Resubmissions
- 10-10-2023 19:06  231010-xr48baaa72  7
- 10-10-2023 18:57  231010-xmdvkahh85  7
- 11-12-2020 07:11  201211-8rk4l8xrye  10

Analysis
- max time kernel: 140s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-10-2023 18:57
Static task: static1
Behavioral task: behavioral1
  Sample: 107fe810309d392811fb898622aa607c.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: 107fe810309d392811fb898622aa607c.exe
  Resource: win10-20230915-en
Behavioral task: behavioral3
  Sample: 107fe810309d392811fb898622aa607c.exe
  Resource: win10v2004-20230915-en
General
- Target: 107fe810309d392811fb898622aa607c.exe
- Size: 265KB
- MD5: 107fe810309d392811fb898622aa607c
- SHA1: da82f9894db9b0a9b3cc9565a0c71e3e851cf98b
- SHA256: d03c84a13b8e6274f7353fd98e35f73c194938b61690a9a8a83c594a40994dec
- SHA512: 1def7eff04fac2e9ce8f8f54655ade9640dfe81d0bf957762d173b13ef5d6681ef212418f8fd0e72d0d40fa0d2b0e1c1a3f05805ab0009bf2db3f175cd3d7d84
- SSDEEP: 1536:vU+AIFt7FeLuMI8Orz99qsOCGMfZovSCC:vU+Aet0aZ3RHovW
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 107fe810309d392811fb898622aa607c.exe
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation
    process: 107fe810309d392811fb898622aa607c.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTPs, 1 IoC)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 107fe810309d392811fb898622aa607c.exe, cmd.exe
    description                          | pid  | process                               | target pid | target process
    PID 4592 wrote to memory of 1648     | 4592 | 107fe810309d392811fb898622aa607c.exe  | 1648       | cmd.exe
    PID 4592 wrote to memory of 1648     | 4592 | 107fe810309d392811fb898622aa607c.exe  | 1648       | cmd.exe
    PID 4592 wrote to memory of 1648     | 4592 | 107fe810309d392811fb898622aa607c.exe  | 1648       | cmd.exe
    PID 1648 wrote to memory of 2412     | 1648 | cmd.exe                               | 2412       | PING.EXE
    PID 1648 wrote to memory of 2412     | 1648 | cmd.exe                               | 2412       | PING.EXE
    PID 1648 wrote to memory of 2412     | 1648 | cmd.exe                               | 2412       | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\107fe810309d392811fb898622aa607c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\107fe810309d392811fb898622aa607c.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 4592
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\107fe810309d392811fb898622aa607c.exe" >> NUL
    - Suspicious use of WriteProcessMemory
    PID: 1648
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 2412