Overview

overview

7

Static

static

3

601d9666a7...70.exe

windows7-x64

7

601d9666a7...70.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-10-2023 02:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    601d9666a7ffabf13dddab2945f011aea2f67357a9fc3aff66e19653f0c75970.exe

  • Size

    200KB

  • MD5

    774a9e511f4f5ff4a5635622b69a8667

  • SHA1

    fa3d25ed357d7f3865c8e30d4024d1c0ba2ad6df

  • SHA256

    601d9666a7ffabf13dddab2945f011aea2f67357a9fc3aff66e19653f0c75970

  • SHA512

    e37cddb79e7dca086f126446d59be79fbbd3c38e0ecfc14d7e4c57ede19e51deaa06a48025c890f37a1645f7db87ab332d969d8520f5ad89e631c87b20d6ca66

  • SSDEEP

    6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCO6:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXf

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\601d9666a7ffabf13dddab2945f011aea2f67357a9fc3aff66e19653f0c75970.exe
    "C:\Users\Admin\AppData\Local\Temp\601d9666a7ffabf13dddab2945f011aea2f67357a9fc3aff66e19653f0c75970.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1476
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\601D96~1.EXE > nul
      2⤵
        PID:1392
    • C:\Windows\Debug\guehost.exe
      C:\Windows\Debug\guehost.exe
      1⤵
      • Executes dropped EXE
      • Checks processor information in registry
      PID:1792

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Debug\guehost.exe
      Filesize

      200KB

      MD5

      a903caeb2278e54c6e568754abbb151d

      SHA1

      39591964dfe44ac48364cc4b6d2c8e1d25d67fac

      SHA256

      8d1a58f599883a316fe4aee16b734a57c9d76e7c6da11596a4864967453bee16

      SHA512

      d352b300ccb58559a121d6e56aba3b42e0c4f9ea5c05dee615fe3a650673c5725abedad9b3626f4db45cbf5c6761a2de3430aaff66b0361900b6774acd6e4923

      Download Submit

    • C:\Windows\debug\guehost.exe
      Filesize

      200KB

      MD5

      a903caeb2278e54c6e568754abbb151d

      SHA1

      39591964dfe44ac48364cc4b6d2c8e1d25d67fac

      SHA256

      8d1a58f599883a316fe4aee16b734a57c9d76e7c6da11596a4864967453bee16

      SHA512

      d352b300ccb58559a121d6e56aba3b42e0c4f9ea5c05dee615fe3a650673c5725abedad9b3626f4db45cbf5c6761a2de3430aaff66b0361900b6774acd6e4923

      Download Submit