Overview

overview

7

Static

static

3

document1.exe

windows7-x64

7

document1.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    168s
  • max time network
    194s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/10/2023, 00:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    document1.exe

  • Size

    400.0MB

  • MD5

    910f1487d983f7852948765edb527952

  • SHA1

    481f0fd4ba70f3d8ff0aade90805ed1ecd8d9571

  • SHA256

    d104644bef2cb054832ca683d47b1a975a4cb82fde249c3f4afc0b36dff2e81a

  • SHA512

    5d2071d0652c53413d5ccb8d778fbbc7e73faa19ba7699c474cd684a5e39a0047fa3bbfbba08441e98a2e8c7818c11dd5f6efb7a119fa3d16301279829a1cc9a

  • SSDEEP

    12288:L1llcJM1rRhQTN64LOfJDHBMYyLOCxatsaR:L1llkMvSNzEZhMYSOCxa2G

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\document1.exe
    "C:\Users\Admin\AppData\Local\Temp\document1.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4564
    • C:\Users\Admin\AppData\Local\Temp\document1.exe
      "C:\Users\Admin\AppData\Local\Temp\document1.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1968
    • C:\Users\Admin\AppData\Local\Temp\RedLineClipperStub.exe
      "C:\Users\Admin\AppData\Local\Temp\RedLineClipperStub.exe"
      2⤵
      • Executes dropped EXE
      PID:1380
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3572
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        3⤵
        • Creates scheduled task(s)
        PID:4604
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
      2⤵
        PID:4112
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\document1.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        2⤵
          PID:4744
      • C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
        C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
        1⤵
        • Executes dropped EXE
        PID:1528

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RedLineClipperStub.exe
        Filesize

        76KB

        MD5

        6741d00c206f685140fd9cd0957aaaa8

        SHA1

        8e2da1453a6001aef807661db6940b1703846890

        SHA256

        8c21274f725299022fbf415925210da65702198913c4713dfe5dda09ceb2d38a

        SHA512

        9ea9656b2a54d7f3482d4625d52aa0c51e788ece799de5bb35e821efe138cce49e0d091e4ba683ef49d727d01ff9b912f58f5a96dac3f57441709318c364f527

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RedLineClipperStub.exe
        Filesize

        76KB

        MD5

        6741d00c206f685140fd9cd0957aaaa8

        SHA1

        8e2da1453a6001aef807661db6940b1703846890

        SHA256

        8c21274f725299022fbf415925210da65702198913c4713dfe5dda09ceb2d38a

        SHA512

        9ea9656b2a54d7f3482d4625d52aa0c51e788ece799de5bb35e821efe138cce49e0d091e4ba683ef49d727d01ff9b912f58f5a96dac3f57441709318c364f527

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RedLineClipperStub.exe
        Filesize

        76KB

        MD5

        6741d00c206f685140fd9cd0957aaaa8

        SHA1

        8e2da1453a6001aef807661db6940b1703846890

        SHA256

        8c21274f725299022fbf415925210da65702198913c4713dfe5dda09ceb2d38a

        SHA512

        9ea9656b2a54d7f3482d4625d52aa0c51e788ece799de5bb35e821efe138cce49e0d091e4ba683ef49d727d01ff9b912f58f5a96dac3f57441709318c364f527

        Download Submit

      • C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
        Filesize

        400.0MB

        MD5

        910f1487d983f7852948765edb527952

        SHA1

        481f0fd4ba70f3d8ff0aade90805ed1ecd8d9571

        SHA256

        d104644bef2cb054832ca683d47b1a975a4cb82fde249c3f4afc0b36dff2e81a

        SHA512

        5d2071d0652c53413d5ccb8d778fbbc7e73faa19ba7699c474cd684a5e39a0047fa3bbfbba08441e98a2e8c7818c11dd5f6efb7a119fa3d16301279829a1cc9a

        Download Submit

      • C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
        Filesize

        400.0MB

        MD5

        910f1487d983f7852948765edb527952

        SHA1

        481f0fd4ba70f3d8ff0aade90805ed1ecd8d9571

        SHA256

        d104644bef2cb054832ca683d47b1a975a4cb82fde249c3f4afc0b36dff2e81a

        SHA512

        5d2071d0652c53413d5ccb8d778fbbc7e73faa19ba7699c474cd684a5e39a0047fa3bbfbba08441e98a2e8c7818c11dd5f6efb7a119fa3d16301279829a1cc9a

        Download Submit

      • memory/1380-38-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1380-37-0x0000000075090000-0x0000000075840000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1380-28-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1380-26-0x0000000075090000-0x0000000075840000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1380-25-0x0000000000590000-0x00000000005A8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1528-44-0x0000000075090000-0x0000000075840000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1528-43-0x0000000075090000-0x0000000075840000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1968-7-0x0000000000400000-0x0000000000438000-memory.dmp

        Filesize

        224KB

        Download

      • memory/1968-33-0x0000000075090000-0x0000000075840000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1968-12-0x0000000005700000-0x0000000005710000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1968-11-0x0000000005710000-0x00000000057A2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/1968-9-0x0000000005660000-0x00000000056FC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/1968-10-0x0000000075090000-0x0000000075840000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1968-35-0x0000000006D60000-0x0000000006D78000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1968-34-0x0000000005700000-0x0000000005710000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1968-30-0x00000000069A0000-0x0000000006A06000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1968-13-0x00000000058A0000-0x00000000058AA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4564-0-0x0000000000860000-0x000000000092C000-memory.dmp

        Filesize

        816KB

        Download

      • memory/4564-27-0x0000000075090000-0x0000000075840000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4564-6-0x0000000001080000-0x00000000010CA000-memory.dmp

        Filesize

        296KB

        Download

      • memory/4564-5-0x00000000052A0000-0x00000000052B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4564-4-0x0000000075090000-0x0000000075840000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4564-3-0x00000000052A0000-0x00000000052B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4564-2-0x0000000005860000-0x0000000005E04000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4564-1-0x0000000075090000-0x0000000075840000-memory.dmp

        Filesize

        7.7MB

        Download