Overview

overview

8

Static

static

3

fe2f0e26f6...61.exe

windows7-x64

7

fe2f0e26f6...61.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    1s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-12-2023 22:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fe2f0e26f68c1c9bdb2b37b962e13761.exe

  • Size

    125KB

  • MD5

    fe2f0e26f68c1c9bdb2b37b962e13761

  • SHA1

    1c1f7d91c7981dc4ab312361e6d709383082f731

  • SHA256

    79141b65df2998bd3ca9ae23779963466a753a0aaf88549c2337949dc9f149dc

  • SHA512

    2d5710741415c758b4af2e1b1b076ecb2ded31abe5cfbd24b70d0c777fe56381d132462fdbaa9e63013beb3937370617ad707f9d7203ab118f6694ae695eb925

  • SSDEEP

    3072:EGu9BlfzWIbXWm+w0JF5omFV5aT72PUEABiyxj7BygUnn:E/0uopVkT7SUnRygK

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe2f0e26f68c1c9bdb2b37b962e13761.exe
    "C:\Users\Admin\AppData\Local\Temp\fe2f0e26f68c1c9bdb2b37b962e13761.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2936
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\¸´¼þ5~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\¸´¼þ5~1.EXE
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:908
      • C:\program files\common files\microsoft shared\msinfo\¸´¼þ Server.exe
        "C:\program files\common files\microsoft shared\msinfo\¸´¼þ Server.exe"
        3⤵
          PID:3540
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3088 -ip 3088
      1⤵
        PID:4700
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 12
        1⤵
        • Program crash
        PID:3208
      • C:\Windows\SysWOW64\userinit.exe
        "C:\Windows\system32\userinit.exe"
        1⤵
          PID:3088
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Windows\system32\KMe.bat
          1⤵
            PID:4348
          • C:\Windows\SysWOW64\System64.exe
            "C:\Windows\system32\System64.exe"
            1⤵
              PID:3656
            • C:\Windows\system32\BackgroundTransferHost.exe
              "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
              1⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in System32 directory
              PID:3540

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files\Common Files\microsoft shared\MSInfo\¸´¼þ Server.exe
              Filesize

              12KB

              MD5

              699b15d5136fc77fdaa358d088b7cff3

              SHA1

              eda01927c8b274e4abf1e502f5e89e576f24b309

              SHA256

              34b408cc7387e8aa505ac9f4f997a806178baad51ecc9593f381658edbe752cd

              SHA512

              b9eaf779f6a9dc327ae42a77fe8efb17431ffb4c35b7622c072dc69862cb5c5e76921d1418553f2c3fda75a77f89cf125fe61d68aede7f3d462eab7ee369376b

              Download Submit

            • C:\Program Files\Common Files\microsoft shared\MSInfo\¸´¼þ Server.exe
              Filesize

              50KB

              MD5

              bd6d8d56d93e724ddf63e7e54f721641

              SHA1

              f85297df11bb6f96be9c22dbbd3be50e7f0d1ac3

              SHA256

              299b8bd412df3fa8e84b3be802e7b6e5b2053a95084cbf6d87244e27cd326a22

              SHA512

              68319fc20ef446ad94e1c096fc78b9f83e084cbeec031379ef33d80ab82d50c1e2fe768180b29d265b1456ee66d40cb071d63cf57aa5ba9460ec86280edaba0f

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\¸´¼þ5~1.EXE
              Filesize

              67KB

              MD5

              c1855d4f6b941746398995d2c5f1e4eb

              SHA1

              0df966138bf596487519eb1fe7a1c1f2fc9f816f

              SHA256

              e31e99ffa22085623e26bc5701716ea81a6d149e58e25762f953fde46a8583a6

              SHA512

              17e77dd374c5732f3d558fd4d7a31d12f5f237d24ed2db243fa78eb940f9766785176036472e61e183611c369553a4a01c5fc6b687080f96afcd4799193f2b29

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\¸´¼þ5~1.EXE
              Filesize

              33KB

              MD5

              34bee1a290496dad6190fa0f0c1df6c8

              SHA1

              4e07fda1390dde5e9d317c414edfb4c7b9be96fa

              SHA256

              34681e0a4f7d6e5d26e9fbef1a9f2d82ad8b34aad39efb8effc3bac798beb0bd

              SHA512

              0c391721769e222304181a3e9ee1bd54f14ab7496d27aabdd25008bde434c59514a16675bf5ad49d4e18e7120208d83564c9bc1def73d00864030d6fd5026bec

