Overview

overview

10

Static

static

3

41d252b23b...d1.exe

windows7-x64

10

41d252b23b...d1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-12-2023 23:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    41d252b23b8cbf3a68e88f4fde81edd1.exe

  • Size

    132KB

  • MD5

    41d252b23b8cbf3a68e88f4fde81edd1

  • SHA1

    72d95fb479adaa8697fcdce251ab6b1c51ac6dd7

  • SHA256

    5b39ca0f6f3ba545394ad3e11e00ab3724659cfb5a4dcd37a16bc18bc2c5d93c

  • SHA512

    796508e3df59e9aa7d633671977e458677dec0cb438d886cde1b1ba36cec17ba0246e54810b8030a5c0dcb0ad84d999900cd99378911661e4d71eb567a0f5f8b

  • SSDEEP

    1536:vwWmIgYu9+7gWbrimfWSeJFzkRcTwdEQdIumgDL0FfxTGWpip5UhHR:vwlT8gWi2eJFzkRswUumgDLOfbiHWHR

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 52 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\41d252b23b8cbf3a68e88f4fde81edd1.exe
    "C:\Users\Admin\AppData\Local\Temp\41d252b23b8cbf3a68e88f4fde81edd1.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4612
    • C:\Users\Admin\kjfeg.exe
      "C:\Users\Admin\kjfeg.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3776

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\kjfeg.exe
    Filesize

    132KB

    MD5

    930e2cd2207fe6a2ba127ad6a3ad4f86

    SHA1

    3668bc3ae7a8993bacb7f9d958f28a6814be1635

    SHA256

    e947df9c7f4d86704090f7c3f12d34f33d5e637cbd18a99f0e56da3ad842f570

    SHA512

    dcb252126324b8d1b57a7d340bc64cde6099c815bbd6d467487d79855906df04c0e865b6cd588b9e6280cdb8aed0022b66b1ce2470bb246461878e6dce6109ad

    Download Submit