Analysis

  • max time kernel
    51s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/07/2023, 04:00

General

  • Target

    e1f944688e00a6753e1dfa4e5d8a7670.exe

  • Size

    3.0MB

  • MD5

    e1f944688e00a6753e1dfa4e5d8a7670

  • SHA1

    bc4ac9ef640a74fcf240f14def4948ec6e9346c4

  • SHA256

    2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9

  • SHA512

    a469ee8b8771b47ef185bacc7853fdf253533725da9e0f19543e5c38a273a344658808de6e10d2802b2548284778575d9a2b60b611a58e292d1a2f0132e04dc6

  • SSDEEP

    24576:V5KrtzH/iYOdy9HQUtiImGqPPUPJp6XdCGQV3JfIR:CrxH/iYV9VeGqPPsT6UvrQR

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs

    Runs the files the sample writes to disk: C:\Users\Admin\AppData\Local\Temp\chrome.exe and the copy placed at C:\Users\Admin\AppData\Roaming\chrome\chrome.exe.

  • Suspicious use of SetThreadContext 1 IoCs

    Setting the context of a thread in another process is a standard step in process hollowing and similar code-injection techniques; here the parent (PID 1304) spawns a second copy of itself (PID 4768), the usual target of that technique.
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 23 IoCs

    Writes into the memory of another process. Together with SetThreadContext on the same parent (PID 1304) and the self-spawned child (PID 4768), this is the pattern consistent with injecting code into a child copy of the sample.

Processes

  • C:\Users\Admin\AppData\Local\Temp\e1f944688e00a6753e1dfa4e5d8a7670.exe
    "C:\Users\Admin\AppData\Local\Temp\e1f944688e00a6753e1dfa4e5d8a7670.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Users\Admin\AppData\Local\Temp\e1f944688e00a6753e1dfa4e5d8a7670.exe
      "C:\Users\Admin\AppData\Local\Temp\e1f944688e00a6753e1dfa4e5d8a7670.exe"
      2⤵
        PID:4768
      • C:\Users\Admin\AppData\Local\Temp\chrome.exe
        "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
        2⤵
        • Executes dropped EXE
        PID:4572
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\chrome"
        2⤵
          PID:1556
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\chrome\chrome.exe'" /f
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3148
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\chrome\chrome.exe'" /f
            3⤵
            • Creates scheduled task(s)
            PID:3092
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\e1f944688e00a6753e1dfa4e5d8a7670.exe" "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
          2⤵
            PID:2972
        • C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
          C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
          1⤵
          • Executes dropped EXE
          PID:4964
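The process tree above shows the whole persistence chain in order: mkdir the Roaming\chrome directory, register a scheduled task that runs C:\Users\Admin\AppData\Roaming\chrome\chrome.exe every minute, then copy the sample there, while the parent also spawns a second copy of itself (PID 4768) under the SetThreadContext and WriteProcessMemory signatures. The script below is an added example, not part of this report or of the sandbox's own signature set; it turns those observations into three checks over process-creation events (schtasks persistence into a user-writable path, a well-known binary name running outside its install directory, and a child with the same image as its parent). The event records are constructed from the command lines on this page, parent PIDs are inferred from the tree's indentation (PID 4964's parent is not shown, so it is left as None), and the severity thresholds and the EXPECTED_DIRS table are assumptions of this example.

```python
"""Detection logic for the behaviour in this report's process tree (added example,
not part of the sandbox report). The events are constructed from the command lines
on this page; parent PIDs are inferred from the tree's indentation, and PID 4964's
parent is not shown in the report, so it is left as None."""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e1f944688e00a6753e1dfa4e5d8a7670.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
TEMP_CHROME = r"C:\Users\Admin\AppData\Local\Temp\chrome.exe"
ROAMING_CHROME = r"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
TASK_ARGS = r'''/create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\chrome\chrome.exe'" /f'''
EVENTS = [dict(zip(("pid", "ppid", "image", "cmdline"), row)) for row in [
    (1304, None, SAMPLE, f'"{SAMPLE}"'),
    (4768, 1304, SAMPLE, f'"{SAMPLE}"'),
    (4572, 1304, TEMP_CHROME, f'"{TEMP_CHROME}"'),
    (1556, 1304, CMD, r'"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\chrome"'),
    (3148, 1304, CMD, '"cmd.exe" /C schtasks ' + TASK_ARGS),
    (3092, 3148, r"C:\Windows\SysWOW64\schtasks.exe", "schtasks " + TASK_ARGS),
    (2972, 1304, CMD, f'"cmd.exe" /C copy "{SAMPLE}" "{ROAMING_CHROME}"'),
    (4964, None, ROAMING_CHROME, ROAMING_CHROME),
]]

# schtasks options that consume the next token as their value; everything else is a flag.
VALUE_OPTS = {"/sc", "/mo", "/tn", "/tr", "/st", "/sd", "/ed", "/ru", "/rp", "/rl",
              "/ri", "/du", "/s", "/u", "/p", "/xml", "/d", "/m", "/ec"}
UNIT_SECONDS = {"minute": 60, "hourly": 3600, "daily": 86400}
# Locations a standard user can write to: a task action there is far more suspicious than one under Program Files.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|users\\public|programdata|temp)\\", re.I)
# Commonly impersonated binary names and a substring of the directory the genuine one installs to (assumption).
EXPECTED_DIRS = {"chrome.exe": "\\google\\chrome\\application\\"}

def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes only
    (neither cmd.exe nor CreateProcess treats single quotes as quoting)."""
    tokens, cur, in_quote, quoted = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quote, quoted = not in_quote, True
        elif ch.isspace() and not in_quote:
            if cur or quoted:
                tokens.append("".join(cur))
            cur, quoted = [], False
        else:
            cur.append(ch)
    if cur or quoted:
        tokens.append("".join(cur))
    return tokens

def parse_schtasks(cmdline):
    """Return {option: value or True} for a schtasks invocation (direct or via cmd /C), else None."""
    toks = tokenize(cmdline)
    names = [t.rsplit("\\", 1)[-1].lower() for t in toks]
    idx = next((i for i, n in enumerate(names) if n in ("schtasks", "schtasks.exe")), None)
    if idx is None:
        return None
    opts, i = {}, idx + 1
    while i < len(toks):
        key = toks[i].lower()
        if key in VALUE_OPTS and i + 1 < len(toks):
            opts[key], i = toks[i + 1], i + 2
        else:
            opts[key], i = True, i + 1
    return opts

def trigger_interval_seconds(opts):
    """Seconds between runs for /sc minute|hourly|daily with optional /mo; None for other schedules."""
    sc = str(opts.get("/sc", "")).lower()
    try:
        return UNIT_SECONDS[sc] * int(opts.get("/mo", 1))
    except (KeyError, ValueError, TypeError):
        return None

def task_target(opts):
    """Executable run by the task: /tr stripped of the quotes schtasks tolerates, arguments dropped."""
    tr = opts.get("/tr")
    if not isinstance(tr, str):
        return None
    tr = tr.strip().strip("'\"")
    m = re.match(r"(.*?\.exe)", tr, re.I)
    return m.group(1) if m else tr.split(" ", 1)[0]

def analyse(events):
    """Return (severity, pid, message) findings over process-creation events."""
    findings, by_pid = [], {e["pid"]: e for e in events}
    for e in events:
        opts = parse_schtasks(e["cmdline"])
        if opts and "/create" in opts:  # persistence: frequent task pointing into a user-writable path
            target, every = task_target(opts) or "", trigger_interval_seconds(opts)
            writable = bool(USER_WRITABLE.search(target))
            sev = "high" if writable and every is not None and every <= 300 else "medium" if writable else "low"
            findings.append((sev, e["pid"], f"schtasks /create tn={opts.get('/tn')!r} every {every}s -> {target}"))
        base = e["image"].rsplit("\\", 1)[-1].lower()
        expected = EXPECTED_DIRS.get(base)
        if expected and expected not in e["image"].lower():  # masquerading as a well-known binary
            findings.append(("medium", e["pid"], f"{base} running from {e['image']}"))
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"].lower() == e["image"].lower():  # self-spawn: weak alone, strong next to SetThreadContext/WriteProcessMemory
            findings.append(("low", e["pid"], f"same image as parent {parent['pid']}"))
    return findings

if __name__ == "__main__":
    for sev, pid, msg in analyse(EVENTS):
        print(f"[{sev:6}] pid {pid}: {msg}")
```

Run against the constructed events it yields five findings: both the cmd.exe wrapper (PID 3148) and schtasks.exe itself (PID 3092) score high because the task fires every 60 seconds and its action lives under AppData\Roaming; the two chrome.exe instances outside the Chrome install directory score medium; and the self-spawned PID 4768 scores low on its own, which is why a real rule should join it with the SetThreadContext and WriteProcessMemory telemetry the sandbox reports on the parent. The tokenizer deliberately ignores single quotes, since schtasks receives the literal 'C:\...\chrome.exe' and task_target has to strip them itself.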

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\chrome.exe

          Filesize

          2.0MB

          MD5

          b3d8ceb7e2bfbe5f089d81312632b27f

          SHA1

          4cb60364f395dac0fe6b56d3130a9d4ff39d0fc6

          SHA256

          cf00a8bab3af58f4e0809febf8707b6b4c4e67f46140cd273d468425d012c54f

          SHA512

          9e5be6621a4820dd86e1285d0d64283c3bcb70576a1fee0e9bb21c2a4afceed8df363f8537870192397bb6897e0e8160334a01ca97d50cacff6e9d38b2ce259f

        • C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

          Filesize

          704KB

          MD5

          9a94488b01ed61b88881dc4bf826cbd1

          SHA1

          5a930ea9fecb209dc86d10464a46cfb3e52ae0bf

          SHA256

          4535759e026c7e106b05e60aeb510fdce098959ea1fe7be52a00bd62a4ec89d5

          SHA512

          b20e190bdc58494becb733b2325516768256cb5ec7a6297aa31f602eb7254a05285a93a69994e1ef6e8d4fd8a6240f61f71e56ffc3d35db245d3d19a3e4231e4

        • C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

          Filesize

          944KB

          MD5

          19ae401a1484e5ee730d5246cef40de5

          SHA1

          c71036731b5811f86abb057627929aa01c311f5a

          SHA256

          6bd5d96e447ca404aeef2d957d15827c2b37107f0342a2bbe2d3c67f25fd8ff0

          SHA512

          3d489ce7956eff2340fc452dc17c7aaaf27ca293c1956738890ac8eec9b0b08d3d724d8502c202ba3f5481917d690b3ba895de17322179d3fdca20bcb7a44162
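The file list above carries a caveat for anyone turning it into indicators: the copy at C:\Users\Admin\AppData\Roaming\chrome\chrome.exe is recorded twice, at 704KB and 944KB, with hashes that match neither the 3.0MB submitted sample that the copy command writes nor the 2.0MB Temp\chrome.exe, so a sweep keyed on the submitted sample's hash alone can miss the persisted copy. The script below is an added example, not part of the report; it sweeps a directory tree matching on both the SHA-256 values listed on this page and the drop paths from the process tree. The demo tree it builds is constructed here, and its files are placeholders that do not hash to the report's values.

```python
"""Sweep a directory tree for this report's file indicators (added example, not part
of the sandbox report). The SHA-256 set is copied from the report. The Roaming copy
is listed there with two sizes and hashes that match neither the 3.0MB original nor
the 2.0MB Temp\\chrome.exe, so a hash-only sweep can miss the persisted copy; the drop
paths are matched as well. The demo tree built by run_demo() is constructed here."""
import hashlib
import os
import re
import shutil
import tempfile

# SHA-256 values from the report: submitted sample, Temp\chrome.exe, both Roaming\chrome\chrome.exe entries.
IOC_SHA256 = {
    "2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9",
    "cf00a8bab3af58f4e0809febf8707b6b4c4e67f46140cd273d468425d012c54f",
    "4535759e026c7e106b05e60aeb510fdce098959ea1fe7be52a00bd62a4ec89d5",
    "6bd5d96e447ca404aeef2d957d15827c2b37107f0342a2bbe2d3c67f25fd8ff0",
}
# Drop locations from the process tree, relative to any profile root; matched on a backslash-normalised path.
IOC_PATHS = [
    re.compile(r"\\appdata\\roaming\\chrome\\chrome\.exe$", re.I),
    re.compile(r"\\appdata\\local\\temp\\chrome\.exe$", re.I),
]

def sha256_file(path, chunk=1 << 20):
    """Hash the file in chunks so multi-megabyte binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan(root, sha256_iocs=IOC_SHA256, path_iocs=IOC_PATHS):
    """Walk root and return sorted (relative_path, reason) pairs; reason is "path" or "sha256".
    Relative paths are normalised to backslashes so the patterns also work on a mounted
    image under Linux."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace("/", "\\")
            if any(p.search("\\" + rel) for p in path_iocs):
                hits.append((rel, "path"))
            try:
                digest = sha256_file(full)
            except OSError:
                continue  # unreadable (locked or permission denied): keep sweeping
            if digest in sha256_iocs:
                hits.append((rel, "sha256"))
    return sorted(hits)

def run_demo():
    """Build a constructed profile tree, sweep it and return the hits."""
    root = tempfile.mkdtemp(prefix="ioc-sweep-")
    try:
        roaming = os.path.join(root, "AppData", "Roaming", "chrome")
        downloads = os.path.join(root, "Downloads")
        os.makedirs(roaming)
        os.makedirs(downloads)
        # Placeholder for the persisted copy: right path, wrong hash, like the drifted Roaming entries in the report.
        with open(os.path.join(roaming, "chrome.exe"), "wb") as f:
            f.write(b"constructed placeholder, not the sample")
        # A second constructed file whose hash is added to the IOC set to exercise the hash match.
        known_bad = b"constructed known-bad content"
        with open(os.path.join(downloads, "setup.bin"), "wb") as f:
            f.write(known_bad)
        return scan(root, IOC_SHA256 | {hashlib.sha256(known_bad).hexdigest()})
    finally:
        shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    for rel, reason in run_demo():
        print(f"{reason:6} {rel}")
```

In the demo the placeholder chrome.exe is caught only by its path and the second file only by its hash, which is the point: on a host where the persisted copy has a different size from the submitted sample, the path pattern is what finds it. The sweep cannot see the scheduled task, so on a live system pair it with a check for the task named Nafifas that the process tree shows being registered.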

        • memory/1304-134-0x00000000008A0000-0x0000000000BA4000-memory.dmp

          Filesize

          3.0MB

        • memory/1304-133-0x00000000748B0000-0x0000000075060000-memory.dmp

          Filesize

          7.7MB

        • memory/1304-138-0x0000000001670000-0x0000000001680000-memory.dmp

          Filesize

          64KB

        • memory/1304-161-0x00000000748B0000-0x0000000075060000-memory.dmp

          Filesize

          7.7MB

        • memory/1304-136-0x0000000001670000-0x0000000001680000-memory.dmp

          Filesize

          64KB

        • memory/1304-135-0x0000000005A70000-0x0000000006014000-memory.dmp

          Filesize

          5.6MB

        • memory/1304-137-0x00000000748B0000-0x0000000075060000-memory.dmp

          Filesize

          7.7MB

        • memory/4572-165-0x00000000049F0000-0x0000000004A00000-memory.dmp

          Filesize

          64KB

        • memory/4572-164-0x00000000748B0000-0x0000000075060000-memory.dmp

          Filesize

          7.7MB

        • memory/4572-155-0x0000000000120000-0x000000000014A000-memory.dmp

          Filesize

          168KB

        • memory/4572-156-0x00000000748B0000-0x0000000075060000-memory.dmp

          Filesize

          7.7MB

        • memory/4572-157-0x00000000049F0000-0x0000000004A00000-memory.dmp

          Filesize

          64KB

        • memory/4768-139-0x0000000000B00000-0x0000000000BF8000-memory.dmp

          Filesize

          992KB

        • memory/4768-162-0x00000000748B0000-0x0000000075060000-memory.dmp

          Filesize

          7.7MB

        • memory/4768-163-0x0000000005230000-0x0000000005240000-memory.dmp

          Filesize

          64KB

        • memory/4768-144-0x00000000051E0000-0x00000000051EA000-memory.dmp

          Filesize

          40KB

        • memory/4768-143-0x0000000005230000-0x0000000005240000-memory.dmp

          Filesize

          64KB

        • memory/4768-142-0x0000000005020000-0x00000000050B2000-memory.dmp

          Filesize

          584KB

        • memory/4768-141-0x00000000748B0000-0x0000000075060000-memory.dmp

          Filesize

          7.7MB

        • memory/4964-168-0x00000000748B0000-0x0000000075060000-memory.dmp

          Filesize

          7.7MB