Analysis
- max time kernel: 142s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/11/2024, 20:44
Static task: static1
Behavioral task: behavioral1
- Sample: 24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe
- Resource: win7-20240903-en
General
- Target: 24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe
- Size: 1.7MB
- MD5: 15064527753763619d3781b780ded930
- SHA1: 26d03ea8ced5a9fceb3260cf9e71bf1f08768c8b
- SHA256: 24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338
- SHA512: 626a700ab6fc50be15b59e63a5114c100d5b95a6531f24ada010a70f9438f2c769df336980e58bfb4b799e484ec9b897555bc31be3a10fc3b9b356be0452f5de
- SSDEEP: 49152:qJfJlyMrgsK4Dg2JYYZqNi/3nXeHgUAozs1:qJBlVg2J9SOntVn
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell (Add-MpPreference) to modify Windows Defender settings, adding exclusions for file extensions, paths or processes. Here it excludes the directory C:\Users\Admin\AppData\Roaming\ACCApi, from which the dropped apihost.exe is later launched, so the payload directory is never scanned.
  pid 2860  powershell.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation  (24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe)
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk  (24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe)
- Executes dropped EXE (1 IoC)
  pid 3312  apihost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of:
  - apihost.exe
  - cmd.exe
  - timeout.exe
  - 24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe
  - powershell.exe
  - schtasks.exe
  Note that the stock system utilities the sample spawns (cmd.exe, timeout.exe, schtasks.exe) trigger this signature as well, so on its own it is weak evidence of intent; the Geo\Nation lookup above is the more deliberate geofence check.
- Delays execution with timeout.exe (1 IoC)
  pid 4796  timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution. The task created here (AccSys) runs the dropped apihost.exe daily from 20:50 (/sc daily /st 20:50) with a repetition interval of 1 minute (/ri 1) for a duration of 23:59 (/du), i.e. it relaunches the payload roughly every minute; /f overwrites any existing task of that name.
  pid 3220  schtasks.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid 3312  apihost.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2860  powershell.exe
  pid 2860  powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  pid 3076  24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe
  Token: SeDebugPrivilege  pid 2860  powershell.exe
  Token: SeDebugPrivilege  pid 3312  apihost.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  source pid -> target pid  (source process, procid_target); each pair is logged three times
  3076 -> 2860  24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe, 87
  3076 -> 3220  24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe, 89
  3076 -> 3312  24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe, 92
  3076 -> 2160  24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe, 93
  2160 -> 4796  cmd.exe, 95
Processes (tree; indentation shows parent/child)
- C:\Users\Admin\AppData\Local\Temp\24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe"
  PID: 3076
  Signatures:
  - Checks computer location settings
  - Drops startup file
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ACCApi'
    PID: 2860
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks.exe" /create /tn AccSys /tr "C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe" /st 20:50 /du 23:59 /sc daily /ri 1 /f
    PID: 3220
    Signatures:
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe"
    PID: 3312
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC38E.tmp.cmd""
    PID: 2160
    Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 6
      PID: 4796
      Signatures:
      - System Location Discovery: System Language Discovery
      - Delays execution with timeout.exe
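What a detection should key on in this tree is the chain rather than the file hash: a process in a user-writable path adds a Defender path exclusion, then schedules a task whose target sits inside that excluded directory, drops a startup LNK for the same binary, and runs a temp batch that delays with timeout.exe. The following is an added example and not part of this report or the sample: Python detection logic run over constructed process-creation events (Sysmon Event ID 1 / 4688 style fields). The images, PIDs and command lines are copied from the process tree above; the parent PID 1000 of the sample, the field names, and the rule names are assumptions. It generalises slightly beyond this case (any of -ExclusionPath/-ExclusionProcess/-ExclusionExtension, .bat as well as .cmd).

```python
"""Detection rules for the behaviour chain in this report, run over constructed
process-creation events. Added example: not the sandbox's or the sample's code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int          # process the finding is about
    ppid: int         # its parent
    target: str = ""  # excluded path, task target, batch file, image ...
    note: str = ""    # task name, child command line ...


# Constructed events: images, PIDs and command lines copied from the report's
# process tree; the top-level parent PID 1000 is an assumption.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe")
EVENTS = [
    ProcEvent(3076, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2860, 3076, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              "\"powershell.exe\" Add-MpPreference -ExclusionPath "
              r"'C:\Users\Admin\AppData\Roaming\ACCApi'"),
    ProcEvent(3220, 3076, r"C:\Windows\SysWOW64\schtasks.exe",
              "\"schtasks.exe\" /create /tn AccSys "
              r'/tr "C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe" '
              "/st 20:50 /du 23:59 /sc daily /ri 1 /f"),
    ProcEvent(3312, 3076, r"C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe",
              r'"C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe"'),
    ProcEvent(2160, 3076, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC38E.tmp.cmd""'),
    ProcEvent(4796, 2160, r"C:\Windows\SysWOW64\timeout.exe", "timeout 6"),
]

# Locations a standard user can write to; binaries or task targets there are suspect.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.I)
# Add-MpPreference -ExclusionPath / -ExclusionProcess / -ExclusionExtension <value>
EXCLUSION = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+"
    r"(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.I)
TASK_NAME = re.compile(r"/tn\s+\"?([^\"\s]+)", re.I)
TASK_RUN = re.compile(r"/tr\s+(?:\"([^\"]+)\"|(\S+))", re.I)
TEMP_BATCH = re.compile(r"\\Temp\\[^\"\s]+\.(?:cmd|bat)\b", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: ProcEvent, parent: Optional[ProcEvent]) -> List[Finding]:
    """Per-event rules; each hit names the rule and what it matched on."""
    out: List[Finding] = []
    name = basename(ev.image)
    if name == "powershell.exe":
        m = EXCLUSION.search(ev.cmdline)
        if m:
            target = next(g for g in m.groups() if g is not None)
            out.append(Finding("defender_exclusion", ev.pid, ev.ppid, target))
    elif name == "schtasks.exe" and re.search(r"/create\b", ev.cmdline, re.I):
        tr = TASK_RUN.search(ev.cmdline)
        target = (tr.group(1) or tr.group(2)) if tr else ""
        if USER_WRITABLE.search(target):  # task launching a binary from a user path
            tn = TASK_NAME.search(ev.cmdline)
            out.append(Finding("schtasks_userpath", ev.pid, ev.ppid, target,
                               tn.group(1) if tn else "?"))
    elif name == "cmd.exe":
        m = TEMP_BATCH.search(ev.cmdline)
        if m:
            out.append(Finding("temp_batch", ev.pid, ev.ppid, m.group(0)))
    elif name == "timeout.exe" and parent and basename(parent.image) == "cmd.exe":
        m = TEMP_BATCH.search(parent.cmdline)
        if m:  # a delay inside a temp batch: common stager / cleanup pattern
            out.append(Finding("delayed_temp_batch", ev.pid, ev.ppid, m.group(0), ev.cmdline))
    # A binary in a user-writable path started by a parent that is also in one.
    if parent and USER_WRITABLE.search(ev.image) and USER_WRITABLE.search(parent.image):
        out.append(Finding("dropped_exe_from_userpath", ev.pid, ev.ppid, ev.image))
    return out


def correlate(events: List[ProcEvent]) -> List[Finding]:
    """Run the per-event rules, then raise a chain finding when one parent both
    excluded a directory from Defender and scheduled a task from inside it."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Finding] = []
    for ev in events:
        findings += check_event(ev, by_pid.get(ev.ppid))
    excluded = {f.ppid: f.target.lower().rstrip("\\") + "\\"
                for f in findings if f.rule == "defender_exclusion"}
    chains: List[Finding] = []
    for f in findings:
        if f.rule != "schtasks_userpath" or f.ppid not in excluded:
            continue
        if f.target.lower().startswith(excluded[f.ppid]):
            parent = by_pid.get(f.ppid)
            chains.append(Finding("exclusion_then_task_chain", f.ppid,
                                  parent.ppid if parent else 0, f.target,
                                  f"excluded {excluded[f.ppid]} then scheduled task {f.note}"))
    return findings + chains


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"{f.rule:28} pid={f.pid:<5} ppid={f.ppid:<5} {f.target} {f.note}")
```

The chain rule is the one worth alerting on: a path exclusion by itself is noisy in environments where admins script Defender, and a scheduled task from AppData is noisy on developer machines, but the same parent doing both with the task target inside the freshly excluded directory has no benign explanation. Remediation order follows from the findings: delete the task (AccSys), remove the exclusion, then the Startup LNK and the directory.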
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 216B
  MD5: 22efc612a01c7d3dc23e7174118bdaa4
  SHA1: 06f59e4221ad6aed725f09b06462bc0d140f177e
  SHA256: 826011bb724cf5fae821d49be1aa7f77c4835667cc2b5cb8b8e5236a195974bb
  SHA512: 229756e3305315d37962bfcbfded2fc8d3b8b119975f7796c8b91bd3bd13f361a74990dd1917e7ed8a1cc9ffa7b0d50941814c338064c2efb1af97eb10398fad
- Filesize: 1.8MB
  MD5: 1d05ba175d6c78ed694dec4625826759
  SHA1: 1da12c706cd2d8b4150a873c15e2580921888a44
  SHA256: 793290ad562a6a9a8b41f37554ecb0b1656aea8b8af84f521deb39f9d0414c5a
  SHA512: a719602692f3d13c3ff97929afd3e0868958c758855d65d26ab90a2bbbd838d89162b4ac801cd900afc01b5884ab1fc56dc74b1824b7fc4ebb918087a4edc141