Analysis
max time kernel: 115s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:40
Behavioral task: behavioral1
Sample: a0bdb183854ad6336feaa96373b3d35088eada85eacfbd783a232fd42aa0ca1aN.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: a0bdb183854ad6336feaa96373b3d35088eada85eacfbd783a232fd42aa0ca1aN.exe
Resource: win10v2004-20241007-en
General
Target: a0bdb183854ad6336feaa96373b3d35088eada85eacfbd783a232fd42aa0ca1aN.exe
Size: 205KB
MD5: 6c2ffe23d2b705aa168e28c6d490a4b0
SHA1: ec25e1a6227ad7a28f7027a48f29979b887526d8
SHA256: a0bdb183854ad6336feaa96373b3d35088eada85eacfbd783a232fd42aa0ca1a
SHA512: 939c4afacc162d5b3b3303f0ba3ffee5bb593da73e5dae1897e7e3ff4b161a9b69c7012fdecced37508e9c8bd70a058f80cf1d8d8631c38b9c8a25868aa9ec7c
SSDEEP: 3072:c/frTDzurT1S3CzpdmnATE55zjExkKGruONMvhu5QTXzeJX2vkMfSDPwU:Wfrnzurs3Czpexj2kGOIu5QTyJMKk
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description / ioc / process):
  Key value queried  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation  a0bdb183854ad6336feaa96373b3d35088eada85eacfbd783a232fd42aa0ca1aN.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation  oneetx.exe
Executes dropped EXE (3 IoCs)
Processes (pid / process):
  2912  oneetx.exe
  3900  oneetx.exe
  3088  oneetx.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 10 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description / ioc / process):
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cacls.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cacls.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  oneetx.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cacls.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cacls.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a0bdb183854ad6336feaa96373b3d35088eada85eacfbd783a232fd42aa0ca1aN.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes (pid / process):
  2268  a0bdb183854ad6336feaa96373b3d35088eada85eacfbd783a232fd42aa0ca1aN.exe
Suspicious use of WriteProcessMemory (27 IoCs)
Processes (description / pid / process / target process):
  PID 2268 wrote to memory of 2912  2268  a0bdb183854ad6336feaa96373b3d35088eada85eacfbd783a232fd42aa0ca1aN.exe  oneetx.exe
  PID 2268 wrote to memory of 2912  2268  a0bdb183854ad6336feaa96373b3d35088eada85eacfbd783a232fd42aa0ca1aN.exe  oneetx.exe
  PID 2268 wrote to memory of 2912  2268  a0bdb183854ad6336feaa96373b3d35088eada85eacfbd783a232fd42aa0ca1aN.exe  oneetx.exe
  PID 2912 wrote to memory of 2492  2912  oneetx.exe  schtasks.exe
  PID 2912 wrote to memory of 2492  2912  oneetx.exe  schtasks.exe
  PID 2912 wrote to memory of 2492  2912  oneetx.exe  schtasks.exe
  PID 2912 wrote to memory of 1920  2912  oneetx.exe  cmd.exe
  PID 2912 wrote to memory of 1920  2912  oneetx.exe  cmd.exe
  PID 2912 wrote to memory of 1920  2912  oneetx.exe  cmd.exe
  PID 1920 wrote to memory of 2328  1920  cmd.exe  cmd.exe
  PID 1920 wrote to memory of 2328  1920  cmd.exe  cmd.exe
  PID 1920 wrote to memory of 2328  1920  cmd.exe  cmd.exe
  PID 1920 wrote to memory of 864  1920  cmd.exe  cacls.exe
  PID 1920 wrote to memory of 864  1920  cmd.exe  cacls.exe
  PID 1920 wrote to memory of 864  1920  cmd.exe  cacls.exe
  PID 1920 wrote to memory of 3688  1920  cmd.exe  cacls.exe
  PID 1920 wrote to memory of 3688  1920  cmd.exe  cacls.exe
  PID 1920 wrote to memory of 3688  1920  cmd.exe  cacls.exe
  PID 1920 wrote to memory of 2080  1920  cmd.exe  cmd.exe
  PID 1920 wrote to memory of 2080  1920  cmd.exe  cmd.exe
  PID 1920 wrote to memory of 2080  1920  cmd.exe  cmd.exe
  PID 1920 wrote to memory of 2844  1920  cmd.exe  cacls.exe
  PID 1920 wrote to memory of 2844  1920  cmd.exe  cacls.exe
  PID 1920 wrote to memory of 2844  1920  cmd.exe  cacls.exe
  PID 1920 wrote to memory of 2960  1920  cmd.exe  cacls.exe
  PID 1920 wrote to memory of 2960  1920  cmd.exe  cacls.exe
  PID 1920 wrote to memory of 2960  1920  cmd.exe  cacls.exe
Processes (tree; [n] is the process depth)
  [1] C:\Users\Admin\AppData\Local\Temp\a0bdb183854ad6336feaa96373b3d35088eada85eacfbd783a232fd42aa0ca1aN.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\a0bdb183854ad6336feaa96373b3d35088eada85eacfbd783a232fd42aa0ca1aN.exe"
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 2268
      [2] C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 2912
          [3] C:\Windows\SysWOW64\schtasks.exe
              Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
              - System Location Discovery: System Language Discovery
              - Scheduled Task/Job: Scheduled Task
              PID: 2492
          [3] C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              PID: 1920
              [4] C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  - System Location Discovery: System Language Discovery
                  PID: 2328
              [4] C:\Windows\SysWOW64\cacls.exe
                  Command line: CACLS "oneetx.exe" /P "Admin:N"
                  - System Location Discovery: System Language Discovery
                  PID: 864
              [4] C:\Windows\SysWOW64\cacls.exe
                  Command line: CACLS "oneetx.exe" /P "Admin:R" /E
                  - System Location Discovery: System Language Discovery
                  PID: 3688
              [4] C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  - System Location Discovery: System Language Discovery
                  PID: 2080
              [4] C:\Windows\SysWOW64\cacls.exe
                  Command line: CACLS "..\cb7ae701b3" /P "Admin:N"
                  - System Location Discovery: System Language Discovery
                  PID: 2844
              [4] C:\Windows\SysWOW64\cacls.exe
                  Command line: CACLS "..\cb7ae701b3" /P "Admin:R" /E
                  - System Location Discovery: System Language Discovery
                  PID: 2960
  [1] C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      - Executes dropped EXE
      PID: 3900
  [1] C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      - Executes dropped EXE
      PID: 3088
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 205KB
MD5: 6c2ffe23d2b705aa168e28c6d490a4b0
SHA1: ec25e1a6227ad7a28f7027a48f29979b887526d8
SHA256: a0bdb183854ad6336feaa96373b3d35088eada85eacfbd783a232fd42aa0ca1a
SHA512: 939c4afacc162d5b3b3303f0ba3ffee5bb593da73e5dae1897e7e3ff4b161a9b69c7012fdecced37508e9c8bd70a058f80cf1d8d8631c38b9c8a25868aa9ec7c