Overview

overview

7

Static

static

3

209902b42c...c6.exe

windows7-x64

209902b42c...c6.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    152s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-12-2023 23:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    209902b42cc1a1c954e33dcf9b9ff1c6.exe

  • Size

    758KB

  • MD5

    209902b42cc1a1c954e33dcf9b9ff1c6

  • SHA1

    29c1c50990969d853edd58c6914f8fe5cb0a2a02

  • SHA256

    35a75c18834c42ed9e9af92f838c34dba4c18c96139f74b2780067c86ced194e

  • SHA512

    f1198a928cd85347821f49037441adcbd68bdfe2f94db21b8b839af975fc44194d126e00eb28c7a5af61b43c5cafecb9e28b5288ebb1322e0149f8bf42cfe29c

  • SSDEEP

    12288:KTiTUAkDSclnhpT4mfc9OVQsxUs4ihvLOARsVQXMGhl+w9dmumq9c2s0hHsmyf/:jUj4UcOQ+dhvLrXMGhlVgq9c2sWW/

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\209902b42cc1a1c954e33dcf9b9ff1c6.exe
    "C:\Users\Admin\AppData\Local\Temp\209902b42cc1a1c954e33dcf9b9ff1c6.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1376
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3340
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
        3⤵
          PID:1828
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_xiaran.bat" "
        2⤵
          PID:2704
      • C:\Windowsini
        C:\Windowsini
        1⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:4000
        • C:\Program Files\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
          2⤵
            PID:372

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Server.exe
          Filesize

          743KB

          MD5

          c1268041205c984383cd6d4f413a2925

          SHA1

          68e4b4dc2b9c77168937a44bdc3188d16fb13687

          SHA256

          34fcd261250a2f38b6ab5467d8981a4c06d58fa3fd04b7b0ef334fc8913a64ca

          SHA512

          c411bf38022f0da1f5b59ff4fb4954d944e82cee49dbecdff3bfc4d2b90bd04a44352a1507ab27e088d81a2b5652fa0415a8118c513a15fa349c23e2cd6cd645

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\_xiaran.bat
          Filesize

          184B

          MD5

          ad524baa1b16462b1ad30e32038ef4a5

          SHA1

          f4d8a1a949a8c4ce8af0b0e7f6b49a7b7639f651

          SHA256

          b975e97794b12cbd638380fd76dc6aea084977377ef1aafd9f81f5f6f1cc0706

          SHA512

          b01fb595ef27377e54b2116a4d8eaf020eb041eed17fb1ee32ea94626fa19265d79ef871c721ed2ee6ea766ac6e5721fd9457f4567a00d8d364b2c0fecdcd78f

          Download Submit

        • C:\Windows\uninstal.bat
          Filesize

          138B

          MD5

          108384deb7a65165fecad26c7a858e73

          SHA1

          72c2c562d4d2ce1ff9e09f89cffb21e8826b6aa0

          SHA256

          0a1c04dc426f3545e0a34a9a919dcd8203af726bf8cd1b7516b39f8faf43ada9

          SHA512

          6bee8f82c61e906a767f6710ca81d05961e8d1790c14447312721a09742a462751c860e483fad6ce89edc0018bcbeab021e882eae181c8cfbef23f7bc97fbff4

          Download Submit

        • memory/1376-0-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

          Download

        • memory/1376-1-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

          Download

        • memory/1376-2-0x0000000002160000-0x0000000002260000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/1376-20-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

          Download

        • memory/3340-11-0x00000000022A0000-0x00000000022A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3340-24-0x0000000000400000-0x00000000004C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/4000-18-0x0000000000770000-0x0000000000771000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4000-26-0x0000000000770000-0x0000000000771000-memory.dmp

          Filesize

          4KB

          Download