Overview

overview

7

Static

static

3

bdbad4a8d5...e6.exe

windows7-x64

7

bdbad4a8d5...e6.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    213s
  • max time network
    215s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-10-2023 02:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bdbad4a8d5ce2537e5884dba7ad76cd1d2ec48a4d0055eca3fd465dbfe9e6ce6.exe

  • Size

    198KB

  • MD5

    8c9df82880d9846a331d39328df93620

  • SHA1

    31d270902172562c7b73548039a0f7944ced8cf3

  • SHA256

    bdbad4a8d5ce2537e5884dba7ad76cd1d2ec48a4d0055eca3fd465dbfe9e6ce6

  • SHA512

    0bf0d66ef937f81767a0766ae2c61596cf9743596f348d69434bad6426d7596ef1184d7603c9e3a83f77cf010fb05ca9ad3ee933c40b15306a54336b12af66df

  • SSDEEP

    6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOS:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXL

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bdbad4a8d5ce2537e5884dba7ad76cd1d2ec48a4d0055eca3fd465dbfe9e6ce6.exe
    "C:\Users\Admin\AppData\Local\Temp\bdbad4a8d5ce2537e5884dba7ad76cd1d2ec48a4d0055eca3fd465dbfe9e6ce6.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3640
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\BDBAD4~1.EXE > nul
      2⤵
        PID:4912
    • C:\Windows\Debug\gyehost.exe
      C:\Windows\Debug\gyehost.exe
      1⤵
      • Executes dropped EXE
      • Checks processor information in registry
      PID:4484

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Debug\gyehost.exe
      Filesize

      198KB

      MD5

      e6f917cb37ec5fc1bd28ec2cc36eef68

      SHA1

      2f0e0949e80479da8348f04341aee850a1d12edc

      SHA256

      663a4b6f32d16e55e2f30215188362caf95bfafab679ffee86011fc33f7e00b9

      SHA512

      b8d7e64bec00ff4eb20d577fb5eff41d34af409fbe6d1d4ecfc992514f893cd1acdea1afb58418ca6e3bf4b3f65d5a510ed61c7e9e6c74389d31a71a45a8788d

      Download Submit

    • C:\Windows\debug\gyehost.exe
      Filesize

      198KB

      MD5

      e6f917cb37ec5fc1bd28ec2cc36eef68

      SHA1

      2f0e0949e80479da8348f04341aee850a1d12edc

      SHA256

      663a4b6f32d16e55e2f30215188362caf95bfafab679ffee86011fc33f7e00b9

      SHA512

      b8d7e64bec00ff4eb20d577fb5eff41d34af409fbe6d1d4ecfc992514f893cd1acdea1afb58418ca6e3bf4b3f65d5a510ed61c7e9e6c74389d31a71a45a8788d

      Download Submit