2c91c131bf090a6978721dc535ff4b2c1f9b49b5b4aa4c20e161c86324760094

Analysis

max time kernel
179s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40a99fcd54998638cca09589bf846379.exe
Size

293KB
MD5

40a99fcd54998638cca09589bf846379
SHA1

ea1359822eac61743fe49921108640f4759d5edd
SHA256

2c91c131bf090a6978721dc535ff4b2c1f9b49b5b4aa4c20e161c86324760094
SHA512

38f6e342531ec336f8a1a915bcad296925cd480c4d2198c15889559e3ad10582ce9fd04ffd7b8ea40d07e2aafeb71f718c3f6f1ea795ddee1a96b73cc142c55f
SSDEEP

6144:b1dlZro5yjAu4bPqY7SatcqUVKnIKnh8yyge1s+s:b1dlZo5y817jW/hGe1s+s

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	40a99fcd54998638cca09589bf846379.exe

Executes dropped EXE 1 IoCs

pid	Process
4808	11.scr

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\0569920227.bmp	40a99fcd54998638cca09589bf846379.exe
File opened for modification	C:\Program Files\@3=A1<@3=A3=A3=A5@C6AD7BE:DH<GJ<GJ=HK?JN?JN?JN?JN?JN>IL=GM=GM=GM=GM=GM<FL1<A",2	40a99fcd54998638cca09589bf846379.exe
File created	C:\Program Files\11.scr	40a99fcd54998638cca09589bf846379.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1592	4808	WerFault.exe	96

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings	40a99fcd54998638cca09589bf846379.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\@3=A1<@3=A3=A3=A5@C6AD7BE:DH<GJ<GJ=HK?JN?JN?JN?JN?JN>IL=GM=GM=GM=GM=GM<FL1<A",2	40a99fcd54998638cca09589bf846379.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2604	mspaint.exe
2604	mspaint.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2604	mspaint.exe
2604	mspaint.exe
2604	mspaint.exe
2604	mspaint.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 4808	1544	40a99fcd54998638cca09589bf846379.exe	96
PID 1544 wrote to memory of 4808	1544	40a99fcd54998638cca09589bf846379.exe	96
PID 1544 wrote to memory of 4808	1544	40a99fcd54998638cca09589bf846379.exe	96
PID 1544 wrote to memory of 2604	1544	40a99fcd54998638cca09589bf846379.exe	98
PID 1544 wrote to memory of 2604	1544	40a99fcd54998638cca09589bf846379.exe	98
PID 1544 wrote to memory of 2604	1544	40a99fcd54998638cca09589bf846379.exe	98

C:\Users\Admin\AppData\Local\Temp\40a99fcd54998638cca09589bf846379.exe
"C:\Users\Admin\AppData\Local\Temp\40a99fcd54998638cca09589bf846379.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Program Files\11.scr
  "C:\Program Files\11.scr" /S
  2⤵
  - Executes dropped EXE
  PID:4808
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 268
    3⤵
    - Program crash
    PID:1592
- C:\Windows\SysWOW64\mspaint.exe
  "C:\Windows\system32\mspaint.exe" "C:\Program Files\0569920227.bmp"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4808 -ip 4808
1⤵
PID:1208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\0569920227.bmp

Filesize
57KB

MD5
b3e9f9f23d0567fcd8a0294d4862cf6b

SHA1
ef822a15c291383dd0e2a689132f6bbbd0cde4f4

SHA256
ebcdd8b2d5d5f8fc13a2b6ec40ce53e5c7ba8e105e2a98354e7813ce829f72a2

SHA512
5cc0c954eb40d58e2aded6b93c4ebf020dc6b67bb12ef0cd0a0add6134144f2de34e34fb3a605bdec0e38cc0d795b80f6903355e263484919b1a39da60008b4a

Download Submit
C:\Program Files\0569920227.bmp

Filesize
110B

MD5
b5a6d0d70789fcb37538434983411330

SHA1
0eb892c604f8c626a2f8bac3b251b31ed78c4e8f

SHA256
09fc7a595347c23a163567260ba4ae8f6e2c38744fc2ee4e0d5741cfdab3cd10

SHA512
c5357db5bd0ac99cf4b6b451e1df718403c889faea57cdc97362fd3b841d4f733305f8783b5b82ffcb6b2732149e593fbabc0795800e8736bfe4dbcc9d036b62

Download Submit
C:\Program Files\11.scr

Filesize
31KB

MD5
4e3bcca6a0cb488d7c9d82132bb66b9a

SHA1
7e13babe6b0e65bb05877f516d3fe1851c0c55fc

SHA256
64b95a1c61894a87a2d960e3bfaaff6069bddb1a4d0e0c0321b039f092bb56e6

SHA512
08a87ae69889f4e3f65d04ee8f39d4597147741962c2f076139ca1c232b63807f313d9e4d38b7e8ecb1092080d6711d0e437924e6945879520aacaf2df09da99

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfx.ini

Filesize
215B

MD5
ae2f58a86cb375eaf12fd125430fe788

SHA1
67bdb915a9f17af62bf75bafb7e96e335718bbda

SHA256
78c90a603af30ab51ba0398058de4c8be3d9803e92b0a689328ad0259576d3d5

SHA512
8963169f5dfce686d97b7f22567a7b4ac5cafdba3027f12479d7f08c6eccbaeabf146cd050a94f1c16d9472eed3c416f897b5b898d4dc8bd73396d7ccb0e7969

Download Submit
memory/4808-22-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download