Analysis
-
max time kernel
127s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20231025-en -
resource tags
-
submitted
12/11/2023, 08:55
General
-
Target
e0556c1454a4ab35dcd016945376fc43f8fc1555ef99985014c38c7ac9247866.exe
-
Size
1.5MB
-
MD5
14b767301d26dd2dc9d507b8aeaa4841
-
SHA1
32054ef0212186497a6fe936faeb992b03446a48
-
SHA256
e0556c1454a4ab35dcd016945376fc43f8fc1555ef99985014c38c7ac9247866
-
SHA512
3a6f84eddae25fd82dd7cd1f905fbd5a73f70e40f1c0127a67e723b48167b17cf1618996b2c63f81bfe5ac2ad494d634b2dada1ea1c58f4823ea44a87131371d
-
SSDEEP
24576:DUFHwm4CtRmio7XmKFID/kZECDx00Nltv/LQ57bJs8yqJsJk:DcwMmiwmQITiECLtvDQBbCqJA
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 1 IoCs
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e0556c1454a4ab35dcd016945376fc43f8fc1555ef99985014c38c7ac9247866.exe"C:\Users\Admin\AppData\Local\Temp\e0556c1454a4ab35dcd016945376fc43f8fc1555ef99985014c38c7ac9247866.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.exeC:\Windows\svchost.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\434.vbs"3⤵
-
-
-
C:\Program Files (x86)\Microsoft Oeuqie\svchost.exe"C:\Program Files (x86)\Microsoft Oeuqie\svchost.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Oeuqie\svchost.exe"C:\Program Files (x86)\Microsoft Oeuqie\svchost.exe" Win72⤵
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
-
-
C:\Program Files (x86)\Microsoft Oeuqie\svchost.exe"C:\Program Files (x86)\Microsoft Oeuqie\svchost.exe" Win72⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 3922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3192 -ip 31921⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
500B
MD550a08ac434f85249aeb4480f11d0b174
SHA13785e37a0702a74bd9752169c0395807a744a1b5
SHA2567cb5b0b029f00d79c0262941520b54391f838f91fdba887d220e984f0572b382
SHA512c42bf506e43c57961d2962a2d7ecf14a713a685d806086d8e4c9764eadb18ab12749eb19621b389a17bee6acd22ad4f6ab3ad4efa1d511e241512fafd5af4049
-
Filesize
68KB
MD55395328696453d78c565bfd81e8d3f99
SHA13c1c265e277d47af7ad7ace0ba45d682bd0f24e3
SHA256b005ced9ff2c6c997a693064132b6567282c9dc440968020a880a4a193fc5b92
SHA51269c02ac7cfb7e4f27436aeba637e78b1be58d1bf2a1d3643afb8c443a348c444dd6f0e44ea6a2c795eae21e93315a34f6cd07f986fc57b2e2289d917076a825e
-
Filesize
68KB
MD55395328696453d78c565bfd81e8d3f99
SHA13c1c265e277d47af7ad7ace0ba45d682bd0f24e3
SHA256b005ced9ff2c6c997a693064132b6567282c9dc440968020a880a4a193fc5b92
SHA51269c02ac7cfb7e4f27436aeba637e78b1be58d1bf2a1d3643afb8c443a348c444dd6f0e44ea6a2c795eae21e93315a34f6cd07f986fc57b2e2289d917076a825e
-
Filesize
68KB
MD55395328696453d78c565bfd81e8d3f99
SHA13c1c265e277d47af7ad7ace0ba45d682bd0f24e3
SHA256b005ced9ff2c6c997a693064132b6567282c9dc440968020a880a4a193fc5b92
SHA51269c02ac7cfb7e4f27436aeba637e78b1be58d1bf2a1d3643afb8c443a348c444dd6f0e44ea6a2c795eae21e93315a34f6cd07f986fc57b2e2289d917076a825e
-
Filesize
68KB
MD55395328696453d78c565bfd81e8d3f99
SHA13c1c265e277d47af7ad7ace0ba45d682bd0f24e3
SHA256b005ced9ff2c6c997a693064132b6567282c9dc440968020a880a4a193fc5b92
SHA51269c02ac7cfb7e4f27436aeba637e78b1be58d1bf2a1d3643afb8c443a348c444dd6f0e44ea6a2c795eae21e93315a34f6cd07f986fc57b2e2289d917076a825e
-
Filesize
832KB
MD546eb6c37460b1a9115edd9d6b1c279a6
SHA16c43291fdb934f9e9424c8ecde8d1a554ee3735b
SHA25617ef93e0f8f09b9b97ceb9deaac145011669e64f768e184e17db345a128895d7
SHA512a381f26deed1e5aa2217939fc37f3467bd4eb850310973978cf8d5d23cf41071856ef98fcc12b9541a521b1ed1266cc1516bacbf61c164a752b993a8024ad18b
-
Filesize
68KB
MD55395328696453d78c565bfd81e8d3f99
SHA13c1c265e277d47af7ad7ace0ba45d682bd0f24e3
SHA256b005ced9ff2c6c997a693064132b6567282c9dc440968020a880a4a193fc5b92
SHA51269c02ac7cfb7e4f27436aeba637e78b1be58d1bf2a1d3643afb8c443a348c444dd6f0e44ea6a2c795eae21e93315a34f6cd07f986fc57b2e2289d917076a825e
-
Filesize
68KB
MD55395328696453d78c565bfd81e8d3f99
SHA13c1c265e277d47af7ad7ace0ba45d682bd0f24e3
SHA256b005ced9ff2c6c997a693064132b6567282c9dc440968020a880a4a193fc5b92
SHA51269c02ac7cfb7e4f27436aeba637e78b1be58d1bf2a1d3643afb8c443a348c444dd6f0e44ea6a2c795eae21e93315a34f6cd07f986fc57b2e2289d917076a825e