Overview

overview

7

Static

static

3

529ea50fb1...05.exe

windows7-x64

7

529ea50fb1...05.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    88s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/12/2023, 04:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    529ea50fb163f9cdf4712ff72c3ce805.exe

  • Size

    325KB

  • MD5

    529ea50fb163f9cdf4712ff72c3ce805

  • SHA1

    ebd3f53c65158a5a2a66a4c1b4e0d6faeb5387e8

  • SHA256

    e5f97620d369f0aea9026410dd7f1bf1ab7ea6d7cfc6978d3944198bcc238055

  • SHA512

    d27b5a645213b4330ced5efabbc35e8b615eaa3229249623fd480aa0fe40eb6dd5eef1a08b76d31286137e7856f7b3da03ecb01fb786963772d4fd17edaced75

  • SSDEEP

    6144:ye34WsD8/AQi6/9sSZkHgRCrIt7nStZFsASnUy2dU+KCsAQhGlmoNjIUpmeAUVBH:xsD8PB/uKPcmS7FsA8Uy2nK3AQYlvNBp

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 5 IoCs
  • Drops file in System32 directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\529ea50fb163f9cdf4712ff72c3ce805.exe
    "C:\Users\Admin\AppData\Local\Temp\529ea50fb163f9cdf4712ff72c3ce805.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1272
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\ŠÂ‹«î•ñ_poisonchain.txt
      2⤵
        PID:5080

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\nsw5739.tmp\DiagSummary.dll
      Filesize

      96KB

      MD5

      a293e99fd5576dc0f91666d4cd905a5c

      SHA1

      77b50d862e06a1eb12c94c5f5d6d7c7c1a3a5360

      SHA256

      123d4c7037deb56842b4199eefede319f0298e1d98e052e60c302cc2b17b2c37

      SHA512

      78bbdce55e60c9760551bee9a76a4115cbe1b004f05992f44f275bbb3416f0ecc0355f805da24561fb113f485b1e13dfc417c93d3842e82e4117f8b52875463f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsw5739.tmp\InstallOptions.dll
      Filesize

      14KB

      MD5

      325b008aec81e5aaa57096f05d4212b5

      SHA1

      27a2d89747a20305b6518438eff5b9f57f7df5c3

      SHA256

      c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

      SHA512

      18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsw5739.tmp\System.dll
      Filesize

      11KB

      MD5

      c17103ae9072a06da581dec998343fc1

      SHA1

      b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

      SHA256

      dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

      SHA512

      d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsw5739.tmp\iocustom.ini
      Filesize

      315B

      MD5

      34e435a988c1dd27eef6583a643338dd

      SHA1

      0e9a0635a438438507a773a592e62706e900d82d

      SHA256

      5fb5344bd032f03389326ac8c5180d379a679f87fb3253a7a81d0e983567e91d

      SHA512

      82c71035c8aec72ad29e6be01cab1d872d3892f77bb99a252f062435de65d0cdb50f73fd7896e9aa805b183662a7cd3edc4caa8c176dbaeba5011d9458ea8a0d

      Download Submit

    • C:\Users\Admin\Documents\ŠÂ‹«î•ñ_poisonchain.txt
      Filesize

      8KB

      MD5

      698944f85d78a0d669ebb77673021ab7

      SHA1

      5f65627d6e4d55ca2de9c2ba242974c2db7279cb

      SHA256

      1b66a8aea1a2e7343955b5bbab4fccafb5e30d9ed4d85e45c5407a72018a2301

      SHA512

      1c7342da4ef49b0ff60ed23caf467214d9e15d64ba1bcf8d84cd51f3186627687f08dc1519b5286b1cd357146d26ca1f387d659957461fbeebe67a84ae9f33f1

      Download Submit

    • memory/1272-93-0x0000000005150000-0x0000000005151000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1272-89-0x0000000005150000-0x0000000005151000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1272-94-0x0000000005150000-0x0000000005151000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1272-88-0x0000000005150000-0x0000000005151000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1272-96-0x0000000005150000-0x0000000005151000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1272-95-0x0000000005150000-0x0000000005151000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1272-98-0x0000000005150000-0x0000000005151000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1272-97-0x0000000005150000-0x0000000005151000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1272-99-0x0000000005150000-0x0000000005151000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1272-87-0x0000000005150000-0x0000000005151000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1272-84-0x0000000004B00000-0x0000000004B1A000-memory.dmp

      Filesize

      104KB

      Download