Overview

overview

8

Static

static

3

01f087e438...73.exe

windows7-x64

8

01f087e438...73.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    71s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-12-2023 19:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    01f087e43808d90925ec99ccb7154773.exe

  • Size

    203KB

  • MD5

    01f087e43808d90925ec99ccb7154773

  • SHA1

    aa7a69980f2a49ada5bcf162d43bd2b8958fb4b6

  • SHA256

    eeb7c4af49e7e5daad96703dd2aa97e5c66cd7b94930ec4ba7cc011ffe8fa0ae

  • SHA512

    9305109385bad4338bc6a6dd5a46561c789cac54d9fb42d45ccf3bdb9eebd3bf620e0c6e133f5c1d97d50f46c7f89bb7329c33d3032a5d94fe70f07a31e5102b

  • SSDEEP

    6144:838XpOAhmmMKnKrrAoyOWK3dt7bQ0KSRCh8x:COpjnKgkWKtt7ySRCh8

Score
8/10
persistence

Malware Config

Signatures

  • Modifies AppInit DLL entries 2 TTPs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\01f087e43808d90925ec99ccb7154773.exe
    "C:\Users\Admin\AppData\Local\Temp\01f087e43808d90925ec99ccb7154773.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4428
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" "C:\Windows\system32\autosync64.dll",CreateProcessNotify
      2⤵
        PID:1072
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240680328.bat" "C:\Users\Admin\AppData\Local\Temp\01f087e43808d90925ec99ccb7154773.exe""
        2⤵
          PID:4620
          • C:\Windows\SysWOW64\attrib.exe
            attrib -s -r -h"C:\Users\Admin\AppData\Local\Temp\01f087e43808d90925ec99ccb7154773.exe"
            3⤵
            • Views/modifies file attributes
            PID:4404
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 524
            3⤵
            • Program crash
            PID:376
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 532
            3⤵
            • Program crash
            PID:1784
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4428 -ip 4428
        1⤵
          PID:3944
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4620 -ip 4620
          1⤵
            PID:3228
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4620 -ip 4620
            1⤵
              PID:228

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\240680328.bat
              Filesize

              97B

              MD5

              d226a657b279c5fc0a892748230a56ff

              SHA1

              fa7e4fb6d6de3c4769001cbfce0a00ba02ef28a5

              SHA256

              9dae2767b8e3499d37418a75ddd04d457c7ec8d6c8f312ee109c95a8a97e7761

              SHA512

              07d55ccf3b511c3be64f6dcd05cea3feaafb286196e5d7ba30016ab6d9c0d656fb7cde8eb1ce0ef28a41f1f3f00f0e29020c92479619fd43e4ed47b829f8bf2a

              Download Submit

            • C:\Windows\SysWOW64\autosync.dll
              Filesize

              68KB

              MD5

              a75036d01acc9d616197f438210f65fd

              SHA1

              61c520f525d683c326ec0b9ae965c3ae5461bb06

              SHA256

              3f883c91668d85446f87b0d6162756afdcc5dc77125830bb7b9cd26efa8fdd43

              SHA512

              40e3304a3efa1a273f3313ad7223a0cac27cd18c652e7496cdaf9f88c5da0e62215b4ef865e4dbd2bc884a644a5dbdc13a95e1940f130046dda66a8fc8e3152e

              Download Submit

            • C:\Windows\SysWOW64\autosync.dll
              Filesize

              67KB

              MD5

              aeb605cfc960db2e17656dd67c015552

              SHA1

              e7197d4c49766eb86ad17f8843f728f1ebc09f5a

              SHA256

              1edefbb52c687d79bc0353b244c40aca5becbf66904d4951e136dd7ec5e62494

              SHA512

              b89933b8975f2496ed0d74b758284a874d0d784c3d632cb5de0286d240f9715b09bf9fa8304968799908e4d0c561f8e9c2dfea91652294387e7279a8b7cfe9f1

              Download Submit

            • C:\Windows\System32\autosync64.dll
              Filesize

              28KB

              MD5

              c30f8b99c38add747866e64f08581f92

              SHA1

              d7509022308c44fb65a6e43d191217624bb98bcf

              SHA256

              506ee50c506be8617f6229667960c1616b3083edbb5f1223588e86585e9d9a7f

              SHA512

              609a6990a47984bb3ba6397d852acadddafad7fc55be97ce7f5b1d06df75025f06ba14c1666ea3431c2efe5ae76f761f4adffafcf72b4e85a3f2a45c7f2504af

              Download Submit

            • C:\Windows\System32\autosync64.dll
              Filesize

              74KB

              MD5

              0f6ada608f5b44d2ab9985451bf3e7ad

              SHA1

              3362a15c6107eb6f54bee7a679653edefc94fbc5

              SHA256

              021669f2daa816dd76882bb89b825a9a31b204499669efb44280c80077b1e7a5

              SHA512

              f62aeaad64904172eb4b637ae00e11d9683722e695290610c2911b77d0aac532fb2d174614950686fae5ad9bd6b4e77a544488709425edcc86992ad298699484

              Download Submit

            • memory/1072-16-0x000001E7EF260000-0x000001E7EF261000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4428-7-0x00000000036E0000-0x00000000036E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4428-11-0x0000000010000000-0x0000000010015000-memory.dmp

              Filesize

              84KB

              Download

            • memory/4428-8-0x0000000010000000-0x0000000010015000-memory.dmp

              Filesize

              84KB

              Download

            • memory/4428-6-0x0000000001000000-0x0000000001035000-memory.dmp

              Filesize

              212KB

              Download

            • memory/4428-19-0x0000000001000000-0x0000000001035000-memory.dmp

              Filesize

              212KB

              Download

            • memory/4428-0-0x00000000001D0000-0x00000000001D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4428-1-0x0000000001000000-0x0000000001035000-memory.dmp

              Filesize

              212KB

              Download

            • memory/4620-23-0x0000000010000000-0x0000000010015000-memory.dmp

              Filesize

              84KB

              Download

            • memory/4620-24-0x0000000010000000-0x0000000010015000-memory.dmp

              Filesize

              84KB

              Download