9d1505dd645ce4119fd13d80007e3dfa58f08d0bd9feea8b8cf6414aed7790fd

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5afab45c5e16f92e45e0a4eb707d895.exe
Size

430KB
MD5

c5afab45c5e16f92e45e0a4eb707d895
SHA1

4e0062ed64f5b9e5e7a6a487357816c823b6abe4
SHA256

9d1505dd645ce4119fd13d80007e3dfa58f08d0bd9feea8b8cf6414aed7790fd
SHA512

96b6e7e9c3d6d3d289b1b2e12e79fe38631589c9d41455b0ea00adf9f7ce06387d011cd65bd22d2e97f52df687f4b8cd7f3266b600582809af11b844d64e1fc6
SSDEEP

12288:ibee0PGl89WazvzkmMxM+ltxQMAn0Iv1b70ZSf2u:2edGBazvZMHltxtIv1bUS+u

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	c5afab45c5e16f92e45e0a4eb707d895.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Winder.lnk	c5afab45c5e16f92e45e0a4eb707d895.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\c5afab45c5e16f92e45e0a4eb707d895.exe = "C:\\System32\\c5afab45c5e16f92e45e0a4eb707d895.exe"	c5afab45c5e16f92e45e0a4eb707d895.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	c5afab45c5e16f92e45e0a4eb707d895.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4768	c5afab45c5e16f92e45e0a4eb707d895.exe
4768	c5afab45c5e16f92e45e0a4eb707d895.exe
4768	c5afab45c5e16f92e45e0a4eb707d895.exe
4768	c5afab45c5e16f92e45e0a4eb707d895.exe
4768	c5afab45c5e16f92e45e0a4eb707d895.exe
4768	c5afab45c5e16f92e45e0a4eb707d895.exe
4768	c5afab45c5e16f92e45e0a4eb707d895.exe
4768	c5afab45c5e16f92e45e0a4eb707d895.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4768	c5afab45c5e16f92e45e0a4eb707d895.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4768	c5afab45c5e16f92e45e0a4eb707d895.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4768	c5afab45c5e16f92e45e0a4eb707d895.exe
4768	c5afab45c5e16f92e45e0a4eb707d895.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 4360	4768	c5afab45c5e16f92e45e0a4eb707d895.exe	91
PID 4768 wrote to memory of 4360	4768	c5afab45c5e16f92e45e0a4eb707d895.exe	91
PID 4768 wrote to memory of 4360	4768	c5afab45c5e16f92e45e0a4eb707d895.exe	91

C:\Users\Admin\AppData\Local\Temp\c5afab45c5e16f92e45e0a4eb707d895.exe
"C:\Users\Admin\AppData\Local\Temp\c5afab45c5e16f92e45e0a4eb707d895.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS1.vbs"
  2⤵
  PID:4360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS1.vbs

Filesize
653B

MD5
48f326ff09d339aa7098aecf29e833c6

SHA1
332956e4ca9fc34cd915ebd060776b6b389ef8f1

SHA256
acf286e53c5db504461413620cfb21bafe61154489c9b602125f387c86263543

SHA512
5cb4b51d3b40082c1b704618deef994c3576ff363e94dc4cf3cd18c0c60ed5b9dbac770a044c20c2a98c973702231709297bd1ad6ed3fcb74134c847921cf1e3

Download Submit
memory/4768-0-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/4768-1-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/4768-12-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download