

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

    Filesize
    412B

    MD5
    73957f48464a35910f3e003b441b66cf

    SHA1
    67a90ef3e7ac9160abf230feb44b979c7e6302c8

    SHA256
    d267903d94ba42ac0b09bbad56a15cd5e17f1d3f0d427d36c90c1be95198df96

    SHA512
    a1986245efc805efcc9ccf90e044afeb7c11f71f59cf8493246d58851e325f1c911bb837557680b7625d6ff45f459ca7d791c3d7a279bc4c749126f67137e745

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe

    Filesize
    93KB

    MD5
    5294bc84139e6b58df2af064850e3c79

    SHA1
    e5b159107f6015f482dc411d585192150f3ed85a

    SHA256
    77f7cd23c4206e377f98a24583be1290ee4de12c9465786d29efa7eb0b84c209

    SHA512
    2e2a6729fc7ba7dc3f2d8385cc4c15b2c1dea0532ae15a2d0c932340d213b5d042f3f97f390419bc1a728b35a7b81eb1abb87c5a17f58b60e4f0ca60d3ec07f4

  • memory/8-0-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
  • memory/8-5-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
  • memory/2252-45-0x0000015F38FC0000-0x0000015F38FE7000-memory.dmp (Filesize: 156KB)
  • memory/2252-55-0x00007FFDDC98D000-0x00007FFDDC98E000-memory.dmp (Filesize: 4KB)
  • memory/2652-32-0x000002143DFF0000-0x000002143E017000-memory.dmp (Filesize: 156KB)
  • memory/2700-48-0x00007FFDDC98D000-0x00007FFDDC98E000-memory.dmp (Filesize: 4KB)
  • memory/2700-94-0x00000271DF660000-0x00000271DF687000-memory.dmp (Filesize: 156KB)
  • memory/2700-33-0x00000271DF5D0000-0x00000271DF5F7000-memory.dmp (Filesize: 156KB)
  • memory/2840-11-0x0000000000EB0000-0x0000000000ED7000-memory.dmp (Filesize: 156KB)
  • memory/2940-34-0x00000246EBCA0000-0x00000246EBCC7000-memory.dmp (Filesize: 156KB)
  • memory/2940-50-0x00007FFDDC98D000-0x00007FFDDC98E000-memory.dmp (Filesize: 4KB)
  • memory/2940-71-0x00000246EBD20000-0x00000246EBD21000-memory.dmp (Filesize: 4KB)
  • memory/3416-70-0x00000000026B0000-0x00000000026B1000-memory.dmp (Filesize: 4KB)
  • memory/3416-62-0x0000000002AB0000-0x0000000002AB1000-memory.dmp (Filesize: 4KB)
  • memory/3416-13-0x0000000002A40000-0x0000000002A67000-memory.dmp (Filesize: 156KB)
  • memory/3416-30-0x00007FFDDC98D000-0x00007FFDDC98E000-memory.dmp (Filesize: 4KB)
  • memory/3416-31-0x0000000002850000-0x0000000002862000-memory.dmp (Filesize: 72KB)
  • memory/3416-12-0x0000000002A40000-0x0000000002A67000-memory.dmp (Filesize: 156KB)
  • memory/3492-44-0x0000014A34C60000-0x0000014A34C87000-memory.dmp (Filesize: 156KB)
  • memory/3492-54-0x00007FFDDC98D000-0x00007FFDDC98E000-memory.dmp (Filesize: 4KB)
  • memory/3552-40-0x000002905D5C0000-0x000002905D5E7000-memory.dmp (Filesize: 156KB)
  • memory/3552-95-0x000002905FA70000-0x000002905FA97000-memory.dmp (Filesize: 156KB)
  • memory/3580-7-0x0000000002690000-0x0000000002691000-memory.dmp (Filesize: 4KB)
  • memory/3580-6-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
  • memory/3580-8-0x0000000002660000-0x0000000002687000-memory.dmp (Filesize: 156KB)
  • memory/3580-9-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
  • memory/3772-41-0x000001EA103C0000-0x000001EA103E7000-memory.dmp (Filesize: 156KB)
  • memory/3772-67-0x000001EA10450000-0x000001EA10458000-memory.dmp (Filesize: 32KB)
  • memory/3772-68-0x000001EA10440000-0x000001EA10441000-memory.dmp (Filesize: 4KB)
  • memory/3864-53-0x00007FFDDC98D000-0x00007FFDDC98E000-memory.dmp (Filesize: 4KB)
  • memory/3864-42-0x000001F460760000-0x000001F460787000-memory.dmp (Filesize: 156KB)
  • memory/3928-43-0x0000015773840000-0x0000015773867000-memory.dmp (Filesize: 156KB)
  • memory/4076-81-0x0000000007EB0000-0x0000000007ED7000-memory.dmp (Filesize: 156KB)
  • memory/4076-93-0x0000000007EE0000-0x0000000007F07000-memory.dmp (Filesize: 156KB)
  • memory/4284-56-0x000001BC98F10000-0x000001BC98F37000-memory.dmp (Filesize: 156KB)
  • memory/4444-47-0x000002118FDA0000-0x000002118FDC7000-memory.dmp (Filesize: 156KB)
  • memory/4764-57-0x000001E926800000-0x000001E926827000-memory.dmp (Filesize: 156KB)