Resubmissions
01/07/2025, 06:41
250701-hf9akasp12 1001/07/2025, 06:22
250701-g43bgsdl5v 1010/06/2025, 16:01
250610-tgnk2azqw5 10Analysis
-
max time kernel
105s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20250610-en -
resource tags
arch:x64arch:x86image:win10v2004-20250610-enlocale:en-usos:windows10-2004-x64system -
submitted
01/07/2025, 06:41
Static task
static1
Behavioral task
behavioral1
Sample
271JaJbQjMLGbcc.exe
Resource
win10v2004-20250610-en
Behavioral task
behavioral2
Sample
271JaJbQjMLGbcc.exe
Resource
win10ltsc2021-20250610-en
General
-
Target
271JaJbQjMLGbcc.exe
-
Size
667KB
-
MD5
17043ee76cd32800262fa06cfc3ac690
-
SHA1
0f11ac97736fb42fd30d6c4abf1da4549e8f0101
-
SHA256
6781be8abda50b0cc7d27b9466f7b39572f978cf16151092554e7b4557f0ac06
-
SHA512
0ec8c106a4d55deee49da8a9696f36cbcfb55872d0d2e982416be34ab7e81faa2b2c12f86575e195093d24b78978691c4c242fe7bdf1ab728a68bf92b57d31d7
-
SSDEEP
12288:disP8yffxahqfDGZW17k0+YHPEd8MwP0WAra3OjuBGy1kuOEXuVjCqfkR:n8yffxQqbuWZk9DNWAr6u+3OCq6
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4340 powershell.exe 2788 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3001560346-2020497773-4190896137-1000\Control Panel\International\Geo\Nation 271JaJbQjMLGbcc.exe -
Uses the VBS compiler for execution 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 271JaJbQjMLGbcc.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2756 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 2116 271JaJbQjMLGbcc.exe 2788 powershell.exe 4340 powershell.exe 4340 powershell.exe 2116 271JaJbQjMLGbcc.exe 2116 271JaJbQjMLGbcc.exe 2116 271JaJbQjMLGbcc.exe 2116 271JaJbQjMLGbcc.exe 2116 271JaJbQjMLGbcc.exe 2116 271JaJbQjMLGbcc.exe 2116 271JaJbQjMLGbcc.exe 2116 271JaJbQjMLGbcc.exe 2116 271JaJbQjMLGbcc.exe 2116 271JaJbQjMLGbcc.exe 4340 powershell.exe 2788 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2116 271JaJbQjMLGbcc.exe Token: SeDebugPrivilege 2788 powershell.exe Token: SeDebugPrivilege 4340 powershell.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 2116 wrote to memory of 4340 2116 271JaJbQjMLGbcc.exe 97 PID 2116 wrote to memory of 4340 2116 271JaJbQjMLGbcc.exe 97 PID 2116 wrote to memory of 4340 2116 271JaJbQjMLGbcc.exe 97 PID 2116 wrote to memory of 2788 2116 271JaJbQjMLGbcc.exe 99 PID 2116 wrote to memory of 2788 2116 271JaJbQjMLGbcc.exe 99 PID 2116 wrote to memory of 2788 2116 271JaJbQjMLGbcc.exe 99 PID 2116 wrote to memory of 2756 2116 271JaJbQjMLGbcc.exe 101 PID 2116 wrote to memory of 2756 2116 271JaJbQjMLGbcc.exe 101 PID 2116 wrote to memory of 2756 2116 271JaJbQjMLGbcc.exe 101 PID 2116 wrote to memory of 1868 2116 271JaJbQjMLGbcc.exe 103 PID 2116 wrote to memory of 1868 2116 271JaJbQjMLGbcc.exe 103 PID 2116 wrote to memory of 1868 2116 271JaJbQjMLGbcc.exe 103 PID 2116 wrote to memory of 4784 2116 271JaJbQjMLGbcc.exe 104 PID 2116 wrote to memory of 4784 2116 271JaJbQjMLGbcc.exe 104 PID 2116 wrote to memory of 4784 2116 271JaJbQjMLGbcc.exe 104 PID 2116 wrote to memory of 6000 2116 271JaJbQjMLGbcc.exe 105 PID 2116 wrote to memory of 6000 2116 271JaJbQjMLGbcc.exe 105 PID 2116 wrote to memory of 6000 2116 271JaJbQjMLGbcc.exe 105 PID 2116 wrote to memory of 1652 2116 271JaJbQjMLGbcc.exe 106 PID 2116 wrote to memory of 1652 2116 271JaJbQjMLGbcc.exe 106 PID 2116 wrote to memory of 1652 2116 271JaJbQjMLGbcc.exe 106 PID 2116 wrote to memory of 5072 2116 271JaJbQjMLGbcc.exe 107 PID 2116 wrote to memory of 5072 2116 271JaJbQjMLGbcc.exe 107 PID 2116 wrote to memory of 5072 2116 271JaJbQjMLGbcc.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe"C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4340
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xQKiRiS.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2788
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xQKiRiS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD755.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2756
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵PID:1868
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵PID:4784
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵PID:6000
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵PID:1652
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵PID:5072
-
Network
MITRE ATT&CK Enterprise v16
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
18KB
MD58814133bfca93253f1a9eb8fb7bae187
SHA129b755a1091ff5ba918148f99ed96eb8cbff2603
SHA2565de9df6973ba46855e1ea7ebad91ee19f907755a018e3f45c6fcb9391c559efa
SHA51266fed52564da009c4dc93e55cf909581971fba0fccecb459afbc2c889c4d9d8f5eedcc6b75ac26f3518ba7e45a13e2e353fc7fee1193989abbdc4b8f72951352
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD57eae5f2826cef3c441fdcc7a3d2a7d2f
SHA17234b00bab6ff6369e4e6bcb207cbe82d62bb119
SHA2564e8bc60b66dff0c77cdba36d8074016b5932ebfb4959fa5aa89d503243ae17a6
SHA5120ee5f855a04250677d77449bb423eb32cea9612bc78932fb41f1d1161e2eb2ccaee6f070d6a24ff325f654b07817ed9c818e957d0ab20ab5d8168a1739bd3240