Analysis

  • max time kernel
    20s
  • max time network
    27s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-07-2023 12:54

Errors

Reason
Machine shutdown

General

  • Target

    ae09d492ad1f9c8589dd93af19d7655051fb890d1710259bba0453515d701470.exe

  • Size

    690KB

  • MD5

    e12dc94a46521e39e3555972381650d7

  • SHA1

    526ec5384befc08a85cf5c32e992d2bf078fe354

  • SHA256

    ae09d492ad1f9c8589dd93af19d7655051fb890d1710259bba0453515d701470

  • SHA512

    4f611f4c0cccb8e2fbd015487352220507e7157822922dd20609dc30c6ad70029e055d101d3f5739a83419923d5a33222b5c0103c6e1f5133e3460e3c825e79c

  • SSDEEP

    12288:jZKzOxunS7PnHbFwU+QhG6puk8mjI03zFF5dG2PNW9xkzWTjkejSOmTdzToeD1pU:jZKG7l6XAWTjkejlmZnppd2

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ae09d492ad1f9c8589dd93af19d7655051fb890d1710259bba0453515d701470.exe
    "C:\Users\Admin\AppData\Local\Temp\ae09d492ad1f9c8589dd93af19d7655051fb890d1710259bba0453515d701470.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3344
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ExpHajzu.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1288
      • C:\Windows\system32\cscript.exe
        cscript C:\Users\Admin\AppData\Local\Temp\AgOkdv.vbs
        3⤵
        • Drops startup file
        PID:4404
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Roaming\GBSDSUCH.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3900
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\GBSDSUCH.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3616
        • C:\Windows\system32\timeout.exe
          timeout /t 10
          4⤵
          • Delays execution with timeout.exe
          PID:540
        • C:\Windows\system32\shutdown.exe
          shutdown /r /t 0
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:5064
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3946855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4308

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\AgOkdv.vbs

    Filesize

    260B

    MD5

    5473c8215eb8e778da4231249a9fd412

    SHA1

    3ef43bd1e5aa001f41e4e26c2aa0ce347c8931b0

    SHA256

    48d28fcdb058e82fbbbcdbb1a6df42c11d519e0bf7f2fa75f267492ead300a50

    SHA512

    99a769fe92e151800a483863ff3f692dea95fca56991848ef5f9888180fcb84cb804c179f1da24013a26f234d09fe55deaee7776b4b1787556a133b55543812d

  • C:\Users\Admin\AppData\Local\Temp\ExpHajzu.bat

    Filesize

    573B

    MD5

    6286926a4c6a47962dd695594d505e3b

    SHA1

    2788d794ef110ed919dc85ebe10517bd7379a46a

    SHA256

    b534abb2ce9e0c0241175c879e1d515e6805523836740a7d119ed3f5a58881f4

    SHA512

    2fda7cf14b2fe101f4788b80a72904f76f700c0e767a7e66b91ef493a49c454ccd793d0f4cae090d966aa15de81ae7941dafa9114e508f0a77c7e55eacbf797c

  • C:\Users\Admin\AppData\Roaming\GBSDSUCH.bat

    Filesize

    44B

    MD5

    e04f000c162860777360b3c135dcb86f

    SHA1

    dcfaa535a33309cf3c435a6a4eaa3737d1eb7ad5

    SHA256

    66ad9e8bd3303f0865f43f275865c18969c83cd7162b540e5cde753aca9e4e58

    SHA512

    e73b3605dfa0fc3e2f9c5bb80e47abcf47361effed09f1e2efcb01e9799f900d594908d6e731056540817b1b9b8deaf47510b1f92a8e25c86e6b207e3a995ea9