Overview

overview

7

Static

static

3

8503010b68...dc.exe

windows7-x64

7

8503010b68...dc.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    125s
  • max time network
    53s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231130-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/12/2023, 03:59

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    8503010b68d55bdebac7638d9f7924b5e23049992e57e0d29cd31679f3b0bedc.exe

  • Size

    2.2MB

  • MD5

    5efedeff0f59d9ba656ff89744495529

  • SHA1

    9142a2f38ea4f6fccb9e43aefcd9f548006c24a5

  • SHA256

    8503010b68d55bdebac7638d9f7924b5e23049992e57e0d29cd31679f3b0bedc

  • SHA512

    8122b278b3dfd9cb17a22b968827ce819faf97de5f595ca51f2dbc1af9308e85bcc0ed86e38b2210275f4078c9e81e36292c5336ffd9fc26046a7557d4cbfe90

  • SSDEEP

    49152:sBuZrEUZrn+SFIDuc6SKIy029s4C1eH9l:ykLZrn5FlIt29s4C1eH9l

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8503010b68d55bdebac7638d9f7924b5e23049992e57e0d29cd31679f3b0bedc.exe
    "C:\Users\Admin\AppData\Local\Temp\8503010b68d55bdebac7638d9f7924b5e23049992e57e0d29cd31679f3b0bedc.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4108
    • C:\Users\Admin\AppData\Local\Temp\is-58MR4.tmp\8503010b68d55bdebac7638d9f7924b5e23049992e57e0d29cd31679f3b0bedc.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-58MR4.tmp\8503010b68d55bdebac7638d9f7924b5e23049992e57e0d29cd31679f3b0bedc.tmp" /SL5="$60054,1464243,832512,C:\Users\Admin\AppData\Local\Temp\8503010b68d55bdebac7638d9f7924b5e23049992e57e0d29cd31679f3b0bedc.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4484
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c taskkill /f /t /im steam.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3900
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /t /im steam.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3160

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\is-58MR4.tmp\8503010b68d55bdebac7638d9f7924b5e23049992e57e0d29cd31679f3b0bedc.tmp
          Filesize

          57KB

          MD5

          f9587993982bc763643ee91627833a53

          SHA1

          1bf60b18923fc5023b22ab1371fa055d662ebf65

          SHA256

          3c7ada3f29a01093949e658e061e53d68c0d6be07c73395905513f3d3b8a191a

          SHA512

          72de128816d22196937b2ce0d539e5d39c9f9395268e0a66384804abf4394103703ba68b0890f77f3768d7f3691a27d21d88c6c152a1621f438a28f76b0c0baf

          Download Submit

        • memory/4108-0-0x0000000000400000-0x00000000004D8000-memory.dmp

          Filesize

          864KB

          Download

        • memory/4108-10-0x0000000000400000-0x00000000004D8000-memory.dmp

          Filesize

          864KB

          Download

        • memory/4484-5-0x0000000000D20000-0x0000000000D21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4484-8-0x0000000000400000-0x000000000071C000-memory.dmp

          Filesize

          3.1MB

          Download