Overview

overview

7

Static

static

3

76778a14c8...ec.exe

windows7-x64

6

76778a14c8...ec.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    173s
  • max time network
    186s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/12/2023, 14:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    76778a14c8c926b8ba9a210b4b88faec.exe

  • Size

    94KB

  • MD5

    76778a14c8c926b8ba9a210b4b88faec

  • SHA1

    39e082b2dd2c50aae6195f33191d8be2344e7f08

  • SHA256

    818c3ebc9d264b7f19444a9c0aadc04980b05969f2ed41da7ae6fa4c1d33384f

  • SHA512

    624cbeb3ed9a72076093a73ef07b951a8e2fc645b2ec02669934c34f3cb2a14417c918c673f09baf9f95991a5830da88726191c1b6139ebeb9cccfbc00724584

  • SSDEEP

    1536:kWq8QUsRxkA6ln1mf9EE1+ThAcr0yNMbrAnL6zS27xsXS4KIYu+RlsgyQ87F4sNH:N9qxqw9bwTh30yyMnL6zS27xsX3Kp/LC

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 3 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\76778a14c8c926b8ba9a210b4b88faec.exe
    "C:\Users\Admin\AppData\Local\Temp\76778a14c8c926b8ba9a210b4b88faec.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\syscheck.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4292
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V packageinfo /D "\"packageinfo \"" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3440
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V packageinfo /D "\"packageinfo \"" /f
          4⤵
          • Adds Run key to start application
          • Modifies registry key
          PID:3380
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:468
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3968

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\syscheck.bat
    Filesize

    125B

    MD5

    b76e95682010f57bfdb402a0f49e44f6

    SHA1

    0441c5140b02d42e2e5e6d01742d1d186de54063

    SHA256

    d14f16d2d48a2e76211d01d5ba623ad03a59994f7bd0dccaba9c507588778e38

    SHA512

    3c92519a446ae4578cdb0cceeff6dd63121d3875034ee56379591d2f529250054be29c5bbef4f5cddef41b2dfbb2db1f879f89932e69384e4e0200c87dc49847

    Download Submit

  • memory/1668-0-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1668-3-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1668-10-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download