Analysis

  • max time kernel
    152s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
  • submitted
    24-12-2023 17:37

General

  • Target

    08c0d133a2544ebb66f863fe8070d232.exe

  • Size

    152KB

  • MD5

    08c0d133a2544ebb66f863fe8070d232

  • SHA1

    21031ea95166946c2d66b28d3f75b1c2fe657c1e

  • SHA256

    0471bf52c2102e0740cfe3dbd3c9066d86ed99b40348913c6465e5a276b01321

  • SHA512

    3676536fae141d1348cb084c84dbdb231e49d33b9d74b6e82cefdac622abc7d20e6e2eb180aa9ea5ba382b99a016efa89c6bb1ebbc1ae36219c50ac82fb26e9c

  • SSDEEP

    3072:V5EGBHCzwrCaHHvhtbz0wXtV2eZDEUXni7fo7KSif8xWM33r3k1jTCZU4oQZiEI6:sGxCzwrCW/0AHa8nuo7KSif8xWM33r3f

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 50 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\08c0d133a2544ebb66f863fe8070d232.exe
    "C:\Users\Admin\AppData\Local\Temp\08c0d133a2544ebb66f863fe8070d232.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Users\Admin\jeolu.exe
      "C:\Users\Admin\jeolu.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4612

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\jeolu.exe

    Filesize

    152KB

    MD5

    fe2fa9bc5beeae1d9bb9a822c9216f50

    SHA1

    847c959fa5184d9809dc70c61579663acdd5d08c

    SHA256

    dcc2f29578eecd4aa1db4a4d7e8895a1d6350b9feda0ae3ef7b03a2b0dd52823

    SHA512

    03bf593d786a2c9c4690df2ad1833dce93fea04b8a999139911cb32a445e129678ed7afa75196b1eec10ccf11aaf8cf9d68da57a3d122a97e6879d4435aece79