Analysis

  • max time kernel
    109s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-11-2024 01:00

General

  • Target

    4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.exe

  • Size

    20.4MB

  • MD5

    044f51347e293ac77de4cd47bdccbacf

  • SHA1

    4c67777228575ac317c62855e6d9dd0a6da48c2d

  • SHA256

    4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2

  • SHA512

    f3976170a7f965f9674712904a0effc8383ea1a7ac5961a746b319d4659f52f82578b5adf4a0ca52f0434a896d310268ac7e40391fb0ea929a2482bb78aa0775

  • SSDEEP

    393216:SiX7fx65E78eL1uwtkbZtqtQEt8+OIbyMl1PiT+KiSn7h6LPr8Y:bTxOEJuw+bP5krOIO3aKiSn7aPIY

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 14 IoCs
  • Enumerates connected drives 3 TTPs 44 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.exe
    "C:\Users\Admin\AppData\Local\Temp\4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2816
    • C:\Users\Admin\AppData\Local\Temp\is-DMQRV.tmp\4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-DMQRV.tmp\4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.tmp" /SL5="$80046,20366305,827392,C:\Users\Admin\AppData\Local\Temp\4ca9da66d04a5f68deb0bab55aca5d64b8d8307c58f2943d6a67a3b584855ee2.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2856
      • C:\Users\Admin\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe
        "C:\Users\Admin\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe" -pc0873f648e06c724 -y -o"C:\Users\Admin\AppData\Local\Temp\is-B68GO.tmp\..\52510828593271275376515160\"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1220
      • C:\Users\Admin\AppData\Roaming\611641ae7b4c35da\62b24530.exe
        "C:\Users\Admin\AppData\Roaming\611641ae7b4c35da\62b24530.exe" -p7fe04917 -y -o"C:\Users\Admin\AppData\Local\Temp\is-B68GO.tmp\..\52510828593271275376515160\"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4336
      • C:\Users\Admin\AppData\Local\Temp\52510828593271275376515160\soiucosxz.exe
        "C:\Users\Admin\AppData\Local\Temp\is-B68GO.tmp\..\52510828593271275376515160\soiucosxz.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates connected drives
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:1488
  • C:\Windows\system32\cmd.exe
    cmd /c start "" "C:\Users\Admin\AppData\Local\Temp\is-B68GO.tmp\..\52510828593271275376515160\soiucosxz.exe" 3aede031690535070f390095f2d2 1488 "C:\Users\Admin\AppData\Local\Temp\is-B68GO.tmp\..\52510828593271275376515160\"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:460
    • C:\Users\Admin\AppData\Local\Temp\52510828593271275376515160\soiucosxz.exe
      "C:\Users\Admin\AppData\Local\Temp\is-B68GO.tmp\..\52510828593271275376515160\soiucosxz.exe" 3aede031690535070f390095f2d2 1488 "C:\Users\Admin\AppData\Local\Temp\is-B68GO.tmp\..\52510828593271275376515160\"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      PID:1856
  • C:\Windows\k9poeXYMBbnX\soiucosxz.exe
    "C:\Windows\k9poeXYMBbnX\soiucosxz.exe"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3316
    • C:\Windows\k9poeXYMBbnX\app-0.89.2\soiucosxz.exe
      "C:\Windows\k9poeXYMBbnX\app-0.89.2\soiucosxz.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3388
      • C:\Windows\k9poeXYMBbnX\app-0.89.2\app-0.89.2\soiucosxz.exe
        "C:\Windows\k9poeXYMBbnX\app-0.89.2\app-0.89.2\soiucosxz.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3464
        • C:\Windows\k9poeXYMBbnX\app-0.89.2\app-0.89.2\soiucosxz.exe
          "C:\Windows\k9poeXYMBbnX\app-0.89.2\app-0.89.2\soiucosxz.exe" "2fb5d34656b943d916e57e9120"
          4⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:4500
          • C:\Windows\system32\fsquirt.exe
            C:\Windows\system32\fsquirt.exe
            5⤵
            PID:536
          • C:\Windows\system32\SystemSettingsAdminFlows.exe
            C:\Windows\system32\SystemSettingsAdminFlows.exe
            5⤵
            PID:5072
            • C:\Windows\k9poeXYMBbnX\app-0.89.2\app-0.89.2\soiucosxz.exe
              "C:\Windows\k9poeXYMBbnX\app-0.89.2\app-0.89.2\soiucosxz.exe" bcbf6f4 4500
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Enumerates connected drives
              • Checks processor information in registry
              • Suspicious behavior: EnumeratesProcesses
              PID:4708
      • C:\Windows\system32\cmd.exe
        cmd /c start "" "C:\Windows\k9poeXYMBbnX\app-0.89.2\app-0.89.2\soiucosxz.exe" 6c376dd8a 1488 "C:\Users\Admin\AppData\Local\Temp\is-B68GO.tmp\..\52510828593271275376515160\"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:2620
        • C:\Windows\k9poeXYMBbnX\app-0.89.2\app-0.89.2\soiucosxz.exe
          "C:\Windows\k9poeXYMBbnX\app-0.89.2\app-0.89.2\soiucosxz.exe" 6c376dd8a 1488 "C:\Users\Admin\AppData\Local\Temp\is-B68GO.tmp\..\52510828593271275376515160\"
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:4084

Network

MITRE ATT&CK Enterprise v15


Downloads
