Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/12/2023, 22:11

General

  • Target

    05469e24bd9fc5b10271cca5ab1e9b4e.exe

  • Size

    323KB

  • MD5

    05469e24bd9fc5b10271cca5ab1e9b4e

  • SHA1

    4a836f602bda13243ce69776c5343255e8690bbd

  • SHA256

    e4fb7d3f5437f91f4159bb0c8e10addf1d775c5ff5374fc4cd0328064e663ad7

  • SHA512

    fd2eff1f7a079e92006bdf7850cacf2d06aca3d0c4ef1529d257bc4957f67e9285b817dd220843973a76e8e96156d92a7b46331f172ff66930489d138916c1bd

  • SSDEEP

    1536:FkoVgaYJLFfLJEUI1qeXxyGA3N5eyD8SlNDSzvHFRiCCVGCWPGeSe+eooOoaoCok:/tYJLFfLoWGA3N5ecYxo

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\05469e24bd9fc5b10271cca5ab1e9b4e.exe
    "C:\Users\Admin\AppData\Local\Temp\05469e24bd9fc5b10271cca5ab1e9b4e.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Modifies Internet Explorer start page
    • Suspicious use of WriteProcessMemory
    PID:1364
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\system32\wscript.exe" /nologo C:\WINDOWS\ddhnj.vbs
      2⤵
        PID:1976
      • C:\Users\Admin\AppData\Local\Temp\Del492E.tmp
        C:\Users\Admin\AppData\Local\Temp\Del492E.tmp 1084 "C:\Users\Admin\AppData\Local\Temp\05469e24bd9fc5b10271cca5ab1e9b4e.exe"
        2⤵
        • Checks computer location settings
        • Deletes itself
        • Executes dropped EXE
        • Drops file in Windows directory
        • Modifies Internet Explorer start page
        • Suspicious use of WriteProcessMemory
        PID:2148
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\system32\wscript.exe" /nologo C:\WINDOWS\ddhnj.vbs
      1⤵
        PID:1836

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads