Resubmissions

21-11-2024 10:17

241121-mbp4ca1mft 10

21-11-2024 10:13

241121-l89ctawjak 10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-11-2024 10:13

General

  • Target

    Octo Free Tweaking Utility V1.0.bat

  • Size

    32KB

  • MD5

    8392add3fcbeded059c0788e13305148

  • SHA1

    aabebd21818beb9d92354a26bff3b091f6d33070

  • SHA256

    bd035666f01df67518bf6a7976e58d019fe4281b7cc959bc623b5bbc8cb6aa31

  • SHA512

    454321ad19d4544632c51d02a2cd9adb48d856a982e45afdf2c2abd06412a212bb4ee60075ceee1f46370ecb722ed73d0749fd9cae1f627cfd3013d221728774

  • SSDEEP

    384:5TFAFXvNHSuTB4VPVVpZzBYqvRBzalRL/TJ:5TqXDSPVVpZzclRL/TJ

Malware Config

Signatures

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2992
      • C:\Windows\system32\findstr.exe
        findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
        3⤵
        PID:2324
    • C:\Windows\SysWOW64\OneDriveSetup.exe
      C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3088
      • C:\Windows\SysWOW64\OneDriveSetup.exe
        "C:\Windows\SysWOW64\OneDriveSetup.exe" C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /permachine /childprocess /silent /enableOMCTelemetry /enableExtractCabV2 /cusid:S-1-5-21-940901362-3608833189-1915618603-1000
        3⤵
        • System Location Discovery: System Language Discovery
        PID:540
      • C:\Windows\SysWOW64\OneDriveSetup.exe
        C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /peruser /childprocess /enableOMCTelemetry /enableExtractCabV2
        3⤵
        • Modifies system executable filetype association
        • Drops desktop.ini file(s)
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3628
        • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe
          "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe" /uninstall
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:3208
    • C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d 0 /f
      2⤵
      PID:3924
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
    1⤵
    • System Location Discovery: System Language Discovery
    PID:400
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3708
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa38f6855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1328
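Two things in the tree above are worth reading closely. The intermediate cmd.exe (PID 2992) that runs `findstr /b ::: "<script>"` is the shape a batch `for /f` loop over a quoted command produces: cmd spawns `cmd /c <command>`, which spawns findstr.exe, and `findstr /b :::` returns only the lines of the script that begin with `:::`. cmd.exe never executes such lines (a `::` label is unreachable), so they are a common place to keep data inside a .bat. The remaining activity is OneDriveSetup.exe running per-machine and per-user `/uninstall` passes and a single `reg add` that sets a ContentDeliveryManager `SubscribedContent` flag to 0; the filetype-association, desktop.ini and registry-class signatures are attached to the OneDrive uninstaller (PID 3628), not to the batch file itself. The Python below is an added example, not part of this report and not the analysed script (whose contents the page does not show): `SAMPLE_BAT` is a constructed stand-in that reproduces only the self-read via `findstr /b :::`, `OBSERVED_COMMANDS` is copied from the tree, and the rule names are hypothetical.

```python
# Added example (not from the sandbox report): emulate the findstr /b ::: self-read
# seen in the process tree and triage the observed command lines.
import re

# Constructed stand-in for the .bat (the real script is not on the page).
# `for /f` over a quoted command runs it through `cmd /c`, which is the
# intermediate cmd.exe in the tree; `findstr /b :::` prints only lines that
# BEGIN with ':::'. cmd.exe treats those lines as unreachable labels, i.e.
# comments, so data can be embedded there. What the real script does with the
# lines it reads back is not shown on the page.
SAMPLE_BAT = r"""@echo off
for /f "delims=" %%A in ('findstr /b ::: "%~f0"') do echo %%A
:::SubscribedContent-310093Enabled=0
:::C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall
exit /b
"""


def findstr_b(pattern: str, text: str) -> list[str]:
    """Emulate `findstr /b PATTERN` for a pattern without regex metacharacters:
    return the lines of `text` that start with PATTERN."""
    return [line for line in text.splitlines() if line.startswith(pattern)]


def embedded_lines(bat_text: str, marker: str = ":::") -> list[str]:
    """What the script recovers from itself via findstr /b :::, marker stripped."""
    return [line[len(marker):] for line in findstr_b(marker, bat_text)]


# Command lines copied from the Processes section of the report.
OBSERVED_COMMANDS = [
    r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"',
    r'C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"',
    r'findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"',
    r'C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall',
    r'"C:\Windows\SysWOW64\OneDriveSetup.exe" C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /permachine /childprocess /silent /enableOMCTelemetry /enableExtractCabV2 /cusid:S-1-5-21-940901362-3608833189-1915618603-1000',
    r'C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /peruser /childprocess /enableOMCTelemetry /enableExtractCabV2',
    r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe" /uninstall',
    r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d 0 /f',
]

# Triage rules (hypothetical names) for the three behaviours the tree shows.
RULES = {
    # findstr /b ::: aimed at a .bat: the script reads its own ':::' lines.
    "bat_reads_embedded_lines": re.compile(
        r'findstr(?:\.exe)?\s+/b\s+:::\s+"[^"]*\.bat"', re.IGNORECASE),
    # OneDriveSetup.exe invoked with /uninstall (parent, per-machine, per-user).
    "onedrive_uninstall": re.compile(
        r'OneDriveSetup\.exe"?\s.*?/uninstall\b', re.IGNORECASE),
    # reg add under the ContentDeliveryManager key.
    "content_delivery_manager_tweak": re.compile(
        r'reg(?:\.exe)?\s+add\s+"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\ContentDeliveryManager"',
        re.IGNORECASE),
}


def triage(commands: list[str]) -> dict[str, list[str]]:
    """Map each rule name to the command lines it matched."""
    hits: dict[str, list[str]] = {}
    for cmd in commands:
        for name, rx in RULES.items():
            if rx.search(cmd):
                hits.setdefault(name, []).append(cmd)
    return hits


if __name__ == "__main__":
    for line in embedded_lines(SAMPLE_BAT):
        print("embedded:", line)
    for name, matched in triage(OBSERVED_COMMANDS).items():
        print(f"{name}: {len(matched)} command line(s)")
```

Run against the report's command lines, the rules match two findstr invocations (the `cmd /c` wrapper and findstr.exe itself), three OneDriveSetup.exe `/uninstall` invocations and one `reg add`. The two `aria-debug-*.log` files listed under Downloads carry the PIDs 3628 and 540 of the two OneDriveSetup.exe children, and no network activity is recorded, so the score rests on the uninstaller's registry and filesystem changes plus the self-reading batch pattern rather than on any payload the sandbox captured.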

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\aria-debug-3628.log
    Filesize: 470B
    MD5: 6540ee2a99516739ecd9db9f78c2c68b
    SHA1: e86a40069df43477beb4e822943fed245f0785d1
    SHA256: 31da80e66cebe5877300025e7359c284b76d2ba1499ed57de0eeca300b2b7bad
    SHA512: 26723550eb5a1960fbae52511f6c6f1a63f648c480d4c61ea0023236ff882639f19d5e921408bc47dd1b63062ac6b222e7cd8a5c10a3ddf9a9a0ddb4ef49fcfd

  • C:\Users\Admin\AppData\Local\Temp\aria-debug-540.log
    Filesize: 470B
    MD5: 7bdd7515b439bb9a809a9e0d06d51632
    SHA1: 229e637ee453c8a129f1e576f0df892433f163f2
    SHA256: 657707ad226a4476a9875d1cfefc6fa963f6c24a9886c5a122f0aabfd12bef51
    SHA512: c41c7dda28d32e7e5671b268cf84a115e19c57e1e05ce2515359d1751c533e2334ff33febe21a87d5401efa1ebaa886f1ba98a2ed2063795fe305a4ecda2decb

  • C:\Users\Admin\AppData\Local\Temp\tmpC09C.tmp
    Filesize: 25.9MB
    MD5: bd2866356868563bd9d92d902cf9cc5a
    SHA1: c677a0ad58ba694891ef33b54bb4f1fe4e7ce69b
    SHA256: 6676ba3d4bf3e5418865922b8ea8bddb31660f299dd3da8955f3f37961334ecb
    SHA512: 5eccf7be791fd76ee01aafc88300b2b1a0a0fb778f100cbc37504dfc2611d86bf3b4c5d663d2b87f17383ef09bd7710adbe4ece148ec12a8cfd2195542db6f27