Analysis

Max time kernel: 1s
Max time network: 137s
Platform: windows10-2004_x64
Resource: win10v2004-20231222-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 28/12/2023, 20:58
Static task: static1

Behavioral task: behavioral1
  Sample: f7c31f9bbf574bc22b058cc67ad503f9.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: f7c31f9bbf574bc22b058cc67ad503f9.exe
  Resource: win10v2004-20231222-en
General

Target: f7c31f9bbf574bc22b058cc67ad503f9.exe
Size: 908KB
MD5: f7c31f9bbf574bc22b058cc67ad503f9
SHA1: 1581e7f3b778303068451d1eaa3e309fdd9d188b
SHA256: f619484090ebbe96ee99eac61b5ba76acf3063a114b5ff1d8f1464ef98553adf
SHA512: 6bacd170f5ac04617df5466677ef13963a7db4c0e5196a3716c789fc4b3cbb0b24c5a4262a52d6836fb30940fcaf419364cc1bcf309c9c9f51bcf79a9f05c366
SSDEEP: 24576:8/NiRWfP4WOfJ/418E3X4ur1FYM0/5b3MomTlZx:uYUtOfJFE3X4urY5hAoY7
Malware Config
Signatures

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation
  Process: f7c31f9bbf574bc22b058cc67ad503f9.exe

- Executes dropped EXE (1 IoC)
  PID 2284: nzy4linWjhqSjOVfKdCq.exe

- Drops desktop.ini file(s) (2 IoCs)
  File created: C:\Windows\assembly\Desktop.ini (f7c31f9bbf574bc22b058cc67ad503f9.exe)
  File opened for modification: C:\Windows\assembly\Desktop.ini (f7c31f9bbf574bc22b058cc67ad503f9.exe)

- Drops file in Windows directory (5 IoCs)
  File opened for modification: C:\Windows\assembly (f7c31f9bbf574bc22b058cc67ad503f9.exe)
  File created: C:\Windows\assembly\Desktop.ini (f7c31f9bbf574bc22b058cc67ad503f9.exe)
  File opened for modification: C:\Windows\assembly\Desktop.ini (f7c31f9bbf574bc22b058cc67ad503f9.exe)
  File created: C:\Windows\nzy4linWjhqSjOVfKdCq.exe (f7c31f9bbf574bc22b058cc67ad503f9.exe)
  File created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new (f7c31f9bbf574bc22b058cc67ad503f9.exe)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (1 IoC)
  PID 1784 (WerFault.exe), target PID 2284

- Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process                               procid_target
  PID 2480 wrote to memory of 2284   2480  f7c31f9bbf574bc22b058cc67ad503f9.exe  37
  PID 2480 wrote to memory of 2284   2480  f7c31f9bbf574bc22b058cc67ad503f9.exe  37
  PID 2480 wrote to memory of 2284   2480  f7c31f9bbf574bc22b058cc67ad503f9.exe  37
Processes

1. C:\Users\Admin\AppData\Local\Temp\f7c31f9bbf574bc22b058cc67ad503f9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f7c31f9bbf574bc22b058cc67ad503f9.exe"
   PID: 2480
   - Checks computer location settings
   - Drops desktop.ini file(s)
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\nzy4linWjhqSjOVfKdCq.exe
      Command line: "C:\Windows\nzy4linWjhqSjOVfKdCq.exe"
      PID: 2284
      - Executes dropped EXE

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2284 -ip 2284
   PID: 4724

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 904
   PID: 1784
   - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 92KB
  MD5: 018415a98e5de3a99b3acbaa220bdb9e
  SHA1: 91b0019f341b677078860fc06ab0318d4b6d9c96
  SHA256: 0fd114c97be0de5633afffef793015809b0c977681a141f733c239f2452c88bd
  SHA512: 616959c5661dfe42091402ebf023b8cbfa412187b7dc8818ef64eb81974646895636f9507ac8288716f59791bc2f297a39fbc438d45c2bb88015acda93bebb68

- Filesize: 93KB
  MD5: c1e130d088323a7e3b771186ca411fca
  SHA1: cb4add2c3d6f647633a895af8d6382e99809ce5c
  SHA256: 89a3127cc64dbdca37074ba941f095c339b24e72e35fddcf8677f2cd47058f06
  SHA512: e821a55f0bb0ba3bba055d36b002e6558e55a95861091d3b1667a12a305916e722bf4203a95686e48b453d3feca72258b7616b72fcecf26f781e466619ec80fe