Analysis
-
max time kernel
28s -
max time network
174s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
30/12/2023, 04:51
General
-
Target
0f1ada39fbf13586539cf691c34e5a8e.exe
-
Size
836KB
-
MD5
0f1ada39fbf13586539cf691c34e5a8e
-
SHA1
340aa85a724eca387d5e76f9868033adcc018cec
-
SHA256
57ebe41c389dc6cdd973274d6bba8289b3269bdb52ee9013ad2c9bb98ae7dc2f
-
SHA512
73854731841c9ca502f1e6347d7d8074c91fe2414817a3f01f3d1a520ddc4c2501bbda82e8e6708312371fef6f41a72ada74b96f0511baacfab4feae3d6c6a8e
-
SSDEEP
24576:lXTvLi9yj9BLsuOrfssfrnD1I1YYNb1oLf:BTrLLsuOTvrD1IWwCLf
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0f1ada39fbf13586539cf691c34e5a8e.exe"C:\Users\Admin\AppData\Local\Temp\0f1ada39fbf13586539cf691c34e5a8e.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:/Users/Public/Downloads/unzip.exe -o -P Server8888 C:/Users/Public/Downloads/Server.dat -d C:/Users/Public/Downloads2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Downloads\unzip.exeC:/Users/Public/Downloads/unzip.exe -o -P Server8888 C:/Users/Public/Downloads/Server.dat -d C:/Users/Public/Downloads3⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman1⤵
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\0f1ada39fbf13586539cf691c34e5a8e.exe"C:\Users\Admin\AppData\Local\Temp\0f1ada39fbf13586539cf691c34e5a8e.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:/Users/Public/Downloads/unzip.exe -o -P Server8888 C:/Users/Public/Downloads/Server.dat -d C:/Users/Public/Downloads2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Downloads\unzip.exeC:/Users/Public/Downloads/unzip.exe -o -P Server8888 C:/Users/Public/Downloads/Server.dat -d C:/Users/Public/Downloads3⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman1⤵
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
355KB
MD5f1a9334ea3cd1cafe1f34d74dcaebe59
SHA1293b8cfbfcf7607f8ea0eb9aed81e467d0ddc1b2
SHA25661ec91b2dbb2644c1d24b15e32a4a65995cea98b15abe7776ed86d75aba424aa
SHA5126546c1a6453335563c157321a103b226ae04b215f44103ddabd3a5aed400d8dfa3dc91eb4691e29f064a2c55b773692461354cb7f5ac90e8e94523c7dc0c58ce
-
Filesize
164KB
MD575375c22c72f1beb76bea39c22a1ed68
SHA1e1652b058195db3f5f754b7ab430652ae04a50b8
SHA2568d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a
SHA5121b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a