Analysis

  • max time kernel
    144s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/11/2023, 20:57

General

  • Target

    3f3c744e29498ddc8586595a7751b4a04406da2a5dd964756aeb1c5c37df0f4f.exe

  • Size

    194KB

  • MD5

    d0ac2224fdca9099d141574a72f79688

  • SHA1

    9f02ebe924e7d02426fb876a7b2fbd54e1ec1047

  • SHA256

    3f3c744e29498ddc8586595a7751b4a04406da2a5dd964756aeb1c5c37df0f4f

  • SHA512

    dbeddf33beab9eda7668e705ef89eb8518ab962f81f5011f52dd2ce89028bf6acb8c634c72ed221340c8c2277ad76ab4aacc45b62673b7cb876af8e7cea56da0

  • SSDEEP

    6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOE:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXZ

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3f3c744e29498ddc8586595a7751b4a04406da2a5dd964756aeb1c5c37df0f4f.exe
    "C:\Users\Admin\AppData\Local\Temp\3f3c744e29498ddc8586595a7751b4a04406da2a5dd964756aeb1c5c37df0f4f.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4368
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\3F3C74~1.EXE > nul
      2⤵
        PID:4536
    • C:\Windows\Debug\wmahost.exe
      C:\Windows\Debug\wmahost.exe
      1⤵
      • Executes dropped EXE
      • Checks processor information in registry
      PID:3392
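
The process tree above shows three behaviours worth turning into detections: the dropper spawning cmd.exe to delete its own image (by the 8.3 short name 3F3C74~1.EXE, so an exact path comparison against the parent image misses it), a second stage executing out of C:\Windows\Debug, and a dropped file with a known hash. The Python below is an added example written for this page, not sandbox output or code from the sample. The events it runs over are constructed by hand to mirror the tree using Sysmon Event ID 1 style field names; the parent PID of the dropper and of wmahost.exe are assumptions, since the report does not record them.

```python
"""Detection logic for the dropper behaviour in the process tree above.

Added example, not sandbox output: the events in sample_events() are constructed
to mirror the report's tree (PIDs 4368, 4536, 3392). Paths and hashes come from
the report; parent PIDs marked below are assumptions.
"""
import re
from dataclasses import dataclass

# SHA256 of the dropped C:\Windows\Debug\wmahost.exe (from the Downloads section).
WMAHOST_SHA256 = "efc9f3b353a57fc676a563bc30ad7086959868074b498b80302074c73ab627fe"

# cmd.exe /c del <path under %LOCALAPPDATA%\Temp> > nul : a dropper removing itself.
SELF_DELETE_RE = re.compile(
    r'cmd(?:\.exe)?"?\s+/c\s+del\s+.*\\AppData\\Local\\Temp\\.*>\s*nul', re.IGNORECASE)

# Executables running from C:\Windows\Debug, a directory legitimate software rarely uses.
WINDOWS_DEBUG_RE = re.compile(r'^[a-z]:\\windows\\debug\\[^\\]+\.exe$', re.IGNORECASE)

# First argument of the del command (after "del" and any /switches).
DEL_TARGET_RE = re.compile(r'\bdel\s+(?:/\w+\s+)*"?([^\s">]+)', re.IGNORECASE)


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    command_line: str
    sha256: str = ""


def deletes_parent_image(child: ProcessEvent, parent: ProcessEvent) -> bool:
    """True if the child's 'del' target names the parent's own executable.

    The report shows the dropper deleting 3F3C74~1.EXE, the 8.3 short name of its
    long file name. Short names are built from the first six characters of the
    stem, a tilde and a number, and up to three characters of the extension, so
    that form is accepted alongside an exact (case-insensitive) name match.
    """
    m = DEL_TARGET_RE.search(child.command_line)
    if not m:
        return False
    target = m.group(1).rsplit("\\", 1)[-1].lower()
    parent_name = parent.image.rsplit("\\", 1)[-1].lower()
    if target == parent_name:
        return True
    stem, _, ext = parent_name.rpartition(".")
    if not stem:  # parent name had no extension
        stem, ext = ext, ""
    short_form = re.escape(stem[:6]) + r"~\d+" + (r"\." + re.escape(ext[:3]) if ext else "")
    return re.fullmatch(short_form, target) is not None


def detect(events):
    """Run the rules over a list of ProcessEvent; returns (pid, rule_name) pairs."""
    by_pid = {ev.pid: ev for ev in events}
    findings = []
    for ev in events:
        if SELF_DELETE_RE.search(ev.command_line):
            findings.append((ev.pid, "self_delete_via_cmd"))
            parent = by_pid.get(ev.ppid)
            if parent is not None and deletes_parent_image(ev, parent):
                findings.append((ev.pid, "deletes_parent_image"))
        if WINDOWS_DEBUG_RE.match(ev.image):
            findings.append((ev.pid, "exec_from_windows_debug"))
        if ev.sha256.lower() == WMAHOST_SHA256:
            findings.append((ev.pid, "known_dropped_payload"))
    return findings


DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\3f3c744e29498ddc8586595a7751b4a04406da2a5dd964756aeb1c5c37df0f4f.exe")


def sample_events():
    """Constructed events mirroring the report's process tree (not sandbox output)."""
    return [
        # Parent PID 1000 is an assumption; the report does not record the dropper's parent.
        ProcessEvent(4368, 1000, DROPPER, f'"{DROPPER}"',
                     sha256="3f3c744e29498ddc8586595a7751b4a04406da2a5dd964756aeb1c5c37df0f4f"),
        ProcessEvent(4536, 4368, r"C:\Windows\SysWOW64\cmd.exe",
                     r'"C:\Windows\system32\cmd.exe" /c del '
                     r"C:\Users\Admin\AppData\Local\Temp\3F3C74~1.EXE > nul"),
        # wmahost.exe sits at the top level of the tree; parent not recorded, so ppid 0 (assumption).
        ProcessEvent(3392, 0, r"C:\Windows\Debug\wmahost.exe", r"C:\Windows\Debug\wmahost.exe",
                     sha256=WMAHOST_SHA256),
    ]


if __name__ == "__main__":
    for pid, rule in detect(sample_events()):
        print(f"PID {pid}: {rule}")
```

The hash rule is the narrowest: it catches this exact dropped file and nothing else. The two behavioural rules are what survive a rebuild of the sample; the short-name handling matters because Windows still generates 8.3 aliases on system volumes by default, and malware that deletes itself through cmd.exe frequently receives that alias via the %0 or GetModuleFileName path rather than the long name.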

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Debug\wmahost.exe

    Filesize

    194KB

    MD5

    b0880187568cd2b6764cf894a88354dc

    SHA1

    46233e364e79f6ac87b59667b104bdf589c4932e

    SHA256

    efc9f3b353a57fc676a563bc30ad7086959868074b498b80302074c73ab627fe

    SHA512

    449137bf776622fe5d6f18f38a0103dc868637138db046bc8c49f02182e8382969f443ad2d6d7f8e25a9c68b22ee3b841d20e0e9fd6dfe2ad7323a3b00b4215c
