Analysis

  • max time kernel
    71s
  • max time network
    80s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/11/2024, 21:38

General

  • Target

    Octo Free Tweaking Utility V1.0.bat

  • Size

    32KB

  • MD5

    8392add3fcbeded059c0788e13305148

  • SHA1

    aabebd21818beb9d92354a26bff3b091f6d33070

  • SHA256

    bd035666f01df67518bf6a7976e58d019fe4281b7cc959bc623b5bbc8cb6aa31

  • SHA512

    454321ad19d4544632c51d02a2cd9adb48d856a982e45afdf2c2abd06412a212bb4ee60075ceee1f46370ecb722ed73d0749fd9cae1f627cfd3013d221728774

  • SSDEEP

    384:5TFAFXvNHSuTB4VPVVpZzBYqvRBzalRL/TJ:5TqXDSPVVpZzclRL/TJ

Signatures

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:384
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4520
      • C:\Windows\system32\findstr.exe
        findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
        3⤵
        PID:1156
      • C:\Windows\SysWOW64\OneDriveSetup.exe
        C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1508
        • C:\Windows\SysWOW64\OneDriveSetup.exe
          "C:\Windows\SysWOW64\OneDriveSetup.exe" C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /permachine /childprocess /silent /cusid:S-1-5-21-3227495264-2217614367-4027411560-1000
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1568
        • C:\Windows\SysWOW64\OneDriveSetup.exe
          C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /peruser /childprocess
          3⤵
          • Modifies system executable filetype association
          • Drops desktop.ini file(s)
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:5092
          • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe
            "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe" /uninstall
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            PID:3956
      • C:\Windows\system32\reg.exe
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d 0 /f
        2⤵
        PID:2332
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
    1⤵
    • System Location Discovery: System Language Discovery
    PID:4296

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp1B05.tmp

    Filesize
    25.9MB

    MD5
    bd2866356868563bd9d92d902cf9cc5a

    SHA1
    c677a0ad58ba694891ef33b54bb4f1fe4e7ce69b

    SHA256
    6676ba3d4bf3e5418865922b8ea8bddb31660f299dd3da8955f3f37961334ecb

    SHA512
    5eccf7be791fd76ee01aafc88300b2b1a0a0fb778f100cbc37504dfc2611d86bf3b4c5d663d2b87f17383ef09bd7710adbe4ece148ec12a8cfd2195542db6f27