Analysis

  • max time kernel
    81s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-12-2023 10:34

General

  • Target

    0835d81542acc50b9579f99eca83a64d.exe

  • Size

    430KB

  • MD5

    0835d81542acc50b9579f99eca83a64d

  • SHA1

    fc30d49e99f4be296d0feac5ef25bd3967b8161f

  • SHA256

    ad2526deb219d4c2707553763eb672e5839b685434e2970c93bfe6551d43e18a

  • SHA512

    f6f602009ddbd2b65ac69d6a05dd47167f96076f2cfcd3c87cd0951169be483bbda1848aa719a2f23c6de708e649665c5a5b0227edd71c4c5acfc4562efa1e63

  • SSDEEP

    12288:ibee0PGl89WazvzkmMxM+ltxQMAn0Iv1b70ZSf2R:2edGBazvZMHltxtIv1bUS+R

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0835d81542acc50b9579f99eca83a64d.exe
    "C:\Users\Admin\AppData\Local\Temp\0835d81542acc50b9579f99eca83a64d.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1308
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS1.vbs"
      2⤵
      PID:3836
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS1.vbs"
      2⤵
      PID:2320

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS1.vbs

    Filesize

    653B

    MD5

    cfb5a7a975ee090d9736850ddc3b03a7

    SHA1

    55d71f8280c9aeb276f2172a3c4fa2f3d2f39def

    SHA256

    599d0992f59d367afe406f79f194d5c13f299d9037c10eb23637dc4b4749f07e

    SHA512

    673d66c44cdfa1f899a6c360a46679c15cb11f65feb728559dc982163fa655029b5267d06f6cd2c8c3034598002d188e0367eb6631fc26b704136f9a8347c239

  • memory/1308-0-0x0000000000400000-0x0000000000575000-memory.dmp

    Filesize

    1.5MB

  • memory/1308-1-0x0000000000400000-0x0000000000575000-memory.dmp

    Filesize

    1.5MB

  • memory/1308-14-0x0000000000400000-0x0000000000575000-memory.dmp

    Filesize

    1.5MB