Analysis

  • max time kernel
    144s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/12/2023, 01:26

General

  • Target

    493610666610bb568fb1fb2a29dfc86a.exe

  • Size

    531KB

  • MD5

    493610666610bb568fb1fb2a29dfc86a

  • SHA1

    96364789f310a0d3747e538d88cf38bd89cd7eba

  • SHA256

    98c830e1f593c1eae961b44822ac2990df90e214aad17cc9c3caf19b09005f7e

  • SHA512

    a5bb73054286b49f208267bcfff8cc0794b2fce111a159229c72e1f7dcb37a91d4d47a92925364b2fa3875e3807cc9424b87c22623a75d19e8d7b2ad866a0167

  • SSDEEP

    12288:2Qv0eBwZPTf7+y1dKluklBIy/8YwA7GH4:H82Wb7+SEP/RJG4

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs
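
    The "UPX packed file" signature above does not disclose its rule. The following is an added example (not the sandbox's own signature and not code from the sample) of how such a check is commonly built: parse the PE section table with struct and look for the UPX0/UPX1 section names, the "UPX!" marker string, and the UPX layout in which the first section has a virtual size but no bytes on disk. The two PE images are constructed inline from headers only; they are not bytes from 493610666610bb568fb1fb2a29dfc86a.exe.

```python
import struct

# Section names the stock UPX packer writes; a "modified UPX" build may rename
# them, so the marker string and the section layout are checked as well.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX3"}
UPX_MARKER = b"UPX!"


def pe_sections(data: bytes):
    """Parse the section table of a PE image held in memory.

    Returns a list of (name, virtual_size, raw_size) tuples in file order.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _flags = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        off = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0")
        vsize, _va, rawsize = struct.unpack_from("<III", data, off + 8)
        sections.append((name, vsize, rawsize))
    return sections


def upx_indicators(data: bytes) -> list:
    """Return the reasons this image looks UPX packed (empty list if none)."""
    sections = pe_sections(data)
    reasons = []
    names = {name for name, _, _ in sections}
    if names & UPX_SECTION_NAMES:
        reasons.append("upx-section-names")
    if UPX_MARKER in data:
        reasons.append("upx-marker")
    # UPX layout: the first section is the unpacking destination and occupies
    # no space on disk while claiming a large virtual size.
    if sections and sections[0][2] == 0 and sections[0][1] > 0:
        reasons.append("empty-first-section")
    return reasons


def looks_upx_packed(data: bytes) -> bool:
    return bool(upx_indicators(data))


def build_pe(section_specs, tail=b""):
    """Assemble a minimal 32-bit PE header for testing (headers only, no code)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, 0xE0, 0x0102)
    optional = bytes(0xE0)  # zeroed PE32 optional header
    table = b"".join(
        name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, va, rawsize, rawptr, 0, 0, 0, 0, flags)
        for name, vsize, va, rawsize, rawptr, flags in section_specs
    )
    return bytes(dos) + b"PE\0\0" + coff + optional + table + tail


# Constructed inputs (not bytes from the sample): a UPX-style layout and a plain one.
PACKED = build_pe(
    [(b"UPX0", 0x60000, 0x1000, 0, 0x400, 0xE0000080),
     (b"UPX1", 0x25000, 0x61000, 0x24800, 0x400, 0xE0000040),
     (b".rsrc", 0x1000, 0x86000, 0x800, 0x24C00, 0xC0000040)],
    tail=b"\0" * 64 + UPX_MARKER + b"\0" * 64,
)
CLEAN = build_pe(
    [(b".text", 0x5000, 0x1000, 0x5000, 0x400, 0x60000020),
     (b".data", 0x1000, 0x6000, 0x200, 0x5400, 0xC0000040)],
)

if __name__ == "__main__":
    for label, image in (("packed", PACKED), ("clean", CLEAN)):
        print(label, [s[0].decode() for s in pe_sections(image)], upx_indicators(image))
```

    To run it against a real file, pass open(path, "rb").read() to upx_indicators. Renamed sections defeat the first check only; the marker string and the empty first section survive most casual modifications, which is why the three signals are reported separately rather than collapsed into one boolean.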

Processes

  • C:\Users\Admin\AppData\Local\Temp\493610666610bb568fb1fb2a29dfc86a.exe
    "C:\Users\Admin\AppData\Local\Temp\493610666610bb568fb1fb2a29dfc86a.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2284
    • C:\Windows\SysWOW64\riodrv.exe
      "C:\Windows\system32\riodrv.exe"
      2⤵
      • Executes dropped EXE
      PID:2480
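
    Two things in the tree are worth noting. The command line names C:\Windows\system32\riodrv.exe while the file lands in C:\Windows\SysWOW64: the sample is 32-bit (arch:x86 tag) and WoW64 file-system redirection maps system32 to SysWOW64 for such processes, so a host check must look in both directories. And the report states only that the parent modified Winlogon, not which value or what it wrote. The following is an added example (not code from the report or the sample) of a check for the two Winlogon values most often abused for this, Shell and Userinit, comparing them against stock Windows 10 defaults (an assumption; admin-customised images may differ). The three registry states are constructed and hypothetical; the riodrv.exe entries in them are illustrative, not observed values.

```python
import sys

# Stock Windows 10 values (assumption: a default install; images customised by
# an admin or a vendor may legitimately differ).
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINLOGON_DEFAULTS = {
    "Shell": ["explorer.exe"],
    "Userinit": [r"C:\Windows\system32\userinit.exe"],
}


def split_entries(raw: str) -> list:
    """Winlogon values are comma separated and may carry quotes and a trailing comma."""
    return [part.strip().strip('"') for part in raw.split(",") if part.strip()]


def winlogon_findings(values: dict) -> list:
    """Flag Shell/Userinit entries that are not the default binaries.

    `values` maps value name -> raw REG_SZ string. Returns one finding per
    tampered value, distinguishing an appended entry (the default still runs,
    so the user notices nothing) from a wholesale replacement.
    """
    findings = []
    for name, expected in WINLOGON_DEFAULTS.items():
        raw = values.get(name)
        if raw is None:
            continue
        expected_lc = {e.lower() for e in expected}
        entries = split_entries(raw)
        extra = [e for e in entries if e.lower() not in expected_lc]
        if extra:
            default_present = any(e.lower() in expected_lc for e in entries)
            findings.append({"value": name,
                             "issue": "extra" if default_present else "replaced",
                             "entries": extra})
    return findings


def read_live_winlogon(hive="HKLM") -> dict:
    """Read the live values (Windows only). HKCU carries a per-user Shell too."""
    import winreg  # stdlib, only importable on Windows
    root = winreg.HKEY_LOCAL_MACHINE if hive == "HKLM" else winreg.HKEY_CURRENT_USER
    values = {}
    with winreg.OpenKey(root, WINLOGON_KEY) as key:
        for name in WINLOGON_DEFAULTS:
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass
    return values


# Constructed registry states (hypothetical; the report does not show the value
# the sample wrote, only that a Winlogon value was modified).
CLEAN_STATE = {"Shell": "explorer.exe", "Userinit": r"C:\Windows\system32\userinit.exe,"}
APPENDED_STATE = {"Shell": "explorer.exe",
                  "Userinit": r"C:\Windows\system32\userinit.exe,C:\Windows\system32\riodrv.exe"}
REPLACED_STATE = {"Shell": r"C:\Windows\system32\riodrv.exe"}

if __name__ == "__main__":
    states = {"live": read_live_winlogon()} if sys.platform == "win32" else {}
    states.update(clean=CLEAN_STATE, appended=APPENDED_STATE, replaced=REPLACED_STATE)
    for label, state in states.items():
        print(label, winlogon_findings(state) or "no findings")
```

    On a suspect host, run both hives (HKLM and HKCU) and pair any flagged path with a hash check against the two riodrv.exe entries listed under Downloads, since the same filename is reported with two different sizes and hash sets.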

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\riodrv.exe

    Filesize

    93KB

    MD5

    251dcc031a535081661bd38f496d48fe

    SHA1

    42d4d48d346ec995c406eef5b1c1fbfd5d3b79ae

    SHA256

    bb2319676e06cc005e373ec7e672558ad700043b92100ca33ff691e82d0bade1

    SHA512

    a640eec4221fa0655fc9447ec8fd535e708e86940357d35c387520d6156a38b7541efe6b35435b9d6c860f4adcb35f9a760aafb9585e3a385056976cc68c05df

  • C:\Windows\SysWOW64\riodrv.exe

    Filesize

    531KB

    MD5

    f68d82da4f4b2b1f15afeea90e56bfdd

    SHA1

    8693d895f432b2081049f6eb0b0c80bc98f44075

    SHA256

    899f1dc0a52fa15d19ba45ce58a9fcae8409540d277c83f2d4e19df00bd5c6dd

    SHA512

    7bcf2646f6d4da611985936c2955e61d93a5ac9052b1cf0c7e9ccbc5f6749ae4cbdc0fed4a9d36e829819b454d0c8b60b2d9414b39f836e00bc5acd66dd7b91e

  • memory/2284-0-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2284-1-0x0000000000680000-0x0000000000681000-memory.dmp

    Filesize

    4KB

  • memory/2284-11-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2480-12-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2480-13-0x0000000002100000-0x0000000002101000-memory.dmp

    Filesize

    4KB

  • memory/2480-14-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB