Analysis
-
max time kernel
127s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
22-11-2024 02:09
General
-
Target
2jkq6pqh4du44qj7.exe
-
Size
48KB
-
MD5
452bd74c6deedb5eefcfe3332424ba1b
-
SHA1
3736c43df60f7a402622d07f8c47ad62f6fefb30
-
SHA256
82cfe1298f8c4cf047fe1c737deb16b22e8e05d3de81d896f4b30b7923d9c53d
-
SHA512
17e752284d5e6a9cd7e0c8f9163464b51e58ebb2aaf90d4736e4136a11962164c984be505f5fc0a66e8fa52b7a33dca1fe52060cf94d9cf0b24e6688a6a55d48
-
SSDEEP
768:o+pbB1ZIDV83MhPvF7TBuJkTvObyCEwWPMHV9w3NGuDgtIrYi3xs:DB1ZIDV8uPGm7Obl3kMHV9cGusIr73xs
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 13 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Start PowerShell.
-
Drops file in Windows directory 14 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 26 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2jkq6pqh4du44qj7.exe"C:\Users\Admin\AppData\Local\Temp\2jkq6pqh4du44qj7.exe"1⤵
- Modifies WinLogon for persistence
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\CMD.exe"CMD" netsh advfirewall firewall add rule name="?'$2E!CME$J}EH" dir=in action=allow program="C:\Windows\windows" enable=yes & exit2⤵
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\windowsC:\Windows\windows1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\tmp2188.tmp.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\tmp2188.tmp.exe"'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmp2188.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp2188.tmp.exe"4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- System policy modification
-
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\windowsC:\Windows\windows1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\windowsC:\Windows\windows1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\windowsC:\Windows\windows1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\windowsC:\Windows\windows1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\windowsC:\Windows\windows1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\windowsC:\Windows\windows1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\windowsC:\Windows\windows1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\windowsC:\Windows\windows1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\windowsC:\Windows\windows1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\windowsC:\Windows\windows1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\windowsC:\Windows\windows1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\windows" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5f26118d675c61402c218ac6794d90a63
SHA1ffc8d592f3ca8255ca5119eff5b576eb16ac7fac
SHA256d049789c187b2f58c900eab10205bc037740dca8640ab40c314790fefaab66ff
SHA5126f14b71dae095131053a1b590e60ccec4e14c47c745bf9d52de48988d7b93b1f50bbb6bac0222dc49e3e45def052b20be2d34e116991027718da2e0fb8eb45d0
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
30KB
MD576a23f9205a346895aa2f08a5c79eb57
SHA15c2e88a043d0639cdb022bd76cf9ef50c79504ba
SHA25675cca00bbf6d90ce711db4f52387ec4b017c2fb356930f5a1baa0cc6eebd10c7
SHA51206c529a178c42081cea59e4d838679d33737e4a61c6bd995e051e03e4d85a74453320f1de153778219c72c618c8bceeb9bf61e2d77048efe11b8250b5f926649
-
Filesize
56KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB