Analysis Overview
SHA256
36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5
Threat Level: Likely malicious
The file 36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5 was found to be: Likely malicious.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Loads dropped DLL
Deletes itself
Executes dropped EXE
Drops startup file
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 13:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 13:28
Reported
2024-11-13 13:31
Platform
win7-20241010-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk | C:\Users\Admin\AppData\Local\Temp\36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5.exe | "C:\Users\Admin\AppData\Local\Temp\36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ACCApi' |
| C:\Windows\SysWOW64\schtasks.exe | "schtasks.exe" /create /tn AccSys /tr "C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 13:33 /du 23:59 /sc daily /ri 1 /f |
| C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe | "C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpBDF2.tmp.cmd"" |
| C:\Windows\SysWOW64\timeout.exe | timeout 6 |
Network
Files
memory/2636-0-0x000000007468E000-0x000000007468F000-memory.dmp
memory/2636-1-0x00000000012C0000-0x00000000012FE000-memory.dmp
\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe
| Hash | Value |
| --- | --- |
| MD5 | 50d015016f20da0905fd5b37d7834823 |
| SHA1 | 6c39c84acf3616a12ae179715a3369c4e3543541 |
| SHA256 | 36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5 |
| SHA512 | 55f639006a137732b2fa0527cd1be24b58f5df387ce6aa6b8dd47d1419566f87c95fc1a6b99383e8bd0bcba06cc39ad7b32556496e46d7220c6a7b6d8390f7fc |
memory/3028-10-0x0000000000D50000-0x0000000000D8E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpBDF2.tmp.cmd
| Hash | Value |
| --- | --- |
| MD5 | 76b98eaa3efc2484fcf21c3cf8c96a1b |
| SHA1 | 52b8ad57e6d2cc1bcfa818e26dfbb413e1a16ac2 |
| SHA256 | 899b31cc77f1161893ad0064ca0f2e852d62d01d38da821a143f78c5781e25b4 |
| SHA512 | eedeeec32fa93b26362412e56ad206774e6ec7cfb9f8a98ac4a276e74530dc602f65a909a2f23480f15b7decfc8c2193ff2b8c1b9ede37d00fc25f041a6c8a1e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 13:28
Reported
2024-11-13 13:31
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
157s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk | C:\Users\Admin\AppData\Local\Temp\36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5.exe | "C:\Users\Admin\AppData\Local\Temp\36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ACCApi' |
| C:\Windows\SysWOW64\schtasks.exe | "schtasks.exe" /create /tn AccSys /tr "C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 13:34 /du 23:59 /sc daily /ri 1 /f |
| C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe | "C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA46E.tmp.cmd"" |
| C:\Windows\SysWOW64\timeout.exe | timeout 6 |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe
| Hash | Value |
| --- | --- |
| MD5 | 50d015016f20da0905fd5b37d7834823 |
| SHA1 | 6c39c84acf3616a12ae179715a3369c4e3543541 |
| SHA256 | 36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5 |
| SHA512 | 55f639006a137732b2fa0527cd1be24b58f5df387ce6aa6b8dd47d1419566f87c95fc1a6b99383e8bd0bcba06cc39ad7b32556496e46d7220c6a7b6d8390f7fc |
memory/4972-19-0x0000000004DD0000-0x0000000004DF2000-memory.dmp
memory/4972-20-0x0000000004F70000-0x0000000004FD6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wx0g10bm.4fp.ps1
| Hash | Value |
| --- | --- |
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4972-26-0x00000000058A0000-0x0000000005906000-memory.dmp
memory/2096-38-0x0000000074D70000-0x0000000075520000-memory.dmp
memory/4972-37-0x0000000005A10000-0x0000000005D64000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpA46E.tmp.cmd
| Hash | Value |
| --- | --- |
| MD5 | 06150987c8e237fa402481b7ae512af2 |
| SHA1 | 6f7d9a112980748d6b9bdaeeba6fd93116f41df3 |
| SHA256 | f2e52c18d9f592f8a52e2d2fd33a691b80f71c9f07c96a4cd707f64fd099188e |
| SHA512 | 520827125a0478dc2a55d1c28eec25a7bade0b68b17da5a1c83e83c159d4ced88d53b83f4a726d77c9721aac4a9404ace6ddbd14204743aea5d177b454b9806f |