Overview

overview

7

Static

static

3

13e794bd09...d6.exe

windows7-x64

7

13e794bd09...d6.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/12/2023, 21:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    13e794bd094779cebd455a03ca744ed6.exe

  • Size

    1.9MB

  • MD5

    13e794bd094779cebd455a03ca744ed6

  • SHA1

    84cbee14c5e4f7a9a5cde993c737d7dcb294be27

  • SHA256

    71fa7d93cfb8dc84d792906e9b547dff02b8dccaf8a90f3f63f56f3fe058f809

  • SHA512

    ebef1f18d0e9a4d2c3717b96facd5f787621afc2895bc425ece55a2defe34af1e100328b31b094a566faf9987f32fbbf28332f7e8a76688d4cefbe9b2417afba

  • SSDEEP

    24576:NZAjphUYz2zEi5ZoFRw9hQtrda7mg3ksJ4vAzs58pxAW0BMfQ+3arWuvzzIny:XkjpFvwgwo+3arWNny

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\13e794bd094779cebd455a03ca744ed6.exe
    "C:\Users\Admin\AppData\Local\Temp\13e794bd094779cebd455a03ca744ed6.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3888
    • C:\Users\Admin\AppData\Local\Temp\~DP4AD5.exe
      "C:\Users\Admin\AppData\Local\Temp\~DP4AD5.exe"
      2⤵
      • Executes dropped EXE
      PID:696
    • C:\Users\Admin\AppData\Local\Temp\~DP49EA.exe
      "C:\Users\Admin\AppData\Local\Temp\~DP49EA.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:3352
      • C:\Windows\winlogon.exe
        C:\Windows\winlogon.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetWindowsHookEx
        PID:1272

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\~DP49EA.exe
    Filesize

    92KB

    MD5

    43594029a876dc14c57660916c1959ba

    SHA1

    d7b951a1d89093a43a7d1b671fa430f0f4520cbe

    SHA256

    4e60272d0dc5ebe6ac562b7b6884eae2c7fc68ea6f7224436bf96cff39b2de4e

    SHA512

    252d69e41345ca276ae08f79b34e14b22a07cfbbcfcf8ef255751b3ff347347aa1a8d7fcb8ab1a54ec2d726e865b051531ce141beba99f6a75da7e9875045635

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\~DP49EA.exe
    Filesize

    156KB

    MD5

    b6d86545f6d07c059edfcfbf6e7e2bb1

    SHA1

    7783341895cc24d1e29a9a0f12bf0c8551a4d790

    SHA256

    85fa635c3b491e8fdd69eec199dd99cfe1f0a8309b21d0ff528b8ab172062cf1

    SHA512

    0406daf1f7f1e0bd74b27aae5a13095af43da91c7c827b367059c456dd8d6c30f27604abd4c8dcbc1164706ecbef47b73eb9f2bd0708ad4035957535636cf9ce

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\~DP4AD5.exe
    Filesize

    96KB

    MD5

    0ea8cb733d77a226513eab550a1c48af

    SHA1

    2375692bcaf10babb427ab840d312e26bd4f5286

    SHA256

    09ffcbf7bf6ec9d9ba598e8827f01ce34dd942da3280bf06c65b512277e3b019

    SHA512

    7feb4a42c8b20c49e6b013d720b0479f3466d6a17d994b1e91ba2b6d118f70aa74121a54a137634976e44ab110af3355284cb04e0e13a06776f5b564e8499816

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\~DP4AD5.exe
    Filesize

    93KB

    MD5

    990f76250eb7c44272018cbf57fa714c

    SHA1

    1d3cc97e30967003d03273b9f5908b15700af504

    SHA256

    0545a5ee497e8de5eaa080fa7282cb3627d370de1abe003cac767377d7ba0a7a

    SHA512

    90a94248d63e88e99a8cbd13188b0d332c182d9cf7fe56215276f79079c2bcc07b6b6e334b5475e560dfc399b4eeb83b088d2d791beaab424146fb0711e6e52e

    Download Submit

  • memory/1272-26-0x0000000000400000-0x0000000000463000-memory.dmp

    Filesize

    396KB

    Download

  • memory/3352-11-0x0000000000400000-0x0000000000463000-memory.dmp

    Filesize

    396KB

    Download

  • memory/3352-25-0x0000000000400000-0x0000000000463000-memory.dmp

    Filesize

    396KB

    Download

  • memory/3888-19-0x0000000000400000-0x00000000005F7000-memory.dmp

    Filesize

    2.0MB

    Download