Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/12/2023, 01:39

General

  • Target

    0a601d0f3c9489f0fcafb2e745ee3687.exe

  • Size

    84KB

  • MD5

    0a601d0f3c9489f0fcafb2e745ee3687

  • SHA1

    7338d3ff773cfc7a49d73dabb79515c4dd61942a

  • SHA256

    02e7b50f01aeb7753ed04ef92daf0a52153e862a3d82760ff00830659fd9cf90

  • SHA512

    586a0042670070b8726b548564a94af85f4729a95be99582b39d6431e5016da13f3a3c2b2e4eff689118c7c9e1b4001c8fae55553c2db4ff21218c8d670cedeb

  • SSDEEP

    768:p0Oglemuec4OdJNUC1x2avPPpykILkGuIBLP3nxD7TONoap55VSFJ0T72mZCcLX:pPglnZOdUCJwVuYipwFJ0T72mocT

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 27 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a601d0f3c9489f0fcafb2e745ee3687.exe
    "C:\Users\Admin\AppData\Local\Temp\0a601d0f3c9489f0fcafb2e745ee3687.exe"
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:492
    • C:\Users\Admin\nuaotit.exe
      "C:\Users\Admin\nuaotit.exe"
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2352

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\nuaotit.exe

          Filesize

          44KB

          MD5

          76eb81a5046216cf003c26beeb039279

          SHA1

          eee8273bd379c49676d61ab794cc7a4f78745800

          SHA256

          19dc14fb2dc81b12ee3d8390b79270724094f48b21403d1e79f31d22ccbae3ba

          SHA512

          2afe6e8aa3d345ab6dc086707e2abe7a3f2188bf414db26108c4beb9c14e9cabc0e1ccb759393fcd993c327ed0452b2cb915fe341e5ab1abb982e704cd52a327

        • C:\Users\Admin\nuaotit.exe

          Filesize

          84KB

          MD5

          b8ba2a0dd3c29295fff38285d1173cf7

          SHA1

          01a95fa759799ca890d671aa94dc879df561bb8b

          SHA256

          a825b1d04bf8670f79162f199006e2faea1c5489b21b8a592cf74ea7a180b334

          SHA512

          24c23f639090f3cdee2be8e9f9b539a14ef6febac33f21efe1b3923b14db1e74f0d376dea19b870480334cee2ba36e55b58f42d988afa4b0842a13c763ee9c3d