e4fb7d3f5437f91f4159bb0c8e10addf1d775c5ff5374fc4cd0328064e663ad7

Analysis

max time kernel
142s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 04:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05469e24bd9fc5b10271cca5ab1e9b4e.exe
Size

323KB
MD5

05469e24bd9fc5b10271cca5ab1e9b4e
SHA1

4a836f602bda13243ce69776c5343255e8690bbd
SHA256

e4fb7d3f5437f91f4159bb0c8e10addf1d775c5ff5374fc4cd0328064e663ad7
SHA512

fd2eff1f7a079e92006bdf7850cacf2d06aca3d0c4ef1529d257bc4957f67e9285b817dd220843973a76e8e96156d92a7b46331f172ff66930489d138916c1bd
SSDEEP

1536:FkoVgaYJLFfLJEUI1qeXxyGA3N5eyD8SlNDSzvHFRiCCVGCWPGeSe+eooOoaoCok:/tYJLFfLoWGA3N5ecYxo

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	05469e24bd9fc5b10271cca5ab1e9b4e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	Del4352.tmp

Deletes itself 1 IoCs

pid	Process
1452	Del4352.tmp

Executes dropped EXE 1 IoCs

pid	Process
1452	Del4352.tmp

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\ddhnj.vbs	05469e24bd9fc5b10271cca5ab1e9b4e.exe
File opened for modification	C:\WINDOWS\ddhnj.vbs	Del4352.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "hao.thehh.info"	Del4352.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "hao.thehh.info"	05469e24bd9fc5b10271cca5ab1e9b4e.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 3880	3396	05469e24bd9fc5b10271cca5ab1e9b4e.exe	46
PID 3396 wrote to memory of 3880	3396	05469e24bd9fc5b10271cca5ab1e9b4e.exe	46
PID 3396 wrote to memory of 3880	3396	05469e24bd9fc5b10271cca5ab1e9b4e.exe	46
PID 3396 wrote to memory of 1452	3396	05469e24bd9fc5b10271cca5ab1e9b4e.exe	48
PID 3396 wrote to memory of 1452	3396	05469e24bd9fc5b10271cca5ab1e9b4e.exe	48
PID 3396 wrote to memory of 1452	3396	05469e24bd9fc5b10271cca5ab1e9b4e.exe	48
PID 1452 wrote to memory of 220	1452	Del4352.tmp	49
PID 1452 wrote to memory of 220	1452	Del4352.tmp	49
PID 1452 wrote to memory of 220	1452	Del4352.tmp	49

C:\Users\Admin\AppData\Local\Temp\05469e24bd9fc5b10271cca5ab1e9b4e.exe
"C:\Users\Admin\AppData\Local\Temp\05469e24bd9fc5b10271cca5ab1e9b4e.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies Internet Explorer start page
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo C:\WINDOWS\ddhnj.vbs
  2⤵
  PID:3880
- C:\Users\Admin\AppData\Local\Temp\Del4352.tmp
  C:\Users\Admin\AppData\Local\Temp\Del4352.tmp 740 "C:\Users\Admin\AppData\Local\Temp\05469e24bd9fc5b10271cca5ab1e9b4e.exe"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer start page
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\system32\wscript.exe" /nologo C:\WINDOWS\ddhnj.vbs
    3⤵
    PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Del4352.tmp

Filesize
108KB

MD5
c93a4b808376e86e31524709f2dbeffc

SHA1
349d49fffe3774fc12b879ebcabd39782d244b30

SHA256
e792095dc2d8a91910ac91761f845794befed97bbd436c2439a27751b8bb978b

SHA512
8bb22eaa11d2819a6a08f089ad40d4f4033cfb58adb929efb60dcb01b811ab9958f43386cf3315acc7e40fa64c1245b5e88ced40845f253c849970128a11e041

Download Submit
C:\Users\Admin\AppData\Local\Temp\Del4352.tmp

Filesize
112KB

MD5
35b320c331996d10a47ef93afd9f926d

SHA1
f4cd872ba278af521a987211a3ac9c9dcaba74ca

SHA256
1d499c7035fd084a42f1cca95d767a3ea49c215d2225f7cbfa7540de3b3f44ee

SHA512
11ba3f82a8133ce09329c26391bde00305ba9f1893545ba0d9f2c49bcba86815439945354c632d622e4c8582e4e34eb9c04aa58b2947f1374783bcee327c4b30

Download Submit
C:\WINDOWS\ddhnj.vbs

Filesize
114KB

MD5
7626c49ca7278d9bb1872c7f765d7b79

SHA1
3b6bfdae812b495b738cce81e72fb35365a6c7b2

SHA256
041c7ab38133d696d308759063960f9992c0b3543cdf817d09547007cc08401d

SHA512
825e72bf1630aa76cadc0fbba6b98ed51bd964570e95fee8a40740a51e311016d2f598163eee39becda0f7c67ad1e7c2dcf2bf1388669609a2d418091b7d1c87

Download Submit
C:\WINDOWS\ddhnj.vbs

Filesize
93KB

MD5
05ec397c63b148b4cbf58a559a60232a

SHA1
1ee1c6427121a3c54ef1e640f668c7f6a8de15d4

SHA256
8cc362f8ab2f2f798ac041874af2890b4799d2c74e0cff5051c7b057a81a0ce9

SHA512
1fbdef61adf5a3de66426140fd6b49f8ab76292f52fae996a884173a2b09333613349371b308d2e3b7164a6031a999e2341e579d79ab35667c48b92241b1d6c5

Download Submit