Analysis

  • max time kernel
    145s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/10/2023, 17:42

General

  • Target

    1d5f4035c0d44f55226eebfa4e07f0b5e5bf26c8df7ec03a5892e3b86b19c344.exe

  • Size

    198KB

  • MD5

    bb353e231d82f99fbdaf3019016ccc08

  • SHA1

    d100a569f794ec30d9020403533e7a7b50ace53d

  • SHA256

    1d5f4035c0d44f55226eebfa4e07f0b5e5bf26c8df7ec03a5892e3b86b19c344

  • SHA512

    bb2cb9ec7b1df61ba504592d0315ac2ab3241a6012011c0844c211834292593e1a9b1d988bfce6186fe9d90182ef626c82ddac6de46e28f0e39378d39ad03844

  • SSDEEP

    6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOO:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXX/

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d5f4035c0d44f55226eebfa4e07f0b5e5bf26c8df7ec03a5892e3b86b19c344.exe
    "C:\Users\Admin\AppData\Local\Temp\1d5f4035c0d44f55226eebfa4e07f0b5e5bf26c8df7ec03a5892e3b86b19c344.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5060
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\1D5F40~1.EXE > nul
      2⤵
        PID:1660
    • C:\Windows\Debug\bqchost.exe
      C:\Windows\Debug\bqchost.exe
      1⤵
      • Executes dropped EXE
      • Checks processor information in registry
      PID:4124

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Debug\bqchost.exe

    Filesize
    198KB

    MD5
    c81d1412a90666bed143934f7c122ce6

    SHA1
    f0a82a23a7ad2792e78789121629a15fd8ee87b3

    SHA256
    bef00d1f56aa7ddd2763b9e4941d281abf87901393ec9c7fadc98552f4b339a0

    SHA512
    4732942f55977de4bd6607387f6b579a0d3a9183d5f406cfeca531740960f45b7412805e5f86027a9af64d6e82d72446effac717b50f8380ebfcbdfec766a065

  • C:\Windows\debug\bqchost.exe

    Filesize
    198KB

    MD5
    c81d1412a90666bed143934f7c122ce6

    SHA1
    f0a82a23a7ad2792e78789121629a15fd8ee87b3

    SHA256
    bef00d1f56aa7ddd2763b9e4941d281abf87901393ec9c7fadc98552f4b339a0

    SHA512
    4732942f55977de4bd6607387f6b579a0d3a9183d5f406cfeca531740960f45b7412805e5f86027a9af64d6e82d72446effac717b50f8380ebfcbdfec766a065