Analysis

max time kernel: 94s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-11-2024 09:38

Static task: static1
Behavioral task: behavioral1
Sample: 2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe
Resource: win7-20241023-en
General

Target: 2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe
Size: 9.6MB
MD5: 8168594bee79378e25b371736d38c0ae
SHA1: 959da3e13bdd1138ad2a86b724bd1280f405d873
SHA256: 2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c
SHA512: f03ac700f20582f5ad5f16be396e81a21a8864c77333c53784aeab376073ccd5ba8f4a8c1482d817e2ca73b983dfb2cff4b4cf449081dbdcb5cda2305e75b08b
SSDEEP: 196608:wJEUqNdLdxriGIQPWbHklWs1lUYiqz+OxAvQ0qRt95CnqjkfiHGZOcVIS9fQf:eEUqNdLdxrHIQPWIlMqz+OxAvWRt95Cg
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | 2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe

Drops startup file (1 IoCs)
Processes: 2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SeedPhrase Converter.exe.lnk | 2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe

Executes dropped EXE (1 IoCs)
Processes: SeedPhrase Converter.exe
pid | Process
2568 | SeedPhrase Converter.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: timeout.exe, 2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe, powershell.exe, schtasks.exe, SeedPhrase Converter.exe, cmd.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SeedPhrase Converter.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Delays execution with timeout.exe (1 IoCs)
Processes: timeout.exe
pid | Process
2800 | timeout.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes: SeedPhrase Converter.exe
pid | Process
2568 | SeedPhrase Converter.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: powershell.exe
pid | Process
4672 | powershell.exe
4672 | powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: 2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe, powershell.exe, SeedPhrase Converter.exe
description | pid | Process
Token: SeDebugPrivilege | 4132 | 2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe
Token: SeDebugPrivilege | 4672 | powershell.exe
Token: SeDebugPrivilege | 2568 | SeedPhrase Converter.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes: 2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe, cmd.exe
description | pid | Process | procid_target
PID 4132 wrote to memory of 4672 | 4132 | 2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe | 86
PID 4132 wrote to memory of 4672 | 4132 | 2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe | 86
PID 4132 wrote to memory of 4672 | 4132 | 2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe | 86
PID 4132 wrote to memory of 3792 | 4132 | 2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe | 87
PID 4132 wrote to memory of 3792 | 4132 | 2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe | 87
PID 4132 wrote to memory of 3792 | 4132 | 2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe | 87
PID 4132 wrote to memory of 2568 | 4132 | 2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe | 90
PID 4132 wrote to memory of 2568 | 4132 | 2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe | 90
PID 4132 wrote to memory of 2568 | 4132 | 2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe | 90
PID 4132 wrote to memory of 4872 | 4132 | 2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe | 91
PID 4132 wrote to memory of 4872 | 4132 | 2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe | 91
PID 4132 wrote to memory of 4872 | 4132 | 2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe | 91
PID 4872 wrote to memory of 2800 | 4872 | cmd.exe | 93
PID 4872 wrote to memory of 2800 | 4872 | cmd.exe | 93
PID 4872 wrote to memory of 2800 | 4872 | cmd.exe | 93
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe"
  PID: 4132
  - Checks computer location settings
  - Drops startup file
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Conventer.exe'
    PID: 4672
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  [depth 2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks.exe" /create /tn Conventer /tr "C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe" /st 09:43 /du 23:59 /sc daily /ri 1 /f
    PID: 3792
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task

  [depth 2] C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe"
    PID: 2568
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken

  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9069.tmp.cmd""
    PID: 4872
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 6
      PID: 2800
      - System Location Discovery: System Language Discovery
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 10.2MB
MD5: 426204109bb4aa0d1f70472b65c40412
SHA1: 8bc861d2e04c0ca9f3adbb5585bda6fe8ea06bb4
SHA256: c33464f3642fdd812f4f529d3751be4b46aced6807616106b36fd7abae1a8de2
SHA512: 3354c5aef2edcf3e561f6ba2054b83636d8c63010a3149742b4d601e74a69fc426b1203a4117eaf26ac28e0dd3b8e663efab6051b202382a7b546b6691b5647d

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 216B
MD5: bb7c08ea7749cb0b92b3ad665aade848
SHA1: df15a354a25fbd5cf5726ff9e64bb641ed6d1e09
SHA256: 43bf31aff72d16b2d09e8346c8060c35987916a72aafd65e244dae105e09e22b
SHA512: 6b89b9c65a76a58bcbc267a94b9d419c8780bf84928a4d29652e4330315afc594ee87332076768c70af4bb3e46192244de87aca5ebf034a44a15fc030d45ac0b