Analysis
max time kernel: 104s
max time network: 107s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/11/2024, 08:17

Static task: static1
Behavioral task: behavioral1
Sample: 5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe
Resource: win7-20240903-en
General
Target: 5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe
Size: 5.8MB
MD5: a309dd870ce8f6c413c53fb6ad7282f0
SHA1: bf1ef29145ce21dfdc0aa328621805f0af806da5
SHA256: 5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71
SHA512: 4b61a9087ebefb65016d3a56dcba5018124ad4903d34ed9cb918c9340c89ffdcb4523c2ea97f48c5a4215df6ec2b23c02c5556cfa13d47d90d2cc33a2219f00b
SSDEEP: 98304:aWSdjmMgDQsEeaHMNKWJXFNvBpqjD3E3gQPN4jK2sR7EWKEXnHozQIMuyraeKFwd:CmM3lH32LvBpqnE3KI79nXHorIraekwd
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  PID 4584: powershell.exe

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation
  Process: 5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe

- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SeedPhrase Converter.exe.lnk
  Process: 5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe

- Executes dropped EXE (1 IoC)
  PID 4328: SeedPhrase Converter.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Processes (one IoC each): 5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe, powershell.exe, schtasks.exe, SeedPhrase Converter.exe, cmd.exe, timeout.exe

- Delays execution with timeout.exe (1 IoC)
  PID 3740: timeout.exe

- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 1492: schtasks.exe

- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 4328: SeedPhrase Converter.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 4584: powershell.exe (reported twice)

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token SeDebugPrivilege, PID 1980: 5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe
  Token SeDebugPrivilege, PID 4584: powershell.exe
  Token SeDebugPrivilege, PID 4328: SeedPhrase Converter.exe

- Suspicious use of WriteProcessMemory (15 IoCs; each write is reported three times)
  PID 1980 (5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe) wrote to memory of PID 4584, procid_target 88 (x3)
  PID 1980 (5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe) wrote to memory of PID 1492, procid_target 89 (x3)
  PID 1980 (5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe) wrote to memory of PID 4328, procid_target 92 (x3)
  PID 1980 (5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe) wrote to memory of PID 2064, procid_target 93 (x3)
  PID 2064 (cmd.exe) wrote to memory of PID 3740, procid_target 95 (x3)
Processes
Process tree (indentation shows parent/child; the number is the depth in the tree):

1  C:\Users\Admin\AppData\Local\Temp\5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe"
   PID: 1980
   - Checks computer location settings
   - Drops startup file
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Conventer.exe'
      PID: 4584
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

   2  C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /tn Conventer /tr "C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe" /st 08:22 /du 23:59 /sc daily /ri 1 /f
      PID: 1492
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

   2  C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe"
      PID: 4328
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of AdjustPrivilegeToken

   2  C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp66C8.tmp.cmd""
      PID: 2064
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3  C:\Windows\SysWOW64\timeout.exe
         Command line: timeout 6
         PID: 3740
         - System Location Discovery: System Language Discovery
         - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 6.4MB
MD5: 5a9bd6c65a5a08c3837692d846bd34b3
SHA1: 68b051b4a724d0c1aa8b4d01fcc56b13eb62c688
SHA256: e0f276fd8e51bacaffe9acb2c2c0c31fd0fd4e2a202990627715c33496373ad5
SHA512: cf431d058103e3b976e1f7f15b381ee9b69a65b6ad262732aeb7b5c1cba3f24c3b5b6bbb6f8f6cb1c9aaa1334b936db7d0d22966ccdc1e0fbf1dba0303b3b657

File 2
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

File 3
Filesize: 217B
MD5: 812a2f426fc6c244e78782b79c7306de
SHA1: 77f040326c8ee35eb28f017042424478f8076403
SHA256: 53cb2fd0fc5130db1b7359a8bc4b1cad8c326fa1d5d7feb44ec2813004496a90
SHA512: cdfc70edb2714efd949a0bec02c975470c0f0f026b3621dff5e1cf222083ad89182016b78deaa214bc0abe03833ef5cd46dec9e07aec0d7d1f9fbd74488cf2aa