Analysis Overview
SHA256
24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338
Threat Level: Likely malicious
The file 24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338 was found to be: Likely malicious.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Loads dropped DLL
Drops startup file
Deletes itself
Executes dropped EXE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-03 20:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-03 20:44
Reported
2024-11-03 20:47
Platform
win7-20240903-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk | C:\Users\Admin\AppData\Local\Temp\24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe
"C:\Users\Admin\AppData\Local\Temp\24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ACCApi'
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /tn AccSys /tr "C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe" /st 20:50 /du 23:59 /sc daily /ri 1 /f
C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe
"C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC12D.tmp.cmd""
C:\Windows\SysWOW64\timeout.exe
timeout 6
Network
Files
memory/2088-0-0x0000000073EFE000-0x0000000073EFF000-memory.dmp
memory/2088-1-0x0000000001300000-0x0000000001324000-memory.dmp
\Users\Admin\AppData\Roaming\ACCApi\apihost.exe
| Hash | Value |
| --- | --- |
| MD5 | 585c7471080b240b532ac06e6f2b1abd |
| SHA1 | 5d61da778845d49fe7b60e7195d68d5af4341fb5 |
| SHA256 | 868573d904c4ec22f1e4402329864881b681a0683a96b5b1094bad9a0bc65342 |
| SHA512 | e9a18f63810aa3bc8ed642217f3427d34a64034e1c5a788abae39c2f3b3e603b7e8c751e4cf78937212cbb95d88b8a658881c2d8584a36044936357e87d81752 |
memory/1584-10-0x0000000000CD0000-0x0000000000CF4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpC12D.tmp.cmd
| Hash | Value |
| --- | --- |
| MD5 | fc60269505c04780d70aa55947f209bb |
| SHA1 | e31c5fac2521d556546e0aff041e9735f841800c |
| SHA256 | a1469c80b4506bf2bd5ffead834ff586d197a332e7c3581d5cada5d376181963 |
| SHA512 | 21978ada659ff7301868e7577db371ab2b31855a419118daadb0ec5fe02a4b5386269cc839ca2ea3547ca61e18d69834d4028e69d4ecdf1aa9f9df6d959e62bb |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-03 20:44
Reported
2024-11-03 20:47
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
148s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk | C:\Users\Admin\AppData\Local\Temp\24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe
"C:\Users\Admin\AppData\Local\Temp\24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ACCApi'
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /tn AccSys /tr "C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe" /st 20:50 /du 23:59 /sc daily /ri 1 /f
C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe
"C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC38E.tmp.cmd""
C:\Windows\SysWOW64\timeout.exe
timeout 6
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.11.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe
| Hash | Value |
| --- | --- |
| MD5 | 1d05ba175d6c78ed694dec4625826759 |
| SHA1 | 1da12c706cd2d8b4150a873c15e2580921888a44 |
| SHA256 | 793290ad562a6a9a8b41f37554ecb0b1656aea8b8af84f521deb39f9d0414c5a |
| SHA512 | a719602692f3d13c3ff97929afd3e0868958c758855d65d26ab90a2bbbd838d89162b4ac801cd900afc01b5884ab1fc56dc74b1824b7fc4ebb918087a4edc141 |
memory/2860-19-0x0000000005A90000-0x0000000005AB2000-memory.dmp
memory/2860-21-0x0000000074950000-0x0000000075100000-memory.dmp
memory/2860-22-0x0000000005CD0000-0x0000000005D36000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_riggcscd.fys.ps1
| Hash | Value |
| --- | --- |
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2860-20-0x0000000005BF0000-0x0000000005C56000-memory.dmp
memory/3312-39-0x0000000074950000-0x0000000075100000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpC38E.tmp.cmd
| Hash | Value |
| --- | --- |
| MD5 | 22efc612a01c7d3dc23e7174118bdaa4 |
| SHA1 | 06f59e4221ad6aed725f09b06462bc0d140f177e |
| SHA256 | 826011bb724cf5fae821d49be1aa7f77c4835667cc2b5cb8b8e5236a195974bb |
| SHA512 | 229756e3305315d37962bfcbfded2fc8d3b8b119975f7796c8b91bd3bd13f361a74990dd1917e7ed8a1cc9ffa7b0d50941814c338064c2efb1af97eb10398fad |