Overview

overview

7

Static

static

3

1f88998d67...21.exe

windows7-x64

7

1f88998d67...21.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    161s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/12/2023, 12:46

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    1f88998d6754982c6ffff3b687264821.exe

  • Size

    515KB

  • MD5

    1f88998d6754982c6ffff3b687264821

  • SHA1

    0e672a2738a8626677b8ce6ea97be7747b357aa5

  • SHA256

    a7ef6032c92f5f1284a6cbba65f53b946fa6cd903b1e8da3f4a554a650e1cad4

  • SHA512

    172764009828c0437b51069f4e7336bd8e3a21bfd2ca75cfc443226a6cf48449bf4b7392c5ad98f3e65ff2f5c5e12fc14c5c63eea5d09f68070892d02c47d7b0

  • SSDEEP

    12288:aio8EuMd7IbGKtT2d6OxyLvqDvRRFLsYq4EJnIHe/U+f:89b2GKtTWRDf+xJhGe/rf

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1f88998d6754982c6ffff3b687264821.exe
    "C:\Users\Admin\AppData\Local\Temp\1f88998d6754982c6ffff3b687264821.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2400
    • C:\You Server.exe
      "C:\You Server.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4540
      • C:\Users\Admin\AppData\Local\Temp\You Server.exe
        "C:\Users\Admin\AppData\Local\Temp\You Server.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Checks processor information in registry
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1932
        • C:\WINDOWS\SysWOW64\dlllhost.exe
          C:\WINDOWS\system32\dlllhost.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Checks processor information in registry
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          PID:2712
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 872
        3⤵
        • Program crash
        PID:4380
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4540 -ip 4540
    1⤵
      PID:1276

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\You Server.exe
            Filesize

            130KB

            MD5

            cfa6b941eaef669c5cf786b35b564830

            SHA1

            d8f61f2b54be080031a8a2d7cb7585606e7d6b3d

            SHA256

            05fdcda9dec660e278fe77315876481e314519151732087df057636fe5420c90

            SHA512

            15fc906eb2ef739d393b7d37927c691480b41b3bae7355381bb570936666f755e73c96ae7eb05d2ca8315e2a1ca8b736339640b909b87de29b2911f33af478e9

            Download Submit

          • C:\Windows\SysWOW64\logs.txt
            Filesize

            27B

            MD5

            709191d3408d179db0aff8bbbca7e249

            SHA1

            407ef9fff2bbeb2b85738a39c8bbbaa2dcf9b2fd

            SHA256

            ed8f9de65ce3dc77975224b9d88a38dc6f211b6d9bd9ac1659260f92232fc109

            SHA512

            f7b4087507e3fcf834da069cb97db034be549af8d78874166e990a164f7f9a39baa6492906ac56c3c23d0e2a11d8a2634e1c455ac2facded7c8011244f1e1529

            Download Submit

          • C:\You Server.exe
            Filesize

            316KB

            MD5

            5d40c9da0c217f48759e5ad64c5c74e8

            SHA1

            9071ba850ca25353d80e317312629dc681741f63

            SHA256

            23d1b2235fe779b33d4ac2a10e5cf0821e5e9d93e06b322a878f3400304ddf8b

            SHA512

            83ce5acf5a8eca215019824ddbfb84016cd1c4af8b7fab80d02aef30607b1f4cba300a73ceb178e9d5c6e5e7d542188566b1b030c85d7ece42729ca66c0dbf94

            Download Submit

          • memory/1932-25-0x0000000000400000-0x0000000000483000-memory.dmp

            Filesize

            524KB

            Download

          • memory/1932-29-0x0000000000400000-0x0000000000483000-memory.dmp

            Filesize

            524KB

            Download

          • memory/1932-39-0x0000000000400000-0x0000000000483000-memory.dmp

            Filesize

            524KB

            Download

          • memory/2400-11-0x0000000010000000-0x000000001005F000-memory.dmp

            Filesize

            380KB

            Download

          • memory/2712-50-0x0000000000400000-0x0000000000483000-memory.dmp

            Filesize

            524KB

            Download

          • memory/2712-44-0x0000000000400000-0x0000000000483000-memory.dmp

            Filesize

            524KB

            Download

          • memory/2712-55-0x0000000000400000-0x0000000000483000-memory.dmp

            Filesize

            524KB

            Download

          • memory/2712-61-0x0000000000400000-0x0000000000483000-memory.dmp

            Filesize

            524KB

            Download

          • memory/2712-67-0x0000000000400000-0x0000000000483000-memory.dmp

            Filesize

            524KB

            Download

          • memory/2712-73-0x0000000000400000-0x0000000000483000-memory.dmp

            Filesize

            524KB

            Download

          • memory/2712-79-0x0000000000400000-0x0000000000483000-memory.dmp

            Filesize

            524KB

            Download

          • memory/2712-83-0x0000000000400000-0x0000000000483000-memory.dmp

            Filesize

            524KB

            Download

          • memory/2712-90-0x0000000000400000-0x0000000000483000-memory.dmp

            Filesize

            524KB

            Download

          • memory/2712-96-0x0000000000400000-0x0000000000483000-memory.dmp

            Filesize

            524KB

            Download

          • memory/2712-102-0x0000000000400000-0x0000000000483000-memory.dmp

            Filesize

            524KB

            Download

          • memory/2712-107-0x0000000000400000-0x0000000000483000-memory.dmp

            Filesize

            524KB

            Download