280268db673f66dc31e54d86de101cf8b5d52c583a9282d9c7ccb4475612a8e0

Analysis

max time kernel
94s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe
Size

16KB
MD5

ffe4f9b654ff2900c2361444e1b8cc11
SHA1

e19af8a7a59f36f6dc60fccf3fed14558485400c
SHA256

05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb
SHA512

0c6b6103ec9666dd55549e9825d1b22705eb113ca3e323f4d39ef375ab58280467bc0b2677345929f46f1d558a58d356a8e469b020bb184710b18ee1220a3413
SSDEEP

384:CaeADspZKz4N+D8eoeH2uA1L7P+TPXHTBO:/spIz4N+9F2uA1nqP3g

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3500	powershell.exe
3500	powershell.exe
1816	powershell.exe
5024	powershell.exe
5024	powershell.exe
1728	powershell.exe
1816	powershell.exe
1728	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3500	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	5024	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe

description	pid	process	target process
PID 4480 wrote to memory of 3500	4480	05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe	powershell.exe
PID 4480 wrote to memory of 3500	4480	05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe	powershell.exe
PID 4480 wrote to memory of 5024	4480	05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe	powershell.exe
PID 4480 wrote to memory of 5024	4480	05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe	powershell.exe
PID 4480 wrote to memory of 1816	4480	05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe	powershell.exe
PID 4480 wrote to memory of 1816	4480	05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe	powershell.exe
PID 4480 wrote to memory of 1728	4480	05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe	powershell.exe
PID 4480 wrote to memory of 1728	4480	05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe
"C:\Users\Admin\AppData\Local\Temp\05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemProperty -Path Registry::HKEY_CURRENT_USER\Software
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-ItemProperty -Path Registry::HKEY_CURRENT_USER\Software -Name 'ISUSED' -PropertyType String -Value 'True'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-ItemProperty -Path Registry::HKEY_CURRENT_USER\Software -Name 'SYS1' -PropertyType String -Value 'M8cdwSViEEn+BZpa3eTafy72TydkM6Hr'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-ItemProperty -Path Registry::HKEY_CURRENT_USER\Software -Name 'SYS2' -PropertyType String -Value '+WeFco132Ds='
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oj0bw0zm.tab.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
5d15173b959fc44f9f7d0f6267e1ac6f

SHA1
e313e3f77f1b39dd3526b76b46f39b8d6a4542b0

SHA256
02f773989e9bc9c47e276c9e9059ec0f29c5dbf94ffa891120e7e939faed2770

SHA512
eca2025ef6f39a36dd2b9802d94169e31788f903a8142b9efd21e4452bd2010615d1b8bfa67a083d7f648e198b9a9e65475bcd8910638e42754a52ef36b2a64e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
b3eac365fc193ccd411f9a5af1e33f8b

SHA1
df59ed50ee21db18a458a7b255f2d7d2267384b4

SHA256
2392bcb8200fc585afab90bb9d9ba0284be25fe2ea65c860221c8e8020358f05

SHA512
23abcb73acf2303c80c0a99d0c046c87d5ebd9e41ebeb26070218097e358028a9cbdecb887895744e007bffccc853ff34989d16ce816dadcc843564bb5e57359

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
b6e503744e0f32783eeb750594cbcc3d

SHA1
dd3b6b77ff860d6b22494493b22a9cf0381a6874

SHA256
98af92253a97ee7d79fdaae0f5fbc75d2246b11ba98466fa99a3672df79a7592

SHA512
feb525129aec882a4f68adcd4db7a3b11d628feda9c38989e838900bd15831ef440a4419a9750f9fd7a1c1b03ec78bbf7bd2180a0e0db9b26e53add50541b97d

Download Submit
C:\Users\Admin\Desktop\WHAT_HAPPEND.text

Filesize
819B

MD5
72b47d154e48cd3ba2c34dc22780d7f3

SHA1
150cb795b88c6a48601f56fba99715abfe3d812b

SHA256
0757c374065ef622cbf487e875f2ebabd91503bc7b1d5909c609bc4a4a54ca8e

SHA512
381332bc3e0ed1428c1b2fd6f077b0ddcf57ccdf172831ac953b713d0709511616e960db8fa758f02e150fbb8f6df75177d18871814af14de8c253d3d8d2e538

Download Submit
memory/3500-12-0x00007FFEFB170000-0x00007FFEFBC31000-memory.dmp

Filesize
10.8MB

Download
memory/3500-17-0x00007FFEFB170000-0x00007FFEFBC31000-memory.dmp

Filesize
10.8MB

Download
memory/3500-16-0x00007FFEFB170000-0x00007FFEFBC31000-memory.dmp

Filesize
10.8MB

Download
memory/3500-13-0x00007FFEFB170000-0x00007FFEFBC31000-memory.dmp

Filesize
10.8MB

Download
memory/3500-7-0x000002837DE20000-0x000002837DE42000-memory.dmp

Filesize
136KB

Download
memory/4480-20-0x00007FFEFB170000-0x00007FFEFBC31000-memory.dmp

Filesize
10.8MB

Download
memory/4480-43-0x00007FFEFB170000-0x00007FFEFBC31000-memory.dmp

Filesize
10.8MB

Download
memory/4480-0-0x00007FFEFB173000-0x00007FFEFB175000-memory.dmp

Filesize
8KB

Download
memory/4480-1-0x0000000000F60000-0x0000000000F6A000-memory.dmp

Filesize
40KB

Download