Analysis Overview
SHA256
62bf1c22cfff5676af918e964e59f5a49c9afc77bc166ac106087458e0bd932c
Threat Level: Likely malicious
The file 62bf1c22cfff5676af918e964e59f5a49c9afc77bc166ac106087458e0bd932c.exe was found to be: Likely malicious.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Drops startup file
Deletes itself
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 10:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 10:08
Reported
2024-11-13 10:10
Platform
win7-20240729-en
Max time kernel
90s
Max time network
16s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk | C:\Users\Admin\AppData\Local\Temp\62bf1c22cfff5676af918e964e59f5a49c9afc77bc166ac106087458e0bd932c.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62bf1c22cfff5676af918e964e59f5a49c9afc77bc166ac106087458e0bd932c.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\62bf1c22cfff5676af918e964e59f5a49c9afc77bc166ac106087458e0bd932c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\62bf1c22cfff5676af918e964e59f5a49c9afc77bc166ac106087458e0bd932c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\62bf1c22cfff5676af918e964e59f5a49c9afc77bc166ac106087458e0bd932c.exe
"C:\Users\Admin\AppData\Local\Temp\62bf1c22cfff5676af918e964e59f5a49c9afc77bc166ac106087458e0bd932c.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ACCApi'
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /tn AccSys /tr "C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe" /st 10:13 /du 23:59 /sc daily /ri 1 /f
C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe
"C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8343.tmp.cmd""
C:\Windows\SysWOW64\timeout.exe
timeout 6
Network
Files
memory/2464-0-0x00000000741FE000-0x00000000741FF000-memory.dmp
memory/2464-1-0x00000000012B0000-0x00000000012D4000-memory.dmp
\Users\Admin\AppData\Roaming\ACCApi\apihost.exe
| MD5 | cf7849c4fe970b7d61cde5af01e67e4c |
| SHA1 | cb86cdf88fd0717146e55259b117bab776709fd1 |
| SHA256 | 8278df451373403db96a04c0147953a219a9770cd959c8ff2f8ce3e238aaba74 |
| SHA512 | effd5f14f95d3652880cb43dd0092926e4082e0432b0f1b4ba288d797423d8d6024d144b6ab2dce12c9ba684f4649803a8032bce26a7d432720aa82d3600e28c |
C:\Users\Admin\AppData\Local\Temp\tmp8343.tmp.cmd
| MD5 | 7fd35d05957e51403baeb7b098cb602c |
| SHA1 | a8220e6211354f4fa805b5882023db708345019c |
| SHA256 | 9c5e51df4d19fc3073ea331d6d4caf409d4111468c270e4203ef0c4fdebba17d |
| SHA512 | 2679d4efc6ef1f8f96f322daf92b14f45326c8e88dba55fd73b957fdeeb8318821149a4f7328c4c650bfeefa392dc41c2e7f9154fb667f3d8f30fbcfa75d4f80 |
memory/2768-22-0x00000000008E0000-0x0000000000904000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 10:08
Reported
2024-11-13 10:10
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
95s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\62bf1c22cfff5676af918e964e59f5a49c9afc77bc166ac106087458e0bd932c.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk | C:\Users\Admin\AppData\Local\Temp\62bf1c22cfff5676af918e964e59f5a49c9afc77bc166ac106087458e0bd932c.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\62bf1c22cfff5676af918e964e59f5a49c9afc77bc166ac106087458e0bd932c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\62bf1c22cfff5676af918e964e59f5a49c9afc77bc166ac106087458e0bd932c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\62bf1c22cfff5676af918e964e59f5a49c9afc77bc166ac106087458e0bd932c.exe
"C:\Users\Admin\AppData\Local\Temp\62bf1c22cfff5676af918e964e59f5a49c9afc77bc166ac106087458e0bd932c.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /tn AccSys /tr "C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe" /st 10:13 /du 23:59 /sc daily /ri 1 /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ACCApi'
C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe
"C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCDFE.tmp.cmd""
C:\Windows\SysWOW64\timeout.exe
timeout 6
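The two detonations above show the same chain with the same command lines: the dropper in %TEMP% spawns powershell.exe to add a Defender exclusion for the ACCApi directory, schtasks.exe to register the AccSys task with a one-minute repetition, the dropped apihost.exe, and a cmd.exe running a %TEMP%\tmpXXXX.tmp.cmd batch (the "Deletes itself" signature) gated by `timeout 6`. Note that apihost.exe has a different hash in each run (MD5 cf7849c4… in behavioral1, 38b160906… in behavioral2), so file hashes for the dropped payload are weak indicators, while the exclusion path, task name, startup .lnk and command-line shapes are stable. The following is an added example, not part of the sandbox report: detection logic in Python that runs over process-creation records and flags the three command-line patterns, then correlates them back to the parent that spawned them. `ProcEvent`, `Finding`, the `USER_WRITABLE` list, the PIDs other than 2464 and 2768, and the benign control event are assumptions constructed for the example; the malicious sample events are copied from the Processes listing above.

```python
# Added example, not part of the sandbox report: detection logic for the
# defense-evasion / persistence chain this report records. ProcEvent is a
# hypothetical simplification of Sysmon Event ID 1 / EDR telemetry; SAMPLE is
# constructed from the command lines listed under "Processes" (PIDs other than
# 2464 and 2768 are made up for the example).
import re
from dataclasses import dataclass

# Directories a non-admin user can write to. A Defender exclusion or scheduled
# task pointing here is a strong signal; the list is illustrative, extend it.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\",
                 "\\users\\public\\", "\\programdata\\")

ADD_MP_RE = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(?P<kind>Path|Process|Extension)\s+"
    r"['\"]?(?P<value>[^'\"]+?)['\"]?(?:\s|$)", re.IGNORECASE)
SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*?\s/create\b", re.IGNORECASE)
SCHTASKS_ARG_RE = re.compile(r'/(?P<flag>tn|tr|ri|sc)\s+(?:"(?P<q>[^"]+)"|(?P<u>\S+))',
                             re.IGNORECASE)
# %TEMP%\tmpXXXX.tmp.cmd run via cmd.exe: the "Deletes itself" helper in this report
TMP_CMD_RE = re.compile(r"\\tmp[0-9a-f]{4}\.tmp\.cmd\b", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    pid: int
    technique: str   # MITRE ATT&CK technique id
    detail: str


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def parse_schtasks(command_line: str) -> dict:
    """Return the /tn /tr /ri /sc values of a schtasks command line, quotes stripped."""
    return {m.group("flag").lower(): m.group("q") or m.group("u")
            for m in SCHTASKS_ARG_RE.finditer(command_line)}


def check_defender_exclusion(ev: ProcEvent):
    """T1562.001: Add-MpPreference exclusion covering a user-writable location."""
    m = ADD_MP_RE.search(ev.command_line)
    if m and in_user_writable(m.group("value")):
        return Finding(ev.pid, "T1562.001",
                       f"Defender {m.group('kind')} exclusion for user-writable {m.group('value')!r}")
    return None


def check_scheduled_task(ev: ProcEvent):
    """T1053.005: task created for a user-writable binary or with a very short repeat."""
    if not SCHTASKS_CREATE_RE.search(ev.command_line):
        return None
    args = parse_schtasks(ev.command_line)
    target = args.get("tr", "")
    interval = int(args["ri"]) if args.get("ri", "").isdigit() else None
    if in_user_writable(target) or (interval is not None and interval <= 5):
        repeat = f"every {interval} min" if interval else "without repetition"
        return Finding(ev.pid, "T1053.005", f"task {args.get('tn')!r} runs {target!r} {repeat}")
    return None


def check_self_delete_batch(ev: ProcEvent):
    """T1070.004: cmd.exe executing a %TEMP%\\tmpXXXX.tmp.cmd batch file."""
    if ev.image.lower().endswith("\\cmd.exe") and TMP_CMD_RE.search(ev.command_line):
        return Finding(ev.pid, "T1070.004",
                       "cmd.exe executes a %TEMP%\\tmpXXXX.tmp.cmd batch (self-delete helper)")
    return None


CHECKS = (check_defender_exclusion, check_scheduled_task, check_self_delete_batch)


def analyze(events):
    """Run every check over every event, preserving event order."""
    return [f for ev in events for f in (c(ev) for c in CHECKS) if f is not None]


def chained_parents(events, findings):
    """PIDs that spawned two or more flagged children: the dropper, not its helpers."""
    ppid_of = {ev.pid: ev.ppid for ev in events}
    counts = {}
    for f in findings:
        counts[ppid_of[f.pid]] = counts.get(ppid_of[f.pid], 0) + 1
    return {ppid for ppid, n in counts.items() if n >= 2}


DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\62bf1c22cfff5676af918e964e59f5a49c9afc77bc166ac106087458e0bd932c.exe")
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE = [  # constructed from this report's process tree; hypothetical PIDs except 2464/2768
    ProcEvent(2464, 1000, DROPPER, f'"{DROPPER}"'),
    ProcEvent(2600, 2464, PS,
              "\"powershell.exe\" Add-MpPreference -ExclusionPath 'C:\\Users\\Admin\\AppData\\Roaming\\ACCApi'"),
    ProcEvent(2612, 2464, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"schtasks.exe" /create /tn AccSys /tr "C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe"'
              r' /st 10:13 /du 23:59 /sc daily /ri 1 /f'),
    ProcEvent(2768, 2464, r"C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe",
              r'"C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe"'),
    ProcEvent(2800, 2464, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8343.tmp.cmd""'),
    ProcEvent(2812, 2800, r"C:\Windows\SysWOW64\timeout.exe", "timeout 6"),
    # control (constructed): an admin excluding a database directory must not fire
    ProcEvent(3000, 900, PS, "powershell.exe Add-MpPreference -ExclusionPath 'D:\\SQLData'"),
]

if __name__ == "__main__":
    found = analyze(SAMPLE)
    for f in found:
        print(f"pid {f.pid}: {f.technique} {f.detail}")
    print("dropper candidates:", chained_parents(SAMPLE, found))
```

Run against the sample, the three helper processes (2600, 2612, 2800) are flagged, the control exclusion for D:\SQLData is not, and `chained_parents` returns 2464, the dropper, because it is the common parent of all three. The user-writable-path test is what separates the ACCApi exclusion from an ordinary administrative one; a schtasks rule keyed only on `/create` would be far noisier than one that looks at where `/tr` points and how short `/ri` is.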
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/2668-0-0x00000000744DE000-0x00000000744DF000-memory.dmp
memory/2668-1-0x0000000000CC0000-0x0000000000CE4000-memory.dmp
memory/2668-2-0x0000000005D30000-0x00000000062D4000-memory.dmp
memory/2668-3-0x0000000005780000-0x0000000005812000-memory.dmp
memory/896-8-0x0000000002B50000-0x0000000002B86000-memory.dmp
memory/896-11-0x0000000005760000-0x0000000005D88000-memory.dmp
C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe
| MD5 | 38b160906dd4aa4d6cade1699c8a13f4 |
| SHA1 | 779180b1cd6e064195de8e866bcb46cdce876f3d |
| SHA256 | 285aa5d7f1e59f988f7868705314feb65d247c181556d1b6af7fb00be33db719 |
| SHA512 | ada4b1c58cab09c995b185c618ac9d66326ff4a6df340dbc5f77a89b986eea627f4b2e2194963bb393b138623a55f5b9ceb37d1a72593d5ca3a3ac1c1cec45e9 |
memory/896-18-0x00000000744D0000-0x0000000074C80000-memory.dmp
memory/896-9-0x00000000744D0000-0x0000000074C80000-memory.dmp
memory/896-22-0x00000000055A0000-0x00000000055C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_04md1zfp.px3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/896-32-0x0000000005E00000-0x0000000005E66000-memory.dmp
memory/896-30-0x0000000005D90000-0x0000000005DF6000-memory.dmp
memory/896-33-0x00000000744D0000-0x0000000074C80000-memory.dmp
memory/1380-35-0x00000000744D0000-0x0000000074C80000-memory.dmp
memory/896-36-0x0000000005E70000-0x00000000061C4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpCDFE.tmp.cmd
| MD5 | 82b0d0b98772b32c87832b03a2a80a83 |
| SHA1 | f9641e74867e6783b7594afb8216f2d964373191 |
| SHA256 | 76e5417946c1ff1a7c89ac8ce327d2abc14aaec7b0ba39752e1608263744f9b3 |
| SHA512 | e1f6542878bd15cb026dd426a0a16894fd268c669aca08cbbd63678604f3964f113fee57bde5cd3335e0463d20cc98990307db221c2c97323dc10a0523340735 |
memory/896-41-0x0000000006460000-0x000000000647E000-memory.dmp
memory/896-42-0x0000000006490000-0x00000000064DC000-memory.dmp
memory/1380-43-0x0000000006360000-0x000000000636A000-memory.dmp
memory/896-44-0x0000000006A20000-0x0000000006A52000-memory.dmp
memory/896-45-0x0000000071DB0000-0x0000000071DFC000-memory.dmp
memory/896-55-0x0000000006A00000-0x0000000006A1E000-memory.dmp
memory/896-56-0x0000000007650000-0x00000000076F3000-memory.dmp
memory/896-57-0x0000000007DD0000-0x000000000844A000-memory.dmp
memory/896-58-0x0000000007780000-0x000000000779A000-memory.dmp
memory/896-59-0x00000000077F0000-0x00000000077FA000-memory.dmp
memory/896-60-0x0000000007A00000-0x0000000007A96000-memory.dmp
memory/896-61-0x0000000007980000-0x0000000007991000-memory.dmp
memory/896-62-0x00000000079B0000-0x00000000079BE000-memory.dmp
memory/896-63-0x00000000079C0000-0x00000000079D4000-memory.dmp
memory/896-64-0x0000000007AC0000-0x0000000007ADA000-memory.dmp
memory/896-65-0x0000000007AA0000-0x0000000007AA8000-memory.dmp
memory/896-68-0x00000000744D0000-0x0000000074C80000-memory.dmp
memory/1380-69-0x00000000744D0000-0x0000000074C80000-memory.dmp