Overview

overview

7

Static

static

3

c256204deb...45.exe

windows7-x64

7

c256204deb...45.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/11/2023, 03:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c256204deb01c77e21ba17b5e2411245.exe

  • Size

    1.5MB

  • MD5

    c256204deb01c77e21ba17b5e2411245

  • SHA1

    95ae7fb9f6710368e44a3c4e839d3d7bebbd4d5e

  • SHA256

    f594822a45b8561a9b7a2e2ecf17558a692b1a193cf231617ba1b222723ca3ab

  • SHA512

    f3e1f38c059ce56801382c6de631d7b90077fa77a2eb997906d2f6eef8dafe38ab041f023a11b27da41b87edb16484fb095e1053e4b01204412f3a586cd34c52

  • SSDEEP

    24576:2TbBv5rUyXVZJQCx441vcF3iE0npCoc1cQhWdB7in6D+6:IBJLQCvvcF3KpSu

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c256204deb01c77e21ba17b5e2411245.exe
    "C:\Users\Admin\AppData\Local\Temp\c256204deb01c77e21ba17b5e2411245.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:400
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\reviewruntimeMonitor\oYwPDBVe3AuHG3t6JLon5FNZVJrzPzwK1qz3t5qd93gftXcSil5zO.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1484
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\reviewruntimeMonitor\XfrEwTdqjpljDpai91jT4EKzapK.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1132
        • C:\reviewruntimeMonitor\BlockrefBrokerperf.exe
          "C:\reviewruntimeMonitor/BlockrefBrokerperf.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3012
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zI0L28MCkt.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4508
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:4724
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                  PID:1276

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Recovery\WindowsRE\SearchApp.exe
        Filesize

        1.2MB

        MD5

        295bf8d9b734730efa567c8da9918fe1

        SHA1

        09aabc018da124bd0ebe8e1043860015ac71aa34

        SHA256

        7b17102103af932a56eac5ea51f07a7926be23585d19b1cfe42215ce1a4fa3cc

        SHA512

        c816f7f53f5fb24eb7dcf31b8138e6717c881245d7cc2fbd53f5dc99977f8d1cef4d1afe8235b5ef0ee4397ce32a1a74720349b21d805a7f6ceac8bbc802a59c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\zI0L28MCkt.bat
        Filesize

        212B

        MD5

        c87e8ced6e4523968c90c727bd3ea378

        SHA1

        2af100b3d7f218714c7a3c69611e35c06b169742

        SHA256

        85fd5cd919573b624d67ba838a36d78664f759ed5a1c96e6ee4049e81edde6e1

        SHA512

        9a51757a0d1219b73363eb6834f94c849c980801bb7ba078abfa31c441ca2a6cdb926b191af232439a76d00d8a46aa98193ecbd11beea69a1670daa92f3f9e1e

        Download Submit

      • C:\reviewruntimeMonitor\BlockrefBrokerperf.exe
        Filesize

        1.2MB

        MD5

        295bf8d9b734730efa567c8da9918fe1

        SHA1

        09aabc018da124bd0ebe8e1043860015ac71aa34

        SHA256

        7b17102103af932a56eac5ea51f07a7926be23585d19b1cfe42215ce1a4fa3cc

        SHA512

        c816f7f53f5fb24eb7dcf31b8138e6717c881245d7cc2fbd53f5dc99977f8d1cef4d1afe8235b5ef0ee4397ce32a1a74720349b21d805a7f6ceac8bbc802a59c

        Download Submit

      • C:\reviewruntimeMonitor\BlockrefBrokerperf.exe
        Filesize

        1.2MB

        MD5

        295bf8d9b734730efa567c8da9918fe1

        SHA1

        09aabc018da124bd0ebe8e1043860015ac71aa34

        SHA256

        7b17102103af932a56eac5ea51f07a7926be23585d19b1cfe42215ce1a4fa3cc

        SHA512

        c816f7f53f5fb24eb7dcf31b8138e6717c881245d7cc2fbd53f5dc99977f8d1cef4d1afe8235b5ef0ee4397ce32a1a74720349b21d805a7f6ceac8bbc802a59c

