Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/12/2023, 17:11

General

  • Target

    2fe4e82fb8505a4cbc62ca4aabb61e95.exe

  • Size

    156KB

  • MD5

    2fe4e82fb8505a4cbc62ca4aabb61e95

  • SHA1

    9236f8956550b485b92946917d782f9e97c4a99c

  • SHA256

    6ca38c1314069b980b5d2909c66da5aa85dda1dfb72bc3b673d218c8ab7ad8cd

  • SHA512

    c1365a6b85f1956d728568c13ae4eee9acaa81d8e394608732438a6e77c7cfc0c8ef21a3e5128f820096fc269b9cc5ad7baa9464515c892175bb2c2beca07c34

  • SSDEEP

    3072:4hoG1vvf963zW2FFWj8mXXvNrkUpBdasFhSFJmoq2vXqkyzGsNry9/9P9w9BVgI7:1G1vvf963zW2FFWImXXvNrkUpBdasFhH

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 51 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2fe4e82fb8505a4cbc62ca4aabb61e95.exe
    "C:\Users\Admin\AppData\Local\Temp\2fe4e82fb8505a4cbc62ca4aabb61e95.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3640
    • C:\Users\Admin\guoafuc.exe
      "C:\Users\Admin\guoafuc.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4056

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\guoafuc.exe

    Filesize

    156KB

    MD5

    89651932a1dd5b03fd2fbf508f972759

    SHA1

    927d3134b1d3ff06b75629d0f359baa70c3f3577

    SHA256

    197b51845fca90947b6304bec02d96340d3e66687c9288b61db39c41c7ff3784

    SHA512

    5f42ab1a570c9cc2e4fe429547c308b0c7744f7c23c6613e70972cb5b40519fa44bfcccb05f2e66d372271f8c0fd23e74d27b78e5a2f258f917d1355ad6d631e