Analysis
-
max time kernel
144s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
22-12-2023 09:13
Static task
static1
Behavioral task
behavioral1
Sample
8064cb2d6272e464ae5962292422152c.exe
Resource
win7-20231215-en
General
-
Target
8064cb2d6272e464ae5962292422152c.exe
-
Size
349KB
-
MD5
8064cb2d6272e464ae5962292422152c
-
SHA1
47bad41a2192dc9392e70ce8118d4028b79655fb
-
SHA256
282d2563e428a52e763353b3f2155984f9e0f483d6386300822f8da86f023750
-
SHA512
e2eff22eec6dd9e3aa41d338d0cde642c975c0ee2dfa46f4fe6c9b480306d3ad7af5b87d4758c66877a79e4d6df7c95323d953bf8a8e42078c5c2bab5237de88
-
SSDEEP
6144:48IFCVf+vT9N2g/f4+HYVFn9u53jU4A8llwr9sEpDQC0Ta+:jVWvZcg/N+ni3jUUlwtpD90Ta
Malware Config
Extracted
gootkit
163
api.gallantlystreaming.org
asapgetnode.club
pop3.verihostname.work
-
vendor_id
163
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation 8064cb2d6272e464ae5962292422152c.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4072 wrote to memory of 212 4072 8064cb2d6272e464ae5962292422152c.exe 92 PID 4072 wrote to memory of 212 4072 8064cb2d6272e464ae5962292422152c.exe 92 PID 4072 wrote to memory of 212 4072 8064cb2d6272e464ae5962292422152c.exe 92 PID 212 wrote to memory of 5096 212 cmd.exe 94 PID 212 wrote to memory of 5096 212 cmd.exe 94 PID 212 wrote to memory of 5096 212 cmd.exe 94 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 5096 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8064cb2d6272e464ae5962292422152c.exe"C:\Users\Admin\AppData\Local\Temp\8064cb2d6272e464ae5962292422152c.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240622500.bat" "C:\Users\Admin\AppData\Local\Temp\8064cb2d6272e464ae5962292422152c.exe""2⤵
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Windows\SysWOW64\attrib.exeattrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\8064cb2d6272e464ae5962292422152c.exe"3⤵
- Views/modifies file attributes
PID:5096
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
76B
MD587feb5f39f1124cf814c8c3a3c6950b3
SHA183487372b3cea4b18abdac260b85f69c0444ec59
SHA256b6097138995a0b358c605b5df56d47e628ce2cab948280e16d93e82a5aa97f40
SHA51212ff12733c811258f704ab79ff62f5f84d1bc36f31b72646f991ad11255ae7f1ecd9791a1ef754691df9337d8c64dc6ab24905061a13f44ded88b76812a11e17