Analysis
-
max time kernel
147s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
24/12/2023, 19:32
General
-
Target
0dbbbfda3be63153770863cc8ee46759.exe
-
Size
70KB
-
MD5
0dbbbfda3be63153770863cc8ee46759
-
SHA1
db3f259ae39428b221b73714313c5b1552c4bd6b
-
SHA256
f01e8bc34f521a846f58072c86f22eb920e4389244fa7eccae973b2bdc5781aa
-
SHA512
42f1e1aa6ba81de25eb5c8e8967fc4e90990ba34eae9a763e042a965fc6204cb78202b4f27dfa30557b23d4a12625c2fe4e21006845983e66f50085d0f7e3ef7
-
SSDEEP
1536:oRyTmpjkbXzcY9gXKpremrCIsZJ1EZ62lXbO3dRTBsl6+:czp8j0cremGIG/2lC3NM6+
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
UPX packed file 8 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0dbbbfda3be63153770863cc8ee46759.exe"C:\Users\Admin\AppData\Local\Temp\0dbbbfda3be63153770863cc8ee46759.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\0dbbbfda3be63153770863cc8ee46759.exeC:\Users\Admin\AppData\Local\Temp\0dbbbfda3be63153770863cc8ee46759.exe2⤵
- Modifies firewall policy service
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\msnl.exe"C:\Users\Public\msnl.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\msnl.exeC:\Users\Public\msnl.exe4⤵
- Executes dropped EXE
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5178534346465bb809abf9e95858962d4
SHA13dce3b5f28b4062c6528bc405ec1ed8da2049d41
SHA25646ee619fd612990d6e138d1469722ca9d73818353de0e6811e5dab426aaf17c0
SHA512ceb594807292f1d084b0827bca7cc4c00c09d281e976183cb923d814ff76ac1828d982dc79521c1b2284591b3c0e834df87b264c154461253f515e31a143eb3e
-
Filesize
53KB
MD59603360df2065bd8e5345f8e32544d6c
SHA196281e7f6d4e2fb58bedbb40288739ca6b3a2a7c
SHA256a87015b4957903e1832dea6f734085da56528fab043e15b2c626c04ce35ac79f
SHA51294ef2b63908894bac09d50e787e4e8bf67e577a95a63614b9af68fa76b131c86b010c18fd2f162a9948885d8ce6e577bf7987909231bbe34544fe1ff10a93be6
-
Filesize
41KB
MD53eeed41a748e6c760f7f72e06c4d4d1a
SHA158abe8292ca8a094b5a7b5684cf0892f03678849
SHA2568d21eb596955042c3d09af8ade55ab3fb57bb4f2b2cbcc066120fa3e4835bba6
SHA5124715806468351120c192cab496cb529f9a83f2490644ea322b2631cc54055fcc65e0e71cd0a67d5f1778f1576d303fda7cb4791fbf4014e17176931c7f19cdbf
-
Filesize
70KB
MD50dbbbfda3be63153770863cc8ee46759
SHA1db3f259ae39428b221b73714313c5b1552c4bd6b
SHA256f01e8bc34f521a846f58072c86f22eb920e4389244fa7eccae973b2bdc5781aa
SHA51242f1e1aa6ba81de25eb5c8e8967fc4e90990ba34eae9a763e042a965fc6204cb78202b4f27dfa30557b23d4a12625c2fe4e21006845983e66f50085d0f7e3ef7
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
804KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
92KB
-
Filesize
92KB