Analysis
-
max time kernel
144s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
07-10-2023 17:01
Static task
static1
Behavioral task
behavioral1
Sample
b0f91c6deb931938b07efe82d94c6a5f1a4c02e88aa363510173d8e03b5693c3.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
b0f91c6deb931938b07efe82d94c6a5f1a4c02e88aa363510173d8e03b5693c3.exe
Resource
win10v2004-20230915-en
General
-
Target
b0f91c6deb931938b07efe82d94c6a5f1a4c02e88aa363510173d8e03b5693c3.exe
-
Size
10.5MB
-
MD5
72779104658603b444660521a7bebe06
-
SHA1
8fe0abe063e9311f3bf71ece6e5a727e7e122e70
-
SHA256
b0f91c6deb931938b07efe82d94c6a5f1a4c02e88aa363510173d8e03b5693c3
-
SHA512
8e4d34cd96f4011ca463852eefa9767f53ea5e32146d78695e9e5fceb3a03da82382359898c27bffababfe8a1b6c41fade78e4bbf6a88877e26529708a058f73
-
SSDEEP
196608:SBBZMk+TOfMUEGxWMLoXSTbISqh3arecbxn5o6Lb8McYLWa32/tjbk0Kw/lCt1yg:SBBl+TdUETMTY7h3UbxnT04KaG/tjw0M
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" b0f91c6deb931938b07efe82d94c6a5f1a4c02e88aa363510173d8e03b5693c3.exe Set value (int) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10" b0f91c6deb931938b07efe82d94c6a5f1a4c02e88aa363510173d8e03b5693c3.exe Set value (int) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" b0f91c6deb931938b07efe82d94c6a5f1a4c02e88aa363510173d8e03b5693c3.exe Set value (int) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" b0f91c6deb931938b07efe82d94c6a5f1a4c02e88aa363510173d8e03b5693c3.exe Key created \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Internet Explorer\International\CpMRU b0f91c6deb931938b07efe82d94c6a5f1a4c02e88aa363510173d8e03b5693c3.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 4420 b0f91c6deb931938b07efe82d94c6a5f1a4c02e88aa363510173d8e03b5693c3.exe 4420 b0f91c6deb931938b07efe82d94c6a5f1a4c02e88aa363510173d8e03b5693c3.exe 4420 b0f91c6deb931938b07efe82d94c6a5f1a4c02e88aa363510173d8e03b5693c3.exe 4420 b0f91c6deb931938b07efe82d94c6a5f1a4c02e88aa363510173d8e03b5693c3.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4420 wrote to memory of 3796 4420 b0f91c6deb931938b07efe82d94c6a5f1a4c02e88aa363510173d8e03b5693c3.exe 89 PID 4420 wrote to memory of 3796 4420 b0f91c6deb931938b07efe82d94c6a5f1a4c02e88aa363510173d8e03b5693c3.exe 89 PID 4420 wrote to memory of 3796 4420 b0f91c6deb931938b07efe82d94c6a5f1a4c02e88aa363510173d8e03b5693c3.exe 89 PID 4420 wrote to memory of 3888 4420 b0f91c6deb931938b07efe82d94c6a5f1a4c02e88aa363510173d8e03b5693c3.exe 90 PID 4420 wrote to memory of 3888 4420 b0f91c6deb931938b07efe82d94c6a5f1a4c02e88aa363510173d8e03b5693c3.exe 90 PID 4420 wrote to memory of 3888 4420 b0f91c6deb931938b07efe82d94c6a5f1a4c02e88aa363510173d8e03b5693c3.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\b0f91c6deb931938b07efe82d94c6a5f1a4c02e88aa363510173d8e03b5693c3.exe"C:\Users\Admin\AppData\Local\Temp\b0f91c6deb931938b07efe82d94c6a5f1a4c02e88aa363510173d8e03b5693c3.exe"1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4420 -
C:\Windows\SysWOW64\cmd.execmd /c del "C:\Users\Admin\AppData\Local\Temp\*91c6deb931938b07efe82d94c6a5f1a4c02e88aa363510173d8e03b5693c3.exe"2⤵PID:3796
-
-
C:\Windows\SysWOW64\cmd.execmd /c del "C:\Users\Admin\AppData\Local\Temp\*.dll"2⤵PID:3888
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD56ec353517ee53a36ab4300b3f2c81502
SHA1d4c6dac2a8d688a7b0053e72174365beb786e646
SHA256bfe01ab3783a802b7f55356d45f0d37519428de273213f41e93bdcfdd64e0f08
SHA5120bac896294d3fa390ce5f34724ca6e12b6b8a5ff984d3b8f59ef5a1aae7e1e117e1a1708162b8c06f85fd4975f11c218ffeef15a18ec244d01bec6f8bde7d3f7
-
Filesize
1KB
MD5c0d7496332120d41a7e02d3411d9c5dc
SHA1e6ba7a30c5f3f86b57f48e61cfec77861492f223
SHA256538e316246ac4dbba92b1e7af7d195c67e5cdb096ead70f5a795450bfafdab7c
SHA51231f720082fa8c66e04f3ef833acd8073c75ae98ba6ce6eae81b22c422c2fff673a39b9963cc65d9e8ddb144d261c0fcb87ae826979cc28044abda6be9658ef08
-
C:\Users\Admin\AppData\Local\Temp\b0f91c6deb931938b07efe82d94c6a5f1a4c02e88aa363510173d8e03b5693c3.exepack.tmp
Filesize2KB
MD52da3deba5f134c4fffcd557789ff42fe
SHA1eb96ba3ea478e84251b18f0ad77181938075edde
SHA25662056286fbe574327b8fe2b0b899e73b9c155e7af5899ed41acf5550843625f8
SHA512f66988b6be82ada5f27652bed6a807ceea5ba9b1cc57f8e821cd2f912db3ecb99c461d74ca943b29ef0e1b79b0d3f559c5c45047de6d9a399517bff43631574b