Resubmissions
18-10-2024 17:25
241018-vzl1la1cqq 1018-10-2024 16:26
241018-txhdyswgqh 1018-10-2024 16:25
241018-tw78zsydrp 318-10-2024 16:22
241018-tvh8gawfqa 3Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
18-10-2024 17:25
General
-
Target
6812964531.exe
-
Size
67KB
-
MD5
7de65122a13ab9d81368ee3dff3cc80a
-
SHA1
ecbb4db641431d4d672e4b88e8d309419fd32f04
-
SHA256
a73a05a4b6ec6ae1c1ba6d3d12b68cc52b899e2a6dbbaaa1f48f2c260a733123
-
SHA512
b156d77a665c3256ddfd016e46105b6e87db6a4c1ca77e9bb25b221c368f3cc53dddc7159602cfb926ef0cc9bacac57b6bd41e7e28998883c996727d58d29401
-
SSDEEP
1536:pr3rob4nqB6veqHnq+Pgm5NN9vbDTc+1vIQ/EXyBej:h7PEg3qcv5PvB/EVj
Malware Config
Signatures
-
UAC bypass 3 TTPs 1 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6812964531.exe"C:\Users\Admin\AppData\Local\Temp\6812964531.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Java\jre-1.8\bin\javaw.exe"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\6812964531.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Java\jre-1.8\bin\java.exejava -jar C:\Users\Admin\download_libra.jar3⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"5⤵
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c SCHTASKS /CREATE /F /SC MINUTE /TN OneDrive\OneDriveUpdateTask /RL HIGHEST /TR C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\cache.jar4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSCHTASKS /CREATE /F /SC MINUTE /TN OneDrive\OneDriveUpdateTask /RL HIGHEST /TR C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\cache.jar5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Program Files\Java\jre-1.8\bin\javaw.exe"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\cache.jar"4⤵
-
-
-
-
C:\Program Files\Java\jre-1.8\bin\javaw.exe"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\cache.jar"1⤵
-
C:\Windows\system32\cmd.execmd /c wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.execmd /c wmic cpu get name2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get name3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\cheat_master_install.exe"C:\Users\Admin\AppData\Local\Temp\cheat_master_install.exe"2⤵
- UAC bypass
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\3mb_online_install.exe"C:\Users\Admin\AppData\Local\Temp\3mb_online_install.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\cheat_master_install.exeC:\Users\Admin\AppData\Local\Temp\cheat_master_install.exe explorer.exe1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Image File Execution Options Injection
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Image File Execution Options Injection
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Pre-OS Boot
1Bootkit
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
46B
MD580073fb35176b7db23fba8f36b5176bb
SHA18b01c2cbd4a61e4411f7c29e2fbe1c9c7b662f27
SHA256df009c7355d8c1d58d0c598fa50cae813b11c5484cd868125a47977befe08f44
SHA512290a109cc61f4e67e3b1ca0b4ad6d2213060b3070a03402ae8b3bdb9f7c92542f259ac843e0aec00057bbb6b873259db69cb58e4078c24354c9bad77fd3459ae
-
Filesize
46B
MD51c8682260807ff0cf220519480e203f0
SHA185ab626819f00e6396f4ce3ed65b6e822802d317
SHA25644d2ce4f022c30ede8bee4f3403136741e6c7c7caf01a4b6c704411fe12092b8
SHA5128b69648d729b70e582b672ff69dcc744f27a3e20c2a6caa27f5e092a8666ad70073bc9a9f7fe748af6a1dd46f9feb0e73a6becd2f6dd59678f3e68cbba76301c
-
Filesize
25.9MB
MD5d33f1dd43fbfa6439a67e89c2cdf8f7f
SHA1d84179f551939149bedd0fedd8d2f9d00f119ce4
SHA256cd7af2789ff94fb2ee15de35c3181d54c14ae8ff6ae6c2cd5912cd897da75648
SHA51281b5e596b61aef451b14f472dfad825ab8d223cd3e4fb48490ff0d7134a6ab3a2d0baa395c82916a914d669f9adecea0284de82f1d4b3ea09558c4066b3e0446
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.4MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.4MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.4MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
2.8MB
-
Filesize
124KB
-
Filesize
2.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
2.4MB