9215dc50d072419d5aa2f77cfa83ed6356506362f53dfed46ce859a6870d7420

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

download.exe
Size

180KB
MD5

aa60fcefbae790397407fac5fd30d6f7
SHA1

b016528bed7726c92498c9d91d63fd800d60e016
SHA256

67873407a7836c7359b6e691bd3e719d68a5d778ff6603b98cb0a7a80a186266
SHA512

74ab1596aac43df14561fead295efb26f63dab90d5dd7175ebca222b90617bdfa1bebaf44ea7e515467e30d8959d11e295407d7b8364a9b5f25f20d4aa538f89
SSDEEP

3072:SBAp5XhKpN4eOyVTGfhEClj8jTk+0hj9nPsyVGzRXh:hbXE9OiTGfhEClq9cnUyVGL

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	4656	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	download.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\primarily the African oil palm\Palm oil is an edible vegetable\palm\Elaeioleiferandhemar.ipa	download.exe
File opened for modification	C:\Program Files (x86)\primarily the African oil palm\Palm oil is an edible vegetable\palm\Crudepalmilutures.bat	download.exe
File opened for modification	C:\Program Files (x86)\primarily the African oil palm\Palm oil is an edible vegetable\palm\yellowishfattyilobtained.vbs	download.exe
File opened for modification	C:\Program Files (x86)\primarily the African oil palm\Palm oil is an edible vegetable\palm\conservationistsandother.vbs	download.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	download.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 2196	880	download.exe	25
PID 880 wrote to memory of 2196	880	download.exe	25
PID 880 wrote to memory of 2196	880	download.exe	25
PID 880 wrote to memory of 1540	880	download.exe	27
PID 880 wrote to memory of 1540	880	download.exe	27
PID 880 wrote to memory of 1540	880	download.exe	27
PID 880 wrote to memory of 4656	880	download.exe	26
PID 880 wrote to memory of 4656	880	download.exe	26
PID 880 wrote to memory of 4656	880	download.exe	26

C:\Users\Admin\AppData\Local\Temp\download.exe
"C:\Users\Admin\AppData\Local\Temp\download.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\primarily the African oil palm\Palm oil is an edible vegetable\palm\Crudepalmilutures.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:2196
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\primarily the African oil palm\Palm oil is an edible vegetable\palm\conservationistsandother.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:4656
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\primarily the African oil palm\Palm oil is an edible vegetable\palm\yellowishfattyilobtained.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\primarily the African oil palm\Palm oil is an edible vegetable\palm\Crudepalmilutures.bat

Filesize
657B

MD5
edbb59061fadcd2c91542a7784ebfde3

SHA1
563e56b39796fa31e066ba4a42b777b9ba773e15

SHA256
297a062ab5c4e60c23dc0ed5d39d3b25a8fbfb6e9613e71c5218872f51ceb473

SHA512
c9b53c6308e17211b867876a7303382710e65658100247fd823550d8ea90708dfdcc02b5c5d5a94ee8639dfae55b6b07fffdc0ceecf891aed251ab1e4fc5c1b0

Download Submit
C:\Program Files (x86)\primarily the African oil palm\Palm oil is an edible vegetable\palm\conservationistsandother.vbs

Filesize
499B

MD5
aa50d947717fc8772441a29adea1fb23

SHA1
8ac9678e4024eab203ecc3bbeaaab90100b0814a

SHA256
2d3fbe09f36f606f882a901a1a2954bad3dca89fb37abf8b20652c82fc54d4d5

SHA512
bf2dedce91d0fe0fec879f63393ffb24b7f55cfcd51c76ee3cc0fc0c06870240a22ab4bd531b6ee9863a45e3fe1a8ccf15ce32492e7c4128fd79c508b06293a6

Download Submit
C:\Program Files (x86)\primarily the African oil palm\Palm oil is an edible vegetable\palm\yellowishfattyilobtained.vbs

Filesize
648B

MD5
982a2f099e7c4b8e4f8a114c078a3b18

SHA1
f571635b0c92a70bc210a515f2cd1ee8f31597e1

SHA256
26f66c8a26b404a9bbfd049e0d21ff2273538b82bb4719b940f5b0ee7e167c17

SHA512
70ea830f6a4d8503a4913b5340478835cabf30d877be29d7ce98f49d937a0d7c6ddb6d7917879ed6d8431ca07f3d994ca7f6057de67da335b0f938353f7bb7c7

Download Submit
memory/880-40-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download