Analysis
- max time kernel: 104s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-11-2024 18:11
Behavioral task: behavioral1
- Sample: 3accafa6ef42df81f7735a885e3a767aef6ce33e21a56b1b88012120d0b1f381N.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: 3accafa6ef42df81f7735a885e3a767aef6ce33e21a56b1b88012120d0b1f381N.exe
- Resource: win10v2004-20241007-en
General
- Target: 3accafa6ef42df81f7735a885e3a767aef6ce33e21a56b1b88012120d0b1f381N.exe
- Size: 209KB
- MD5: 4fe19c2fa04912e5f014563dfbc74800
- SHA1: 7b719de8a3cbf8a5dd0a4972d8b7b1a44bb56342
- SHA256: 3accafa6ef42df81f7735a885e3a767aef6ce33e21a56b1b88012120d0b1f381
- SHA512: 8937e6451bc9b4680b772b1f278da1dd2d1bf04120773ddcea982942aafa345c2c575528c2c7d444342dc15c7147162553308b90abd4b0f8d1fb85853ae198dd
- SSDEEP: 3072:mhMCsw9/w+A4cwP+5OzutpHKGruONM4QuZA+67bi83eILfbq5kmh:5Cswq+AXYu7HGOSuZAlAILjq
Malware Config
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 3accafa6ef42df81f7735a885e3a767aef6ce33e21a56b1b88012120d0b1f381N.exe, oneetx.exe

description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | 3accafa6ef42df81f7735a885e3a767aef6ce33e21a56b1b88012120d0b1f381N.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | oneetx.exe
Executes dropped EXE (3 IoCs)
Processes: oneetx.exe, oneetx.exe, oneetx.exe

pid | Process
4956 | oneetx.exe
2224 | oneetx.exe
2988 | oneetx.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 10 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 3accafa6ef42df81f7735a885e3a767aef6ce33e21a56b1b88012120d0b1f381N.exe, schtasks.exe, cacls.exe, cacls.exe, oneetx.exe, cmd.exe, cmd.exe, cmd.exe, cacls.exe, cacls.exe

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3accafa6ef42df81f7735a885e3a767aef6ce33e21a56b1b88012120d0b1f381N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | oneetx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious use of WriteProcessMemory (27 IoCs)
Processes: 3accafa6ef42df81f7735a885e3a767aef6ce33e21a56b1b88012120d0b1f381N.exe, oneetx.exe, cmd.exe

description | pid | Process | procid_target
PID 1520 wrote to memory of 4956 | 1520 | 3accafa6ef42df81f7735a885e3a767aef6ce33e21a56b1b88012120d0b1f381N.exe | 85
PID 1520 wrote to memory of 4956 | 1520 | 3accafa6ef42df81f7735a885e3a767aef6ce33e21a56b1b88012120d0b1f381N.exe | 85
PID 1520 wrote to memory of 4956 | 1520 | 3accafa6ef42df81f7735a885e3a767aef6ce33e21a56b1b88012120d0b1f381N.exe | 85
PID 4956 wrote to memory of 4796 | 4956 | oneetx.exe | 87
PID 4956 wrote to memory of 4796 | 4956 | oneetx.exe | 87
PID 4956 wrote to memory of 4796 | 4956 | oneetx.exe | 87
PID 4956 wrote to memory of 4748 | 4956 | oneetx.exe | 89
PID 4956 wrote to memory of 4748 | 4956 | oneetx.exe | 89
PID 4956 wrote to memory of 4748 | 4956 | oneetx.exe | 89
PID 4748 wrote to memory of 1984 | 4748 | cmd.exe | 91
PID 4748 wrote to memory of 1984 | 4748 | cmd.exe | 91
PID 4748 wrote to memory of 1984 | 4748 | cmd.exe | 91
PID 4748 wrote to memory of 4200 | 4748 | cmd.exe | 92
PID 4748 wrote to memory of 4200 | 4748 | cmd.exe | 92
PID 4748 wrote to memory of 4200 | 4748 | cmd.exe | 92
PID 4748 wrote to memory of 3500 | 4748 | cmd.exe | 93
PID 4748 wrote to memory of 3500 | 4748 | cmd.exe | 93
PID 4748 wrote to memory of 3500 | 4748 | cmd.exe | 93
PID 4748 wrote to memory of 4584 | 4748 | cmd.exe | 94
PID 4748 wrote to memory of 4584 | 4748 | cmd.exe | 94
PID 4748 wrote to memory of 4584 | 4748 | cmd.exe | 94
PID 4748 wrote to memory of 4992 | 4748 | cmd.exe | 95
PID 4748 wrote to memory of 4992 | 4748 | cmd.exe | 95
PID 4748 wrote to memory of 4992 | 4748 | cmd.exe | 95
PID 4748 wrote to memory of 3612 | 4748 | cmd.exe | 97
PID 4748 wrote to memory of 3612 | 4748 | cmd.exe | 97
PID 4748 wrote to memory of 3612 | 4748 | cmd.exe | 97
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\3accafa6ef42df81f7735a885e3a767aef6ce33e21a56b1b88012120d0b1f381N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3accafa6ef42df81f7735a885e3a767aef6ce33e21a56b1b88012120d0b1f381N.exe"
  PID: 1520
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
      PID: 4956
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
          Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
          PID: 4796
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
          PID: 4748
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              PID: 1984
              - System Location Discovery: System Language Discovery

            C:\Windows\SysWOW64\cacls.exe
              Command line: CACLS "oneetx.exe" /P "Admin:N"
              PID: 4200
              - System Location Discovery: System Language Discovery

            C:\Windows\SysWOW64\cacls.exe
              Command line: CACLS "oneetx.exe" /P "Admin:R" /E
              PID: 3500
              - System Location Discovery: System Language Discovery

            C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              PID: 4584
              - System Location Discovery: System Language Discovery

            C:\Windows\SysWOW64\cacls.exe
              Command line: CACLS "..\c3912af058" /P "Admin:N"
              PID: 4992
              - System Location Discovery: System Language Discovery

            C:\Windows\SysWOW64\cacls.exe
              Command line: CACLS "..\c3912af058" /P "Admin:R" /E
              PID: 3612
              - System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  PID: 2224
  - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  PID: 2988
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15