Analysis
-
max time kernel
93s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
13-12-2024 01:20
General
-
Target
aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe
-
Size
2.7MB
-
MD5
8b744166eecace320158f4d0f704b13e
-
SHA1
b92636084b3bd914514bc44556c4803933d667a3
-
SHA256
aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9
-
SHA512
641b3065e30186ccf9ba84ce6d345565763bbdb5fc1b1201c3f08fce5466c2384250b85b4c0220d2b9e21c5a51ff5ef60e9b910e07107e2b7e06f97b4e429d27
-
SSDEEP
24576:l+O4GuNVHU+AH2FWxOYIOlIZBrlsQBYI63DSyve5fG:s3N5IO6OtsMYIxS
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 4 IoCs
-
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Drops file in System32 directory 7 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe"C:\Users\Admin\AppData\Local\Temp\aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Default\Saved Games\MusNotification.exe"C:\Users\Default\Saved Games\MusNotification.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\ConhostV1\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\MusNotification.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\bootim\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\SettingsHandlers_StorageSense\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.7MB
MD58b744166eecace320158f4d0f704b13e
SHA1b92636084b3bd914514bc44556c4803933d667a3
SHA256aa7a05956ca47e164a10a94d0bdbe01123b84eb01fad5e581e1e72b10d93d5a9
SHA512641b3065e30186ccf9ba84ce6d345565763bbdb5fc1b1201c3f08fce5466c2384250b85b4c0220d2b9e21c5a51ff5ef60e9b910e07107e2b7e06f97b4e429d27
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
2.7MB
-
Filesize
10.8MB
-
Filesize
10.8MB