Analysis
-
max time kernel
148s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system -
submitted
29-12-2023 19:38
Static task
static1
Behavioral task
behavioral1
Sample
01fd51c67226376d259c2ce9c8663602.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
01fd51c67226376d259c2ce9c8663602.exe
Resource
win10v2004-20231215-en
General
-
Target
01fd51c67226376d259c2ce9c8663602.exe
-
Size
28KB
-
MD5
01fd51c67226376d259c2ce9c8663602
-
SHA1
6c30e532495d8f945f8bda268172037835cf43ae
-
SHA256
8db1d23bd914fe8699b809cc8712b362d2652d2722a369b1becd225d357329fa
-
SHA512
53e8291a6ab5190a681ac5ab69ac0301d946bf29b473bce4ddc5c3fe7a567eeee1fd84a7e4bf525908d35d904438b75bdbeb3fb3dd0985d7cad084da22dba494
-
SSDEEP
768:7h0X8nKQKJDkSmfjgNlPY6mpru8PNca9mYVHMRzL2qO:G8nKQKC1rqxmu6hVHMRHK
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | 01fd51c67226376d259c2ce9c8663602.exe
-
Loads dropped DLL (1 IoC)
pid | Process
4356 | rundll32.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Configuring = "rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\240603921.txt,M" | rundll32.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
4356 | rundll32.exe
-
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 396 wrote to memory of 4356 | 396 | 01fd51c67226376d259c2ce9c8663602.exe | 97
PID 396 wrote to memory of 4356 | 396 | 01fd51c67226376d259c2ce9c8663602.exe | 97
PID 396 wrote to memory of 4356 | 396 | 01fd51c67226376d259c2ce9c8663602.exe | 97
PID 396 wrote to memory of 4208 | 396 | 01fd51c67226376d259c2ce9c8663602.exe | 96
PID 396 wrote to memory of 4208 | 396 | 01fd51c67226376d259c2ce9c8663602.exe | 96
PID 396 wrote to memory of 4208 | 396 | 01fd51c67226376d259c2ce9c8663602.exe | 96
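The Run key written by rundll32.exe is the persistence worth alerting on in this report: rundll32.exe is told to load a module with a .txt extension from the user's Temp directory and call an export named M. The Python below is an added example for this page, not part of the Triage report or of the sample; it parses Run-key values of the shape shown above and flags rundll32 autoruns whose module is not a .dll or sits in a user-writable directory. The list of Run values is constructed for the example (the first entry reproduces the value from this report, the rest are made-up benign and malicious controls), and the directory list in USER_WRITABLE is an assumption about what a standard user can write to.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of Run-key values as they would appear in registry
# set-value telemetry. The first entry reproduces the value written by the
# sample on this page; the others are benign and malicious controls made up
# for this example.
SAMPLE_RUN_VALUES = [
    r'rundll32.exe C:\Users\Admin\AppData\Local\Temp\240603921.txt,M',
    r'"C:\Program Files\Vendor\Updater.exe" /background',
    r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\x.dll,Start',
    r'rundll32 "C:\Users\Admin\AppData\Local\Temp\payload" ,Init',
]

# Assumed set of directories a standard user can write to; an autorun that
# loads code from here needed no admin rights to plant.
USER_WRITABLE = re.compile(
    r'\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\',
    re.IGNORECASE,
)

# Leading rundll32 invocation: bare name or full path, optionally quoted,
# with or without the .exe suffix; group 1 is everything after it.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[A-Za-z]:\\[^"]*?\\)?rundll32(?:\.exe)?"?\s+(.*)$',
    re.IGNORECASE,
)


@dataclass
class Finding:
    value: str
    module: str
    entry: Optional[str]
    reasons: List[str]


def parse_rundll32_args(args: str):
    """Split rundll32's argument string into (module, entry_point).

    rundll32 syntax is <module>[,<entry>] [args]; the module path may be
    quoted. entry_point is None when no comma follows the module.
    """
    args = args.strip()
    if args.startswith('"'):
        end = args.find('"', 1)
        if end == -1:  # unterminated quote: treat the rest as the module
            return args[1:], None
        module, rest = args[1:end], args[end + 1:]
    else:
        m = re.match(r'([^,\s]+)(.*)$', args, re.DOTALL)
        module, rest = m.group(1), m.group(2)
    rest = rest.strip()
    entry = None
    if rest.startswith(','):
        tail = rest[1:].strip()
        entry = tail.split()[0] if tail else None
    return module, entry


def module_extension(module: str) -> str:
    """Lowercase extension of the module's file name, '' if it has none."""
    name = module.rsplit('\\', 1)[-1]
    return name.rsplit('.', 1)[1].lower() if '.' in name else ''


def assess_run_value(value: str) -> Optional[Finding]:
    """Return a Finding for a suspicious rundll32 autorun, else None."""
    m = RUNDLL32_RE.match(value)
    if not m:
        return None  # not a rundll32 invocation at all
    module, entry = parse_rundll32_args(m.group(1))
    reasons = []
    ext = module_extension(module)
    if ext != 'dll':
        shown = ext or '(none)'
        reasons.append(f'module extension {shown} is not .dll')
    if USER_WRITABLE.search(module):
        reasons.append('module is loaded from a user-writable directory')
    if not reasons:
        return None
    return Finding(value=value, module=module, entry=entry, reasons=reasons)


def scan_run_values(values: List[str]) -> List[Finding]:
    """Apply assess_run_value to every Run value, keeping only the hits."""
    return [f for f in (assess_run_value(v) for v in values) if f]


if __name__ == '__main__':
    for f in scan_run_values(SAMPLE_RUN_VALUES):
        print(f'{f.module} (entry={f.entry}): ' + '; '.join(f.reasons))
```

Run over the constructed list, the first, fourth and fifth values are flagged; the shell32.dll autorun from System32 and the non-rundll32 updater are not. Treat the non-.dll extension as the strongest signal: rundll32 only needs a loadable PE image and ignores the file name, which is exactly why a .txt module works for the sample here.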
Processes
-
Process (level 1): C:\Users\Admin\AppData\Local\Temp\01fd51c67226376d259c2ce9c8663602.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\01fd51c67226376d259c2ce9c8663602.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID: 396

Process (level 2, child of PID 396): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\1.bat
PID: 4208

Process (level 2, child of PID 396): C:\Windows\SysWOW64\rundll32.exe
Command line: "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\240603921.txt,M
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID: 4356

Note: both child command lines name C:\Windows\system32\ while the executed images are under C:\Windows\SysWOW64\. The sample runs as a 32-bit process on this 64-bit host, so WOW64 file system redirection rewrites the path at process creation. When pivoting on these events in telemetry, match on the image path rather than the command line.
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
180B
MD5
dd2e7f6b15219fda5863b8dbe54adb50
SHA1
7656784b8af56be0fded72f2de3b829d18807dab
SHA256
b425b65a4ba8d1f3507eaf5a8dcc493187ee6a02647a53ee72ffd65c3153ca7e
SHA512
40b9705ef5b646cfb13755c97abe15be083736c0a55ba905596b95540760d73b379b60f03a1a389ebf57eaf8c8fb6541b60b0b1c7d845ed1b9bc5619c7129a33
-
Filesize
20KB
MD5
a117e69fad75bea541193b0ddc8e7faf
SHA1
e02bd1493cb70bf544db38b1812aa927b781e884
SHA256
4b07f38a7a7cca0026ab8f76f80e45112e9b8b2c3e90ae6b66c3ad1abf27ee8f
SHA512
4846e370b5d7be57adc93101c3ebcabd2ac5b8dbc72dcf02e2de6fd7dee6ae07ff95ac784e0fefd4a155edbbaff90fe1477f1886cdfdd59237a6b016e83cd05e