Analysis

  • max time kernel
    156s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20231215-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    30-12-2023 02:13

General

  • Target

    0b494190cf132736d424fc84476c7417.exe

  • Size

    125KB

  • MD5

    0b494190cf132736d424fc84476c7417

  • SHA1

    5268710700cce5898345e44d3ff4e2b9b2e9a74d

  • SHA256

    7db6f17fe267fae26318abab623095b77b8ce5baa3f3fcc3bbf67b66cf2e1dd0

  • SHA512

    a9b19f31c9e8a6c3bcca4f2b5a6a059639eaafe51bdae8c5085a6ccbfb61a2be7ff38f86e77ffc344a1c98c8d6d13ac90e968064efd7190371127a60018ddf22

  • SSDEEP

    3072:c06y6L6Pkk0O6wwMcayICQJtayzrt1x9Q9gJdSJ9orLa:r6y6LG3cayIDayPt1/QLL

Score
8/10

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b494190cf132736d424fc84476c7417.exe
    "C:\Users\Admin\AppData\Local\Temp\0b494190cf132736d424fc84476c7417.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2864
    • C:\Windows\SysWOW64\inf\svchoct.exe
      "C:\Windows\system32\inf\svchoct.exe" C:\Windows\wftadfi16_081019a.dll tan16d
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3520
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "c:\mylas3tecj.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1272
        • C:\Windows\system\sgcxcxxaspf081019.exe
          "C:\Windows\system\sgcxcxxaspf081019.exe" i
          4⤵
          • Adds policy Run key to start application
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Windows directory
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3668
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3600
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3600 CREDAT:17410 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2488
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del "C:\Users\Admin\AppData\Local\Temp\0b494190cf132736d424fc84476c7417.exe"
      2⤵
        PID:528

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\SysWOW64\inf\svchoct.exe

      Filesize

      60KB

      MD5

      889b99c52a60dd49227c5e485a016679

      SHA1

      8fa889e456aa646a4d0a4349977430ce5fa5e2d7

      SHA256

      6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

      SHA512

      08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

    • C:\Windows\System\sgcxcxxaspf081019.exe

      Filesize

      125KB

      MD5

      0b494190cf132736d424fc84476c7417

      SHA1

      5268710700cce5898345e44d3ff4e2b9b2e9a74d

      SHA256

      7db6f17fe267fae26318abab623095b77b8ce5baa3f3fcc3bbf67b66cf2e1dd0

      SHA512

      a9b19f31c9e8a6c3bcca4f2b5a6a059639eaafe51bdae8c5085a6ccbfb61a2be7ff38f86e77ffc344a1c98c8d6d13ac90e968064efd7190371127a60018ddf22

    • C:\Windows\dcbdcatys32_081019a.dll

      Filesize

      241KB

      MD5

      484910d231176debadd2f074eb3038b3

      SHA1

      f0d30b60e0aea8e0d4e554fbc96a89b83abd20c5

      SHA256

      80a996f3d43381b655d88e58657db65469160fa8e9496b2d1542186f42b141fd

      SHA512

      b7624973b95626f25a2a0da8bc836333f05d1ea032eec36eb904e954d43fdb11998e28c7c68c7651a2e27dd5965c9fcb38db08104d674e2bb31b6136a571bcc8

    • C:\Windows\tawisys.ini

      Filesize

      384B

      MD5

      674a9efa274ca69785e54aa754791c0c

      SHA1

      633af45a8e7c46d0ae7bfc57ac416bf29abc5f9a

      SHA256

      c62161a56762b0409f3bfa97ed76cac0a07a026470a012439334490b6aecebea

      SHA512

      eaf54f439cc4e8ef4d842d1a47ee9a6338bcac7c2597be4dad8b8b96bbc635169721c89e0a915528024b46eee325b4f11cd75f61b539f0a01c1cfba9c0c7110b

    • C:\Windows\tawisys.ini

      Filesize

      133B

      MD5

      ba1e1bf5bd891d4cf6142be75835312c

      SHA1

      716ccff07aaeddea57e38724f047f873df2e7033

      SHA256

      b2be8cd69a234ced55eb046756fc78c4e0ce673f1242928a9023000c956ee2fe

      SHA512

      3119c10707451a34d3fcb6d349b90549251fe7382907673d466b51a73346a8348dab158a46d234e6332b71d130e5fb484f2bca90c6009ef55dd2b48656cf7733

    • C:\Windows\tawisys.ini

      Filesize

      433B

      MD5

      28bec23c126240d96e1fc0375bf640e0

      SHA1

      610b0292795296d7d2d53d0248664b8bfd2f460b

      SHA256

      4b949f6d4b71f9d8b31ed3d1496f753fef84b9ea06547e1a9961ce5175e3a6e5

      SHA512

      f0730a05d34e071644dfc3b12e2aa44fe3ed6867eded4a02993a47b153c903e86808248d56e3e4f0025a32b40a28cd10704f526787cc6202e5d1c83ccf7f1dc6

    • C:\Windows\wftadfi16_081019a.dll

      Filesize

      35KB

      MD5

      e900023a51d91de18b18890175b6e0cd

      SHA1

      f4ad4e3631bf3d092698781b916879ead5d571f6

      SHA256

      d44d2ac22e0fbff1ad489309ac2ee8afb2db6d48b917a05d7fc48d6f564e6ba9

      SHA512

      97159bac57e25a6f52e07e00990cca880b78429f374068a9d5f6c37c52dd5d19d547afd9e199a9603f68a9bafd50c9f5cd5157f923bf1a7d1ea5f55b97cc7cbd

    • \??\c:\mylas3tecj.bat

      Filesize

      53B

      MD5

      db297befd021392ebbf15c6640278108

      SHA1

      1a30c4576518f4d79cbaafc67883a236f5475359

      SHA256

      26f365ec686b0ad3a353c97066c8b3d7af7b766c67fa356ed01e98928e530297

      SHA512

      1fcb06b7cf6d79558cbd763d9bc29f09379ef72d14d51b5104380939dae6d7869372321a060feeeb195e4f345ca8a45f571dc3756f80c3cb1b1c26ed0c731f07

    • memory/3520-65-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB