Analysis
max time kernel: 120s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 10:26

Static task: static1
Behavioral task behavioral1: sample 04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800N.exe, resource win7-20240903-en
Behavioral task behavioral2: sample 04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800N.exe, resource win10v2004-20241007-en
General
Target: 04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800N.exe
Size: 71KB
MD5: 294e2c97a822c73f043efb54753b8e30
SHA1: dec5e9287ecd0c800185b73e50ebeecc4e67eb7e
SHA256: 04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800
SHA512: 0c9298bf71bcbdecd748b4ca60236d8dc2f2fff13da52777540499bed9891a4e9ea8348303fa7d0ffc69189bc3064e397f26664f1322eab62bde3fa4a5e0ba42
SSDEEP: 1536:nvosBknP2Uo+GjDZwue3jzFfc4hghUapTOU:nvVMCcHVc4hghUS/
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (process: 04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800N.exe)
Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (process: pifloader32.exe)
Drops startup file (1 IoC)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrayOnly.lnk (process: cscript.exe)
Executes dropped EXE (1 IoC)
PID 3804: pifloader32.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800N.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: pifloader32.exe)
Delays execution with timeout.exe (18 IoCs)
timeout.exe PIDs: 2684, 2424, 1512, 2448, 4844, 3248, 3968, 4984, 3504, 2592, 1860, 4268, 688, 4776, 3052, 4392, 560, 1088
Suspicious use of AdjustPrivilegeToken (42 IoCs)
All 42 rows belong to WMIC.exe (PID 320). The same 21 token privileges are recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36.
WMIC.exe requests this same privilege set whenever it starts, so this signature is a side-effect of the batch file calling WMIC (here only to read Win32_LocalTime), not a separate privilege-escalation step by the sample.
Suspicious use of WriteProcessMemory (51 IoCs)
Each row reads "PID <parent> wrote to memory of <child> <parent> <parent image> <procid_target>". The sandbox records every child two or three times, so the 51 rows describe 25 distinct parent/child pairs:
4864 (04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800N.exe) -> 1204, procid_target 85 (x2)
1204 (cmd.exe) -> 3464, procid_target 88 (x2)
1204 (cmd.exe) -> 3804, procid_target 89 (x3)
3804 (pifloader32.exe) -> 1608, procid_target 91 (x2)
1608 (cmd.exe) -> 2708, procid_target 93 (x2)
1608 (cmd.exe) -> 2664, procid_target 94 (x2)
2664 (cmd.exe) -> 320, procid_target 95 (x2)
1608 (cmd.exe) -> the 18 timeout.exe children, each x2: 2424 (97), 3968 (102), 1512 (105), 2592 (106), 3052 (107), 4392 (110), 1860 (111), 4984 (112), 560 (113), 2448 (114), 1088 (115), 4268 (116), 4844 (117), 688 (118), 3504 (119), 3248 (120), 4776 (121), 2684 (122)
Processes
1  C:\Users\Admin\AppData\Local\Temp\04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800N.exe  (PID 4864)
   Command line: "C:\Users\Admin\AppData\Local\Temp\04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800N.exe"
   Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
   2  C:\Windows\system32\cmd.exe  (PID 1204)
      Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\83C6.tmp\83C7.bat C:\Users\Admin\AppData\Local\Temp\04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800N.exe"
      Signatures: Suspicious use of WriteProcessMemory
      3  C:\Windows\system32\cmd.exe  (PID 3464)
         Command line: cmd /c /MIN C:\Users\Admin\AppData\Local\Temp\tmp.cmd
      3  C:\ProgramData\pifloader32.exe  (PID 3804)
         Command line: C:\ProgramData\pifloader32.exe
         Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
         4  C:\Windows\system32\cmd.exe  (PID 1608)
            Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\857C.tmp\857D.bat C:\ProgramData\pifloader32.exe"
            Signatures: Suspicious use of WriteProcessMemory
            5  C:\Windows\system32\cscript.exe  (PID 2708)
               Command line: cscript /b /nologo "C:\Users\Admin\AppData\Local\Temp\log28.vbs"
               Signatures: Drops startup file
            5  C:\Windows\system32\cmd.exe  (PID 2664)
               Command line: C:\Windows\system32\cmd.exe /c WMIC Path Win32_LocalTime Get Day,Hour,Minute,Month,Second,Year /Format:table
               Signatures: Suspicious use of WriteProcessMemory
               6  C:\Windows\System32\Wbem\WMIC.exe  (PID 320)
                  Command line: WMIC Path Win32_LocalTime Get Day,Hour,Minute,Month,Second,Year /Format:table
                  Signatures: Suspicious use of AdjustPrivilegeToken
            5  C:\Windows\system32\timeout.exe, 18 instances, in order PIDs 2424, 3968, 1512, 2592, 3052, 4392, 1860, 4984, 560, 2448, 1088, 4268, 4844, 688, 3504, 3248, 4776, 2684
               Command line (each instance): timeout /T 7 /nobreak
               Signatures: Delays execution with timeout.exe

Reading the tree: the sample (PID 4864) and the dropped C:\ProgramData\pifloader32.exe (PID 3804) start the same way. Each launches cmd.exe through C:\Windows\sysnative with a .bat extracted to a fresh %TEMP%\<hex>.tmp\ directory and its own path as the first argument; that launch pattern is consistent with a batch-to-exe wrapper, and because the sysnative alias only resolves from a 32-bit (WOW64) process, it also indicates both executables are 32-bit. Under pifloader32.exe the batch runs log28.vbs via cscript.exe, which writes TrayOnly.lnk into the user's Startup folder (a shortcut there is executed at every logon, which is the persistence mechanism), reads the local time once via WMIC, and then idles in repeated "timeout /T 7 /nobreak" calls (18 were observed before the run ended), a cheap way to wait out a sandbox's analysis window.
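The WriteProcessMemory rows, the timeout.exe list, the Startup .lnk drop and the Geo\Nation queries above are easier to reason about once they are rebuilt into a tree and checked by rule rather than by eye. The following Python is an added example by the editor; it is not part of the sandbox report and not code from the sample. The row strings are copied from this report's tables (constructed inline so the script runs offline); the function names, the script-host list and the threshold of five timeout.exe children are my own assumptions.

```python
"""Rebuild the process tree from this report's flattened IoC rows and flag
the three behaviours it documents. Added example by the editor: not part of
the sandbox report and not code from the sample. Row strings are copied
from the report; function names and thresholds are my own assumptions."""
import re
from collections import defaultdict

SAMPLE = "04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800N.exe"

# (child pid, procid_target) of the 18 "timeout /T 7 /nobreak" children of PID 1608.
TIMEOUTS = [(2424, 97), (3968, 102), (1512, 105), (2592, 106), (3052, 107),
            (4392, 110), (1860, 111), (4984, 112), (560, 113), (2448, 114),
            (1088, 115), (4268, 116), (4844, 117), (688, 118), (3504, 119),
            (3248, 120), (4776, 121), (2684, 122)]

# "Suspicious use of WriteProcessMemory" rows as the report lists them, repeats
# included (each child is recorded two or three times): 51 rows in total.
WPM_ROWS = (
    f"PID 4864 wrote to memory of 1204 4864 {SAMPLE} 85 " * 2
    + "PID 1204 wrote to memory of 3464 1204 cmd.exe 88 " * 2
    + "PID 1204 wrote to memory of 3804 1204 cmd.exe 89 " * 3
    + "PID 3804 wrote to memory of 1608 3804 pifloader32.exe 91 " * 2
    + "PID 1608 wrote to memory of 2708 1608 cmd.exe 93 " * 2
    + "PID 1608 wrote to memory of 2664 1608 cmd.exe 94 " * 2
    + "PID 2664 wrote to memory of 320 2664 cmd.exe 95 " * 2
    + "".join(f"PID 1608 wrote to memory of {pid} 1608 cmd.exe {tid} " * 2
              for pid, tid in TIMEOUTS)
)

# Image name per PID, from the report's "Processes" section.
IMAGES = {4864: SAMPLE, 1204: "cmd.exe", 3464: "cmd.exe", 3804: "pifloader32.exe",
          1608: "cmd.exe", 2708: "cscript.exe", 2664: "cmd.exe", 320: "WMIC.exe",
          **{pid: "timeout.exe" for pid, _ in TIMEOUTS}}

# "Drops startup file" and "Checks computer location settings" rows as (pid, image, path).
GEO_KEY = (r"\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000"
           r"\Control Panel\International\Geo\Nation")
FILE_CREATES = [(2708, "cscript.exe", r"C:\Users\Admin\AppData\Roaming\Microsoft"
                 r"\Windows\Start Menu\Programs\Startup\TrayOnly.lnk")]
REG_QUERIES = [(4864, SAMPLE, GEO_KEY), (3804, "pifloader32.exe", GEO_KEY)]

# parent, child, parent image; the backreference \1 checks the repeated parent pid.
EDGE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+")


def parse_edges(rows):
    """Ordered, de-duplicated (parent, child, parent_image) edges."""
    seen, edges = set(), []
    for parent, child, image in EDGE_RE.findall(rows):
        if (parent, child) not in seen:
            seen.add((parent, child))
            edges.append((int(parent), int(child), image))
    return edges


def build_tree(edges, images):
    """parent pid -> [child pids], plus a pid -> image map."""
    tree, names = defaultdict(list), dict(images)
    for parent, child, image in edges:
        tree[parent].append(child)
        names.setdefault(parent, image)
    return tree, names


def roots(tree):
    """Pids that write to others but were never written to: the tree root(s)."""
    children = {c for kids in tree.values() for c in kids}
    return [p for p in tree if p not in children]


def render(tree, names, pid, depth=0):
    """Indented text lines for the subtree under pid."""
    lines = [f"{'  ' * depth}{names.get(pid, '?')} (PID {pid})"]
    for child in tree.get(pid, []):
        lines += render(tree, names, child, depth + 1)
    return lines


def sleep_loops(tree, names, min_children=5):
    """Parents with many timeout.exe children: a delay loop aimed at sandbox timeouts."""
    counts = {p: sum(names.get(c) == "timeout.exe" for c in kids) for p, kids in tree.items()}
    return {p: n for p, n in counts.items() if n >= min_children}


def startup_lnk_by_script_host(file_creates):
    """Script hosts writing a .lnk into the per-user Startup folder (logon persistence)."""
    hosts = {"cscript.exe", "wscript.exe", "powershell.exe", "mshta.exe"}
    return [(pid, path) for pid, image, path in file_creates
            if image.lower() in hosts and path.lower().endswith(".lnk")
            and "\\start menu\\programs\\startup\\" in path.lower()]


def geofence_queries(reg_queries):
    """Pids that read the user's GeoID, the key the sandbox tags as a geofence check."""
    return sorted({pid for pid, _, key in reg_queries
                   if key.lower().endswith("\\control panel\\international\\geo\\nation")})


if __name__ == "__main__":
    edges = parse_edges(WPM_ROWS)
    tree, names = build_tree(edges, IMAGES)
    for root in roots(tree):
        print("\n".join(render(tree, names, root)))
    print("sleep loops:", sleep_loops(tree, names))
    print("startup .lnk:", startup_lnk_by_script_host(FILE_CREATES))
    print("geofence reads:", geofence_queries(REG_QUERIES))
```

Run as-is it prints the 26-node tree rooted at PID 4864 and reports PID 1608 as a sleep loop with 18 timeout.exe children, PID 2708 (cscript.exe) as the Startup persistence writer, and PIDs 3804 and 4864 as the Geo\Nation readers. The de-duplication step matters: counting raw WriteProcessMemory rows would double every child, and the backreference in the regex rejects rows where the repeated parent pid does not match, which is a cheap guard against mis-split extraction like the line break in the middle of the report's 1088 row.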
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 71KB
MD5: 5ed3eb46b8099e71f24492462272671c
SHA1: 7fa040f4dd3cdab6ec47d2db50f5c26c06becb98
SHA256: b9b66f98c1f164a461ad6f2c2087eb98cee4f556a805195871a69064435a757f
SHA512: 9715465b0f950c4a83d4862428410f657bdac692aa253c5f40c1fb25aaa881dc851e6326f18fa82a5ad4d2db06c0e761a774d97e541d328bc7ab000166b9d3a6

Filesize: 4KB
MD5: 0ea5fa94a89146f88854b46e18284141
SHA1: db3a53ad07943f4ec37f38eada72bb2195eca619
SHA256: 3d8f4ced477de197df507677c349bf9d1dd1cfdb91327f58bd66e8a28f2e74cd
SHA512: 6495561c529fa880b7e5327b469565dae60dc2850585c021ba93eafa4b37657b19ea9105cd6c48ed9cce7dc790f636498e2e02407b66d4d088080c9c935c0675

Filesize: 329B
MD5: dca5253415cc37e4404cbea4eadc77c7
SHA1: be82b2554fa49fabd3e427d0fce82b2c490456b5
SHA256: 6271ad49562396c26eca6b4826b13f93b4d84ee4b54c83db3d157d8b68312692
SHA512: 75de408bd218f2e5a639d86104cde7219f54b97af1d1d6f416fef58f58254a6df83c022153bfe50d7e00c5fde3622b48c6e48ebe1a7c3142929bd59518aa5a68