Overview

overview

7

Static

static

3

AWB 5290160308.exe

windows7-x64

7

AWB 5290160308.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/07/2023, 13:12

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    AWB 5290160308.exe

  • Size

    291KB

  • MD5

    1a0c4ae0300480337ba38f533cb5af18

  • SHA1

    9c1fa21bb5aae368ecf84bd3843495da7f5c837e

  • SHA256

    2cc3c1b87813c1f2562f73c417fcaac945fff4696048f8cc5003e8127c457081

  • SHA512

    6655596e1220c71198298189ed8c444d4e9f869b8bdea90318bda8c405032a48133e4d6f468a56371ff18587c9126bb76bc34ed8d1c22ca4105ceac48cc77069

  • SSDEEP

    6144:/Ya6oveyONi0uwCcArEPMrqqCj/Vatg+sF/aZReO7qIFkUB:/YmGfNi02rTrqqu0tbsJ0UIFkUB

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AWB 5290160308.exe
    "C:\Users\Admin\AppData\Local\Temp\AWB 5290160308.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Users\Admin\AppData\Local\Temp\AWB 5290160308.exe
      "C:\Users\Admin\AppData\Local\Temp\AWB 5290160308.exe"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4004

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\nsg7B6C.tmp\hziyf.dll
          Filesize

          83KB

          MD5

          619b0410b5295b7305fa9fc784309136

          SHA1

          deb7b203813587e727d67db362d0920f17ed5df5

          SHA256

          9b48585ed6426a331db8f4ccb511610ad3fc7fae06ec441fc03acc093a1d2c59

          SHA512

          612a39361acdd066467270222eaeff1d77db00aa5ec2bc9cab1b6b99fdbe1d82af91cacf1ee62904a0f3050c595c5a6ca9947b65b586af6c37773f442fb32bd8

          Download Submit

        • memory/4004-139-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4004-140-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4004-141-0x0000000000B80000-0x0000000000ECA000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/4004-142-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download