Analysis
- max time kernel: 51s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/07/2023, 04:00
Static task: static1
Behavioral task: behavioral1
  Sample: e1f944688e00a6753e1dfa4e5d8a7670.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: e1f944688e00a6753e1dfa4e5d8a7670.exe
  Resource: win10v2004-20230703-en
General
- Target: e1f944688e00a6753e1dfa4e5d8a7670.exe
- Size: 3.0MB
- MD5: e1f944688e00a6753e1dfa4e5d8a7670
- SHA1: bc4ac9ef640a74fcf240f14def4948ec6e9346c4
- SHA256: 2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9
- SHA512: a469ee8b8771b47ef185bacc7853fdf253533725da9e0f19543e5c38a273a344658808de6e10d2802b2548284778575d9a2b60b611a58e292d1a2f0132e04dc6
- SSDEEP: 24576:V5KrtzH/iYOdy9HQUtiImGqPPUPJp6XdCGQV3JfIR:CrxH/iYV9VeGqPPsT6UvrQR
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation
  Process: e1f944688e00a6753e1dfa4e5d8a7670.exe
- Executes dropped EXE (2 IoCs)
  pid   Process
  4572  chrome.exe
  4964  chrome.exe
- Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process                               procid_target
  PID 1304 set thread context of 4768  1304  e1f944688e00a6753e1dfa4e5d8a7670.exe  93
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  3092  schtasks.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  description                       pid   Process                               procid_target  entries
  PID 1304 wrote to memory of 4768  1304  e1f944688e00a6753e1dfa4e5d8a7670.exe  93             8
  PID 1304 wrote to memory of 4572  1304  e1f944688e00a6753e1dfa4e5d8a7670.exe  94             3
  PID 1304 wrote to memory of 1556  1304  e1f944688e00a6753e1dfa4e5d8a7670.exe  95             3
  PID 1304 wrote to memory of 3148  1304  e1f944688e00a6753e1dfa4e5d8a7670.exe  98             3
  PID 3148 wrote to memory of 3092  3148  cmd.exe                               99             3
  PID 1304 wrote to memory of 2972  1304  e1f944688e00a6753e1dfa4e5d8a7670.exe  100            3
Processes
- C:\Users\Admin\AppData\Local\Temp\e1f944688e00a6753e1dfa4e5d8a7670.exe (PID 1304)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e1f944688e00a6753e1dfa4e5d8a7670.exe"
  Signatures: Checks computer location settings; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\e1f944688e00a6753e1dfa4e5d8a7670.exe (PID 4768)
    Command line: "C:\Users\Admin\AppData\Local\Temp\e1f944688e00a6753e1dfa4e5d8a7670.exe"
  - C:\Users\Admin\AppData\Local\Temp\chrome.exe (PID 4572)
    Command line: "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1556)
    Command line: "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\chrome"
  - C:\Windows\SysWOW64\cmd.exe (PID 3148)
    Command line: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\chrome\chrome.exe'" /f
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 3092)
      Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\chrome\chrome.exe'" /f
      Signatures: Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (PID 2972)
    Command line: "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\e1f944688e00a6753e1dfa4e5d8a7670.exe" "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
- C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 4964)
  Command line: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.0MB
  MD5: b3d8ceb7e2bfbe5f089d81312632b27f
  SHA1: 4cb60364f395dac0fe6b56d3130a9d4ff39d0fc6
  SHA256: cf00a8bab3af58f4e0809febf8707b6b4c4e67f46140cd273d468425d012c54f
  SHA512: 9e5be6621a4820dd86e1285d0d64283c3bcb70576a1fee0e9bb21c2a4afceed8df363f8537870192397bb6897e0e8160334a01ca97d50cacff6e9d38b2ce259f
- Filesize: 704KB
  MD5: 9a94488b01ed61b88881dc4bf826cbd1
  SHA1: 5a930ea9fecb209dc86d10464a46cfb3e52ae0bf
  SHA256: 4535759e026c7e106b05e60aeb510fdce098959ea1fe7be52a00bd62a4ec89d5
  SHA512: b20e190bdc58494becb733b2325516768256cb5ec7a6297aa31f602eb7254a05285a93a69994e1ef6e8d4fd8a6240f61f71e56ffc3d35db245d3d19a3e4231e4
- Filesize: 944KB
  MD5: 19ae401a1484e5ee730d5246cef40de5
  SHA1: c71036731b5811f86abb057627929aa01c311f5a
  SHA256: 6bd5d96e447ca404aeef2d957d15827c2b37107f0342a2bbe2d3c67f25fd8ff0
  SHA512: 3d489ce7956eff2340fc452dc17c7aaaf27ca293c1956738890ac8eec9b0b08d3d724d8502c202ba3f5481917d690b3ba895de17322179d3fdca20bcb7a44162