        Download Submit

      • C:\reviewruntimeMonitor\XfrEwTdqjpljDpai91jT4EKzapK.bat
        Filesize

        90B

        MD5

        027418c1f52c54c2519a267460bf1214

        SHA1

        f8e2f6af10f7e8bf8a94daf8ea953e18637c52d6

        SHA256

        9b0becac125e51675754b4363a01cf1619854897aa2b72fce6ecd4bae074b286

        SHA512

        93baf1b964bf3219b45a08ff52eed669389e634b67e39fe8ac3eb913d86824074192794790802e2acba2b1e9119da4520a123584d43b9bea780bb5060711bf49

        Download Submit

      • C:\reviewruntimeMonitor\oYwPDBVe3AuHG3t6JLon5FNZVJrzPzwK1qz3t5qd93gftXcSil5zO.vbe
        Filesize

        226B

        MD5

        7d4bd2b9160e289aa7b92b5f13e5000f

        SHA1

        ff50208f3523239764f6397b1d19909f4e0c45a8

        SHA256

        ba473c76f44d3537addd866eb8b5e59cf3bac1776fba6e0131b69e914eb706c4

        SHA512

        a5cc9e9c40208e2243bbf35990fa143f02ee62b6ae7eb65d5a89d8994e60378acd497e71e76ae18709214871b91cefde18b38e7377be2aa750e053b8b69ec1c5

        Download Submit

      • memory/3012-36-0x00007FFF733F0000-0x00007FFF733F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3012-42-0x00007FFF55BC0000-0x00007FFF56681000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3012-18-0x00007FFF73450000-0x00007FFF73451000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3012-16-0x0000000001310000-0x000000000131E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3012-20-0x0000000002B10000-0x0000000002B2C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/3012-21-0x00007FFF73440000-0x00007FFF73441000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3012-22-0x000000001B6D0000-0x000000001B720000-memory.dmp

        Filesize

        320KB

        Download

      • memory/3012-25-0x0000000002B30000-0x0000000002B48000-memory.dmp

        Filesize

        96KB

        Download

      • memory/3012-23-0x00007FFF73430000-0x00007FFF73431000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3012-26-0x00007FFF73420000-0x00007FFF73421000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3012-28-0x0000000001320000-0x0000000001330000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3012-31-0x00007FFF73410000-0x00007FFF73411000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3012-30-0x0000000001330000-0x000000000133E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3012-33-0x0000000002CD0000-0x0000000002CE6000-memory.dmp

        Filesize

        88KB

        Download

      • memory/3012-34-0x00007FFF73400000-0x00007FFF73401000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3012-35-0x0000000001350000-0x0000000001360000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3012-14-0x0000000001350000-0x0000000001360000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3012-38-0x000000001B720000-0x000000001B732000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3012-39-0x000000001BC70000-0x000000001C198000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3012-17-0x00007FFF735A0000-0x00007FFF7365E000-memory.dmp

        Filesize

        760KB

        Download

      • memory/3012-41-0x0000000001340000-0x000000000134E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3012-43-0x00007FFF733E0000-0x00007FFF733E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3012-45-0x0000000002B90000-0x0000000002BA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3012-46-0x00007FFF733D0000-0x00007FFF733D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3012-47-0x0000000001350000-0x0000000001360000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3012-50-0x0000000002BA0000-0x0000000002BB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3012-49-0x00007FFF733C0000-0x00007FFF733C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3012-53-0x00007FFF735A0000-0x00007FFF7365E000-memory.dmp

        Filesize

        760KB

        Download

      • memory/3012-54-0x00007FFF733B0000-0x00007FFF733B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3012-52-0x0000000002BB0000-0x0000000002BBE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3012-56-0x000000001B760000-0x000000001B778000-memory.dmp

        Filesize

        96KB

        Download

      • memory/3012-57-0x00007FFF72FA0000-0x00007FFF72FA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3012-58-0x00007FFF72F90000-0x00007FFF72F91000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3012-60-0x000000001B740000-0x000000001B74C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/3012-13-0x00007FFF55BC0000-0x00007FFF56681000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3012-12-0x0000000000910000-0x0000000000A54000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/3012-77-0x00007FFF55BC0000-0x00007FFF56681000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3012-78-0x00007FFF735A0000-0x00007FFF7365E000-memory.dmp

        Filesize

        760KB

        Download