Analysis

  • max time kernel
    124s
  • max time network
    124s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    13/01/2025, 18:29

General

  • Target

    5890798F97F9144206499433A5DB3011.exe

  • Size

    701KB

  • MD5

    5890798f97f9144206499433a5db3011

  • SHA1

    1c9c488123a81bf8d2216ac57c089e056f899433

  • SHA256

    69be5428a0e939a5bf4453b34aad1a86791ab75411b6a339d727197f82bc8411

  • SHA512

    964f340060a67abed11d06ac40cb8cb2577f985e8815cc12f306e37a716792ae8edac02645d0cddeea5d81f72ef402363c909b6f510eb2a37c76f1cf56caada9

  • SSDEEP

    6144:57A/MmghsENIsRctX5rUvQSNj0LZOWM8yucn:5U/Mv0rU1Nj0LZOd8yus

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 25 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\5890798F97F9144206499433A5DB3011.exe
    "C:\Users\Admin\AppData\Local\Temp\5890798F97F9144206499433A5DB3011.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3904
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:4100
    • C:\Users\Admin\AppData\Local\Temp\5890798F97F9144206499433A5DB3011.exe
      "C:\Users\Admin\AppData\Local\Temp\5890798F97F9144206499433A5DB3011.exe"
      2⤵
      PID:4432
    • C:\Users\Admin\AppData\Local\Temp\5890798F97F9144206499433A5DB3011.exe
      "C:\Users\Admin\AppData\Local\Temp\5890798F97F9144206499433A5DB3011.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4716
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:388
  • C:\Windows\system32\BackgroundTransferHost.exe
    "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
    1⤵
    • Modifies registry class
    PID:3988
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1448
  • C:\Users\Admin\Desktop\5890798F97F9144206499433A5DB3011.exe
    "C:\Users\Admin\Desktop\5890798F97F9144206499433A5DB3011.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2664
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Modifies registry class
      PID:4684
    • C:\Users\Admin\Desktop\5890798F97F9144206499433A5DB3011.exe
      "C:\Users\Admin\Desktop\5890798F97F9144206499433A5DB3011.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1272
  • C:\Users\Admin\Desktop\5890798F97F9144206499433A5DB3011.exe
    "C:\Users\Admin\Desktop\5890798F97F9144206499433A5DB3011.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1568
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Modifies registry class
      PID:4660
    • C:\Users\Admin\Desktop\5890798F97F9144206499433A5DB3011.exe
      "C:\Users\Admin\Desktop\5890798F97F9144206499433A5DB3011.exe"
      2⤵
      PID:1104
    • C:\Users\Admin\Desktop\5890798F97F9144206499433A5DB3011.exe
      "C:\Users\Admin\Desktop\5890798F97F9144206499433A5DB3011.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3008
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /0
    1⤵
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:428
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    1⤵
    PID:1652
  • C:\Windows\System32\oobe\UserOOBEBroker.exe
    C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    PID:3008
  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
    C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    PID:3992

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5890798F97F9144206499433A5DB3011.exe.log

    Filesize

    1KB

    MD5

    7e1ed0055c3eaa0bbc4a29ec1ef15a6a

    SHA1

    765b954c1adbb6a6ecc4fe912fdaa6d0fba0ae7d

    SHA256

    4c17576f64dea465c45a50573ee41771f7be9962ab2d07f961af4df5589bdcce

    SHA512

    de7c784c37d18c43820908add88f08ab4864c0ef3f9d158cc2c9d1bab120613cb093dd4bfc5d7ed0c289414956cfe0b213c386f8e6b5753847dec915566297c8

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\bc9c55b4-659c-4b0d-bd9d-e0b2a5c150fe.down_data

    Filesize

    555KB

    MD5

    5683c0028832cae4ef93ca39c8ac5029

    SHA1

    248755e4e1db552e0b6f8651b04ca6d1b31a86fb

    SHA256

    855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

    SHA512

    aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

  • memory/428-34-0x0000029AF9820000-0x0000029AF9821000-memory.dmp

    Filesize

    4KB

  • memory/428-24-0x0000029AF9820000-0x0000029AF9821000-memory.dmp

    Filesize

    4KB

  • memory/428-29-0x0000029AF9820000-0x0000029AF9821000-memory.dmp

    Filesize

    4KB

  • memory/428-30-0x0000029AF9820000-0x0000029AF9821000-memory.dmp

    Filesize

    4KB

  • memory/428-31-0x0000029AF9820000-0x0000029AF9821000-memory.dmp

    Filesize

    4KB

  • memory/428-32-0x0000029AF9820000-0x0000029AF9821000-memory.dmp

    Filesize

    4KB

  • memory/428-33-0x0000029AF9820000-0x0000029AF9821000-memory.dmp

    Filesize

    4KB

  • memory/428-35-0x0000029AF9820000-0x0000029AF9821000-memory.dmp

    Filesize

    4KB

  • memory/428-23-0x0000029AF9820000-0x0000029AF9821000-memory.dmp

    Filesize

    4KB

  • memory/428-25-0x0000029AF9820000-0x0000029AF9821000-memory.dmp

    Filesize

    4KB

  • memory/3904-2-0x0000000005560000-0x0000000005B06000-memory.dmp

    Filesize

    5.6MB

  • memory/3904-1-0x0000000000360000-0x0000000000416000-memory.dmp

    Filesize

    728KB

  • memory/3904-17-0x00000000743F0000-0x0000000074BA1000-memory.dmp

    Filesize

    7.7MB

  • memory/3904-0-0x00000000743FE000-0x00000000743FF000-memory.dmp

    Filesize

    4KB

  • memory/3904-3-0x00000000743F0000-0x0000000074BA1000-memory.dmp

    Filesize

    7.7MB

  • memory/3904-6-0x0000000006770000-0x000000000680C000-memory.dmp

    Filesize

    624KB

  • memory/3904-5-0x0000000005020000-0x000000000502A000-memory.dmp

    Filesize

    40KB

  • memory/3904-4-0x0000000005050000-0x00000000050E2000-memory.dmp

    Filesize

    584KB

  • memory/4716-15-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB