Analysis Overview
SHA256
5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71
Threat Level: Likely malicious
The file 5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N was found to be: Likely malicious.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Deletes itself
Drops startup file
Loads dropped DLL
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: AddClipboardFormatListener
Delays execution with timeout.exe
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-03 08:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-03 08:17
Reported
2024-11-03 08:19
Platform
win7-20240903-en
Max time kernel
119s
Max time network
18s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SeedPhrase Converter.exe.lnk | C:\Users\Admin\AppData\Local\Temp\5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe
"C:\Users\Admin\AppData\Local\Temp\5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Conventer.exe'
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /tn Conventer /tr "C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe" /st 08:22 /du 23:59 /sc daily /ri 1 /f
C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe
"C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5C91.tmp.cmd""
C:\Windows\SysWOW64\timeout.exe
timeout 6
Network
Files
memory/2232-0-0x000000007473E000-0x000000007473F000-memory.dmp
memory/2232-1-0x0000000000A20000-0x0000000000A3C000-memory.dmp
\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe
| MD5 | 22d3d12c545cc4b0cc90409dc0e789d7 |
| SHA1 | 094b6b694f523bc661f80ae4a689e83eeebe395b |
| SHA256 | 3cb574e04345c4c0e5694747dfd9232fa3fc28e4d87f027a8943d69deab9d1a4 |
| SHA512 | 038da6520f3f7b75c17c665d80f31c5700349194d11e7fa54e974c9a6e42c3e6a8b566750f5e9c3f97c500e0a025e458a97e25868ed13fa2398ede6438eb783f |
memory/2644-10-0x00000000010E0000-0x00000000010FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp5C91.tmp.cmd
| MD5 | 69e580f7404d8bc8a116206dc4edeb09 |
| SHA1 | f558bf7f68b483b94583a092c01ca21857a2a6fc |
| SHA256 | b6a33dd064735e6629e0955040f441152ddd440a86956e5f168070d381fa9633 |
| SHA512 | 205f0b4e7664d6a62b5c07223c1056288f7aadeb64fdc2ddc5b7184d1587626c8401522a2d7683a9db5ac83223bac194ae9b93394eea6876a48b0f07230c9d88 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-03 08:17
Reported
2024-11-03 08:19
Platform
win10v2004-20241007-en
Max time kernel
104s
Max time network
107s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SeedPhrase Converter.exe.lnk | C:\Users\Admin\AppData\Local\Temp\5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe
"C:\Users\Admin\AppData\Local\Temp\5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Conventer.exe'
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /tn Conventer /tr "C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe" /st 08:22 /du 23:59 /sc daily /ri 1 /f
C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe
"C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp66C8.tmp.cmd""
C:\Windows\SysWOW64\timeout.exe
timeout 6
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
Files
memory/1980-0-0x0000000074E5E000-0x0000000074E5F000-memory.dmp
memory/1980-1-0x0000000000640000-0x000000000065C000-memory.dmp
memory/1980-2-0x00000000056F0000-0x0000000005C94000-memory.dmp
memory/1980-3-0x0000000005050000-0x00000000050E2000-memory.dmp
memory/4584-8-0x0000000004580000-0x00000000045B6000-memory.dmp
memory/4584-10-0x0000000004D10000-0x0000000005338000-memory.dmp
memory/4584-9-0x0000000074E50000-0x0000000075600000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe
| MD5 | 5a9bd6c65a5a08c3837692d846bd34b3 |
| SHA1 | 68b051b4a724d0c1aa8b4d01fcc56b13eb62c688 |
| SHA256 | e0f276fd8e51bacaffe9acb2c2c0c31fd0fd4e2a202990627715c33496373ad5 |
| SHA512 | cf431d058103e3b976e1f7f15b381ee9b69a65b6ad262732aeb7b5c1cba3f24c3b5b6bbb6f8f6cb1c9aaa1334b936db7d0d22966ccdc1e0fbf1dba0303b3b657 |
memory/4584-18-0x0000000074E50000-0x0000000075600000-memory.dmp
memory/4584-22-0x0000000005530000-0x0000000005596000-memory.dmp
memory/4584-27-0x0000000074E50000-0x0000000075600000-memory.dmp
memory/4328-37-0x0000000074E50000-0x0000000075600000-memory.dmp
memory/4584-34-0x00000000055A0000-0x00000000058F4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp66C8.tmp.cmd
| MD5 | 812a2f426fc6c244e78782b79c7306de |
| SHA1 | 77f040326c8ee35eb28f017042424478f8076403 |
| SHA256 | 53cb2fd0fc5130db1b7359a8bc4b1cad8c326fa1d5d7feb44ec2813004496a90 |
| SHA512 | cdfc70edb2714efd949a0bec02c975470c0f0f026b3621dff5e1cf222083ad89182016b78deaa214bc0abe03833ef5cd46dec9e07aec0d7d1f9fbd74488cf2aa |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x2vhsb0h.5sp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4584-19-0x0000000004B90000-0x0000000004BB2000-memory.dmp
memory/4584-20-0x0000000004C30000-0x0000000004C96000-memory.dmp
memory/4584-41-0x0000000005B50000-0x0000000005B6E000-memory.dmp
memory/4584-42-0x0000000005B80000-0x0000000005BCC000-memory.dmp
memory/4328-43-0x0000000005680000-0x000000000568A000-memory.dmp
memory/4584-44-0x0000000006110000-0x0000000006142000-memory.dmp
memory/4584-45-0x0000000072630000-0x000000007267C000-memory.dmp
memory/4584-55-0x0000000006150000-0x000000000616E000-memory.dmp
memory/4584-56-0x0000000006B50000-0x0000000006BF3000-memory.dmp
memory/4584-57-0x00000000074C0000-0x0000000007B3A000-memory.dmp
memory/4584-58-0x0000000006E70000-0x0000000006E8A000-memory.dmp
memory/4584-59-0x0000000006EE0000-0x0000000006EEA000-memory.dmp
memory/4584-60-0x00000000070F0000-0x0000000007186000-memory.dmp
memory/4584-61-0x0000000007070000-0x0000000007081000-memory.dmp
memory/4584-62-0x00000000070A0000-0x00000000070AE000-memory.dmp
memory/4584-63-0x00000000070B0000-0x00000000070C4000-memory.dmp
memory/4584-64-0x00000000071B0000-0x00000000071CA000-memory.dmp
memory/4584-65-0x0000000007190000-0x0000000007198000-memory.dmp
memory/4584-68-0x0000000074E50000-0x0000000075600000-memory.dmp
memory/4328-69-0x0000000074E50000-0x0000000075600000-memory.dmp