Analysis

  • max time kernel
    21s
  • max time network
    28s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-07-2023 12:55

Errors

Reason
Machine shutdown

General

  • Target

    cd3df0bd520d36d373c7105c67577b92cd11ddd8a40c29044e6d4fe12b20f50a.exe

  • Size

    696KB

  • MD5

    efbe5feb1bfef5d5b37cb5717c956f93

  • SHA1

    6c58db16e9b6d41119761863c531a7c61fa63d84

  • SHA256

    cd3df0bd520d36d373c7105c67577b92cd11ddd8a40c29044e6d4fe12b20f50a

  • SHA512

    fe7390ab5be40fe6188fcd2371b4b7c8c87f3a314ff3ebb2f2fe52f1cb87bcbbf9ec07781132f37ad175f25faace5a7ff3c0bedab5b50de780b389dbfb9824e6

  • SSDEEP

    12288:jZKzOxunS7PnHbFwU+QhG6puk8mjI03zFF5dG2PNW9xkzWTjkejSOmTdzToeD1pW:jZKG7l6XAWTjkejlmZnppIl/

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe (1 IoC)
  • Modifies data under HKEY_USERS (15 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\cd3df0bd520d36d373c7105c67577b92cd11ddd8a40c29044e6d4fe12b20f50a.exe
    "C:\Users\Admin\AppData\Local\Temp\cd3df0bd520d36d373c7105c67577b92cd11ddd8a40c29044e6d4fe12b20f50a.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\oOEUF.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4988
      • C:\Windows\system32\cscript.exe
        cscript C:\Users\Admin\AppData\Local\Temp\mFmAhoH.vbs
        3⤵
        • Drops startup file
        PID:1368
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Roaming\BIHQJRXS.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\BIHQJRXS.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4240
        • C:\Windows\system32\timeout.exe
          timeout /t 10
          4⤵
          • Delays execution with timeout.exe
          PID:4948
        • C:\Windows\system32\shutdown.exe
          shutdown /r /t 0
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4936
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa394a855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4288

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\mFmAhoH.vbs

    Filesize

    270B

    MD5

    724af705cc6a205505e76231a4c01421

    SHA1

    23b7ff0cfec2cb4cb70e93195bc1bbb7d5d7490e

    SHA256

    534cfb0a27a351b290d9503cd718954468627c9132d8b749a2422856d5e63d57

    SHA512

    840e3d10ee773e37bf2ebd4cb3b04dafcfdbd68967ebe87aa144efa604afef14469ecec2b6a1cffe8d2eb22e329b6da69e1bc525873669482d2c8b961b17bb03

  • C:\Users\Admin\AppData\Local\Temp\oOEUF.bat

    Filesize

    589B

    MD5

    6336f24e20b0c039d2127446afdfbd39

    SHA1

    4969466e9b0a7ec8856d4ee258e79ac8a04954fc

    SHA256

    203a32f51bc9b0f1e6ef905cc6c27f7b7eb964be5f97c2a306eaae9dcd6945bf

    SHA512

    acefa293cd1b87c213c1e91b04bf7e2f0b4a069e22ebd1bcd656e91c346da50c20117ea3af338ac023b214dd5dc0d8de2b1271941e70ab34295523b2aea67f84

  • C:\Users\Admin\AppData\Roaming\BIHQJRXS.bat

    Filesize

    44B

    MD5

    e04f000c162860777360b3c135dcb86f

    SHA1

    dcfaa535a33309cf3c435a6a4eaa3737d1eb7ad5

    SHA256

    66ad9e8bd3303f0865f43f275865c18969c83cd7162b540e5cde753aca9e4e58

    SHA512

    e73b3605dfa0fc3e2f9c5bb80e47abcf47361effed09f1e2efcb01e9799f900d594908d6e731056540817b1b9b8deaf47510b1f92a8e25c86e6b207e3a995ea9