667cb510540d8e7a6cd30007d30a8ca11110dde57bd03d2cbf87ca6b7868bdb9

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efbf15e364864659166a08e05a57ab9442dff6c9ae950a3171de120c49dd0542.exe
Size

50.8MB
MD5

272ac1334eee433b37db2477cf45b100
SHA1

3a0f26e058b1cad27accfcb0f8cdc58d5ebb1146
SHA256

efbf15e364864659166a08e05a57ab9442dff6c9ae950a3171de120c49dd0542
SHA512

4565c9b13522dd619c36b8df04f5ff873a89ee559fbe97cd7f53d4db24b9e6c125dbaa5e87178241de07ad2d2f2fd98e5ecff8c233e730ff6031545d4b600869
SSDEEP

1572864:VeWso3p+etILvQobxYcU6oBOHH94dpDyNcdJxkU2d:VHss+h3QZOHH8yCm5d

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	efbf15e364864659166a08e05a57ab9442dff6c9ae950a3171de120c49dd0542.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nobodywife.lnk	efbf15e364864659166a08e05a57ab9442dff6c9ae950a3171de120c49dd0542.exe

Executes dropped EXE 2 IoCs

pid	Process
2440	Answer Away.exe
2344	Answer Away.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2440 set thread context of 2344	2440	Answer Away.exe	107

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\ProgramData\Moment Tree\Answer Away.exe:ZONE.identifier	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efbf15e364864659166a08e05a57ab9442dff6c9ae950a3171de120c49dd0542.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Answer Away.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Answer Away.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\ProgramData\Moment Tree\Answer Away.exe:ZONE.identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3200	efbf15e364864659166a08e05a57ab9442dff6c9ae950a3171de120c49dd0542.exe
2440	Answer Away.exe
2440	Answer Away.exe
2440	Answer Away.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3200	efbf15e364864659166a08e05a57ab9442dff6c9ae950a3171de120c49dd0542.exe
Token: SeDebugPrivilege	2440	Answer Away.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2344	Answer Away.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3200 wrote to memory of 3144	3200	efbf15e364864659166a08e05a57ab9442dff6c9ae950a3171de120c49dd0542.exe	94
PID 3200 wrote to memory of 3144	3200	efbf15e364864659166a08e05a57ab9442dff6c9ae950a3171de120c49dd0542.exe	94
PID 3200 wrote to memory of 3144	3200	efbf15e364864659166a08e05a57ab9442dff6c9ae950a3171de120c49dd0542.exe	94
PID 3200 wrote to memory of 2440	3200	efbf15e364864659166a08e05a57ab9442dff6c9ae950a3171de120c49dd0542.exe	96
PID 3200 wrote to memory of 2440	3200	efbf15e364864659166a08e05a57ab9442dff6c9ae950a3171de120c49dd0542.exe	96
PID 3200 wrote to memory of 2440	3200	efbf15e364864659166a08e05a57ab9442dff6c9ae950a3171de120c49dd0542.exe	96
PID 2440 wrote to memory of 2344	2440	Answer Away.exe	107
PID 2440 wrote to memory of 2344	2440	Answer Away.exe	107
PID 2440 wrote to memory of 2344	2440	Answer Away.exe	107
PID 2440 wrote to memory of 2344	2440	Answer Away.exe	107
PID 2440 wrote to memory of 2344	2440	Answer Away.exe	107

C:\Users\Admin\AppData\Local\Temp\efbf15e364864659166a08e05a57ab9442dff6c9ae950a3171de120c49dd0542.exe
"C:\Users\Admin\AppData\Local\Temp\efbf15e364864659166a08e05a57ab9442dff6c9ae950a3171de120c49dd0542.exe"
1⤵
- Checks computer location settings
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Moment Tree\Answer Away.exe":ZONE.identifier
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:3144
- C:\ProgramData\Moment Tree\Answer Away.exe
  "C:\ProgramData\Moment Tree\Answer Away.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\ProgramData\Moment Tree\Answer Away.exe
    "C:\ProgramData\Moment Tree\Answer Away.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Moment Tree\Answer Away.exe:ZONE.identifier

Filesize
27B

MD5
130a75a932a2fe57bfea6a65b88da8f6

SHA1
b66d7530d150d45c0a390bb3c2cd4ca4fc404d1c

SHA256
f2b79cae559d6772afc1c2ed9468988178f8b6833d5028a15dea73ce47d0196e

SHA512
6cd147c6f3af95803b7b0898e97ec2ed374c1f56a487b50e3d22003a67cec26a6fa12a3920b1b5624bde156f9601469ae3c7b7354fa8cf37be76c84121767eed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Answer Away.exe.log

Filesize
580B

MD5
c508c91793c7ec10c1d0236a53339f9d

SHA1
9e8d62de92d0fd271ab5dae97ed631643108cb9d

SHA256
e4feac0dbfbaa82564a0bc0c05ceb5d5e989717f4048e151e891c56ebcf1ae26

SHA512
487729fff78f58776e07a4cdc3798df6a44c252205f6d23a20cbb93fc0e08a3cef3533a181d47fb33797d69ffb42d0e38686d67fa91b8ba25cbef60f506c4011

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nobodywife.lnk

Filesize
900B

MD5
ab90e99fb1d1995de24e5cec6442c3df

SHA1
68a0983a0d8dae578ce4cc045e021b481f5e6283

SHA256
499b8373848153a175d8aad590b83003aee030f579367978a9ed8e58412d580e

SHA512
85fef1781709bca9fced34ccc2531b4ced20af8855cd948775ee2ef0867bbf1a8494bb96204699c2e149248e6876a358076d4237530752c1665ed75f307fcf5e

Download Submit
memory/2344-32-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/2344-29-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/2344-28-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/2344-26-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/2344-22-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2440-19-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/2440-18-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/2440-20-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/2440-27-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/2440-17-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/3200-0-0x0000000074FF2000-0x0000000074FF3000-memory.dmp

Filesize
4KB

Download
memory/3200-16-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/3200-4-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/3200-3-0x0000000074FF2000-0x0000000074FF3000-memory.dmp

Filesize
4KB

Download
memory/3200-2-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/3200-1-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download