              Download Submit

            • C:\Windows\SysWOW64\KMe.bat
              Filesize

              85B

              MD5

              6715f0eb80f4bb9dd4f3fef821bc4c44

              SHA1

              3ede4eda0561b53882facc0d82666082c2ec5d0b

              SHA256

              c59869fb189a95c56e48066501ac654ad461e517a9c91bb021803a2a968c1fa8

              SHA512

              4073571509d92104e53c1a3377c341856d85e06102eace2bfe75c7a6cf0ebb0031bc950a355059be65fb9d5c75e17d6b46274f7c4befa2a3bf845e7f0fed1e38

              Download Submit

            • C:\Windows\SysWOW64\System64.exe
              Filesize

              40KB

              MD5

              2062587c5b99a01046232a26617e3204

              SHA1

              3ca7ced2059160db843cf97fb50d5e274cc5cf26

              SHA256

              26d6d398b28d3cc37024bcc01e81dc7bd065f0520bb361ac3e91db1ed96961f1

              SHA512

              fcf1b853c0445ae8986fc0fb3c59d9c20e3bdec443594794e62bc44ef1df0d3b6e3a900b76f09a788d7926faa058f8c46b0b1985580b5f038a5e68f02f0b5e3c

              Download Submit

            • C:\Windows\SysWOW64\System64.exe
              Filesize

              23KB

              MD5

              d133b08ab31ef733169ce8117146b767

              SHA1

              25eb5d4f6b8d5ba44ee9f4af1171d196807e93b2

              SHA256

              df178b5c15bab05cafcb705d0f5bc8a6cfdc1a0550f968cb0d611526108a5e68

              SHA512

              0da499444ccda3d85f068f17e3fb26d42440a8bea6f201034dc5f36ef8222b13ddc522f84fe82985fe712c101c3b3a09a59b6d85732cf812f1fbc491261d4020

              Download Submit

            • C:\Windows\SysWOW64\System64.exe
              MD5

              d41d8cd98f00b204e9800998ecf8427e

              SHA1

              da39a3ee5e6b4b0d3255bfef95601890afd80709

              SHA256

              e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

              SHA512

              cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

              Download Submit

            • C:\Windows\SysWOW64\System64.exe
              Filesize

              28KB

              MD5

              dab84332f56f504c2f829d3dbbdac87e

              SHA1

              36eb8649696e3fa4c9400496d973e1a803e8c125

              SHA256

              71f0a0ec7893f7a4782013f4a7ff9a137bbab322a273419d5e0b4c4aa374b65e

              SHA512

              38860bdb42fa025f4088ba3b93d1578b057a3b8b50116985c5a29e41ca86811e1cf96d8cf56c797f13ac2db068f873123c5490fd8429fc9b9f0968948f29b43a

              Download Submit

            • C:\program files\common files\microsoft shared\msinfo\¸´¼þ Server.exe
              Filesize

              55KB

              MD5

              5c4465db267c20280494b199c094f778

              SHA1

              b58c93584aeb13f4b88b1d76cbe857bae4f4769c

              SHA256

              d4e78e6921aa41b0770405edd2378184e84bbccd0d23494edbfd9ab97bd44b0a

              SHA512

              6fdf898baf56e45fda65ad6d4060f9f4af5f72099dd14e1baba50e41b39ee32924bcddc5d5e317d1f1645a205b925d30f1824e30ee30764eec10dfb0ee5790d6

              Download Submit

            • memory/908-16-0x0000000000400000-0x000000000041E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/3088-45-0x0000000000400000-0x0000000000446000-memory.dmp

              Filesize

              280KB

              Download

            • memory/3088-46-0x0000000000400000-0x0000000000446000-memory.dmp

              Filesize

              280KB

              Download

            • memory/3088-51-0x0000000000B50000-0x0000000000B50000-memory.dmp

              Download

            • memory/3540-42-0x0000000000400000-0x0000000000446000-memory.dmp

              Filesize

              280KB

              Download

            • memory/3540-21-0x0000000000500000-0x0000000000501000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3540-22-0x0000000000500000-0x0000000000501000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3540-20-0x0000000000400000-0x0000000000446000-memory.dmp

              Filesize

              280KB

              Download

            • memory/3540-18-0x0000000000400000-0x0000000000446000-memory.dmp

              Filesize

              280KB

              Download

            • memory/3656-49-0x0000000000400000-0x0000000000446000-memory.dmp

              Filesize

              280KB

              Download

            • memory/3656-41-0x0000000000590000-0x00000000005C2000-memory.dmp

              Filesize

              200KB

              Download

            • memory/3656-38-0x0000000000590000-0x0000000000591000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3656-43-0x0000000002010000-0x0000000002056000-memory.dmp

              Filesize

              280KB

              Download

            • memory/3656-37-0x0000000000400000-0x0000000000446000-memory.dmp

              Filesize

              280KB

              Download

            • memory/3656-44-0x0000000002010000-0x0000000002056000-memory.dmp

              Filesize

              280KB

              Download