cc74a3ab905dae3a6be45c73f5691de1ccd8237a3e103b16dfd24227a9a8f8ba

Analysis

max time kernel
147s
max time network
147s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
28/03/2025, 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

deljack-main/tkskfaaa.exe
Size

27KB
MD5

2ff8e057084b5c180e9b447e08d2d747
SHA1

92b35c1b8f72c18dd3e945743cb93e8531d73e2b
SHA256

accdada8772018e58baa0ecb3e79c507eb09c7d67f22f59e323c74b51eac9072
SHA512

7ae542c6ca36e5ed934ca503f3489144e0ec7d81ad246af88bb525cb494f6725df0aa9131c72afe79ff02364dd65ec7a3ffb01846f99836feff06746193af251
SSDEEP

384:9XKCifuPVcppE4KeEdAl7H0I4GSFdr0NAbybMAf3L+9tHmXel7xI:96CiWPVypE4QalMZmoZ3Hmw7

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000\Control Panel\International\Geo\Nation	tkskfaaa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000\Control Panel\International\Geo\Nation	service.exe

Executes dropped EXE 1 IoCs

pid	Process
4952	service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tkskfaaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5528	schtasks.exe
3124	schtasks.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 6080 wrote to memory of 3276	6080	tkskfaaa.exe	81
PID 6080 wrote to memory of 3276	6080	tkskfaaa.exe	81
PID 6080 wrote to memory of 3276	6080	tkskfaaa.exe	81
PID 3276 wrote to memory of 5528	3276	cmd.exe	83
PID 3276 wrote to memory of 5528	3276	cmd.exe	83
PID 3276 wrote to memory of 5528	3276	cmd.exe	83
PID 4952 wrote to memory of 3104	4952	service.exe	93
PID 4952 wrote to memory of 3104	4952	service.exe	93
PID 4952 wrote to memory of 3104	4952	service.exe	93
PID 3104 wrote to memory of 3124	3104	cmd.exe	95
PID 3104 wrote to memory of 3124	3104	cmd.exe	95
PID 3104 wrote to memory of 3124	3104	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\deljack-main\tkskfaaa.exe
"C:\Users\Admin\AppData\Local\Temp\deljack-main\tkskfaaa.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:6080
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /create /tn GoogleUpdaterex /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3276
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn GoogleUpdaterex /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5528

C:\Users\Admin\AppData\Roaming\service.exe
"C:\Users\Admin\AppData\Roaming\service.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /create /tn GoogleUpdaterex /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3104
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn GoogleUpdaterex /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\service.exe

Filesize
27KB

MD5
2ff8e057084b5c180e9b447e08d2d747

SHA1
92b35c1b8f72c18dd3e945743cb93e8531d73e2b

SHA256
accdada8772018e58baa0ecb3e79c507eb09c7d67f22f59e323c74b51eac9072

SHA512
7ae542c6ca36e5ed934ca503f3489144e0ec7d81ad246af88bb525cb494f6725df0aa9131c72afe79ff02364dd65ec7a3ffb01846f99836feff06746193af251

Download Submit
memory/4952-3-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/6080-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads