Analysis

  • max time kernel
    155s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
  • submitted
    30-12-2023 01:28

General

  • Target

    0a0c91cee9cc9c7d2f17aef3f6abe798.exe

  • Size

    44KB

  • MD5

    0a0c91cee9cc9c7d2f17aef3f6abe798

  • SHA1

    3bd9be2b5d11ba43fd5637c04eb882bcf146fcfd

  • SHA256

    301c9b16a7310bb7c9c8d310a3c8c73e78f057162fd4924df9f7b9d8b897faa4

  • SHA512

    bd6dc78d5fd0092bf81a44640ec6915c207c9e33eb231b6ea7c2850c09435d9f08ae8aa46156b9de0fe46b866da5386ca8fdb22ca7149269d88d0fb70cc7ff04

  • SSDEEP

    768:OsJqbK2BlJ9Lz9EOQcnlXt0lZ8uDVbrf3OfV+c8Eb2MqyYQbeR:OsJqbxZz9EOQcnQZf//CV+clSM0Mk

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 49 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a0c91cee9cc9c7d2f17aef3f6abe798.exe
    "C:\Users\Admin\AppData\Local\Temp\0a0c91cee9cc9c7d2f17aef3f6abe798.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:4428
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c start iexplore -embedding
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4868
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2396
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2396 CREDAT:17410 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3288
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c start iexplore -embedding
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2964
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5088
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5088 CREDAT:17410 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3736
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gosC544.bat"
      2⤵
      PID:4252
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0a0c91cee9cc9c7d2f17aef3f6abe798.bat"
      2⤵
      PID:4316

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DF35EE17-A78F-11EE-B6AD-7672481B3261}.dat

    Filesize

    5KB

    MD5

    9fb7e200f6a350b84ea24a229032dd6e

    SHA1

    8b4a83bf215aed0c1210c41d9daf295c8d2258d2

    SHA256

    93add4cae0d0c0e6796fc3fee7cc44d4338b25a4644230fec6e3ff6d513ee007

    SHA512

    60ea869664e598e1277a9c30dab06c5b7319437400d3acb51f8ca8eecdc782e2234fdcc7df67e98c179caa54f90a01f19a310d2be29782c836ed085ed81d7540

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DF3850DA-A78F-11EE-B6AD-7672481B3261}.dat

    Filesize

    4KB

    MD5

    b481b030a992b60c4a75ae34466787e7

    SHA1

    4e1504351ea318f4a5f8dc76ce1a18ab3cca1b51

    SHA256

    26c5f31f2b57cf4b1b8471a842195f9ccfadcab8554b39e7ef45a152c460a56d

    SHA512

    cd7581afcf0e884dfe3203607be4a457769a772b54066fa66881d3da92b59efe67ae07a56eaf5694d21c215c3f051630e8345b5943fb18220ec440e7743e33da

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver6378.tmp

    Filesize

    15KB

    MD5

    1a545d0052b581fbb2ab4c52133846bc

    SHA1

    62f3266a9b9925cd6d98658b92adec673cbe3dd3

    SHA256

    557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

    SHA512

    bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\L3T8W3B4\suggestions[1].en-US

    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Users\Admin\AppData\Local\Temp\0a0c91cee9cc9c7d2f17aef3f6abe798.bat

    Filesize

    263B

    MD5

    ff04bcd2a70d7c9ce795a3f0cfaa402e

    SHA1

    3d18873178c0b400c2ad422320917c2d2913f6d4

    SHA256

    c68eb25266b5ad19d35d2319d6f512bad177e75c080d87c2d283da36a64b8a86

    SHA512

    0bf3e01e68521bbe1da47646bc57aec1605919c17c1e24d2988dbac0865d73c93cf82391ccc7af89737372066702031cb5f46dc4f5e09d3d3d420168d6378f2a

  • C:\Users\Admin\AppData\Local\Temp\gosC544.bat

    Filesize

    188B

    MD5

    0b4895ce6d45ff77760d1a59c3729600

    SHA1

    501d063ea30c7a7fc04b3bae0e989bc0fd39e962

    SHA256

    63849afd1196c4a322083a4ad9da2be8349a3e9afefda2cb2b632ed6aa74e1e8

    SHA512

    dcfb28c4618c5d2a6dab6cdad1942c2521669d91883c1534209dc715d09551322442b6883c8f0e2a0109d4c4b49b1e7232b63ae7fc0ecaa3a9afbc2709753b18

  • C:\Users\Admin\AppData\Local\Temp\gosC544.tmp

    Filesize

    32KB

    MD5

    aab86d70689c799ad35ee783bec146ae

    SHA1

    08e3221f0df46ea80056d49f85726aa36361a33a

    SHA256

    3db9a6e49c312bcb32ee9b201a656c951ea7f4730fc9169b457df9a348de4b30

    SHA512

    dfcc270bdc8ca4ea9133f6ef85ea0692b4f4241d61743ec368e314d6559deb8f91dcf882528cf6c9b082ee5e662621188168a431ed4789283b276937bd35d49a