Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-12-2023 13:54

General

  • Target

    b144fa996dfbdb305cc673fecd8e806f.exe

  • Size

    63KB

  • MD5

    b144fa996dfbdb305cc673fecd8e806f

  • SHA1

    d97c8939bed314bde89ccdd552ccb728148a10bd

  • SHA256

    7819c6af1b36870d15b4b954936837b5c5a8ba57ebdee462772bd6fb9f66afc9

  • SHA512

    72a8e177bc926143482556cb3c0b35a98436279daf98753ba80da52361e1480644006f318b821d2497492a3d803faf3520e551405bfb9db4c3283b8c1f1d7759

  • SSDEEP

    1536:JJl0x2vMziE9caRZglZSP+QIOPnToIfwEFy:JJa0vM+la0iP+GfTBfwEFy

Score
7/10

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b144fa996dfbdb305cc673fecd8e806f.exe
    "C:\Users\Admin\AppData\Local\Temp\b144fa996dfbdb305cc673fecd8e806f.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2816
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1\68AD.bat C:\Users\Admin\AppData\Local\Temp\b144fa996dfbdb305cc673fecd8e806f.exe"
      2⤵
      • Enumerates connected drives
      • Suspicious use of WriteProcessMemory
      PID:704
  • C:\Windows\system32\Robocopy.exe
    Robocopy C:\users\Admin\Desktop L:\Admin\Desktop /MIR /FFT /Z /XA:SH /W:5 /XJ /Xf *.jpg *.png *.mp3 *.mp4 *.exe *.avi *.mkv *.mov *.wma *.wmv *.flv *.mpg *.divx *.wave *.m4a *.swf *.dov *.app *.bat *.com *.jar *.wsf *.iso *.dmg *.bin *.mdf *.bcd *.bak *.tmp
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3488
  • C:\Windows\system32\Robocopy.exe
    Robocopy C:\users\Admin\Documents L:\Admin\Documents /MIR /FFT /Z /XA:SH /W:5 /XJ /Xf *.jpg *.png *.mp3 *.mp4 *.exe *.avi *.mkv *.mov *.wma *.wmv *.flv *.mpg *.divx *.wave *.m4a *.swf *.dov *.app *.bat *.com *.jar *.wsf *.iso *.dmg *.bin *.mdf *.bcd *.bak *.tmp
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2516

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1\68AD.bat

    Filesize

    689B

    MD5

    cbe07fa128cc33463cca9926ea3cd5cf

    SHA1

    22376f5b9cc408937418546e4005a7cc0f5dd8a7

    SHA256

    a21fa4e242ecfdecfd30189504ea030045e054faec2aba32cf2eb87649c56f8f

    SHA512

    b7f2f35f6710ab41cbb3f5ecc858371f1a6acb03139f97b8daf7f829391236283d2eb85c1cf376cd6ce5747e19f4676f8aca08cf6bdabe9763388400fe06b2de