Overview

overview

8

Static

static

3

1b4c872d43...86.exe

windows7-x64

8

1b4c872d43...86.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/12/2023, 14:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1b4c872d43eba86ee9f0293dffd3b386.exe

  • Size

    527KB

  • MD5

    1b4c872d43eba86ee9f0293dffd3b386

  • SHA1

    790d63c9aa14888e7d22493c44abaea2da5e3a62

  • SHA256

    195477d1197291930eededbef167d80ccd113a97b828a5e21e111b2077983565

  • SHA512

    a874fd54b95e41835b2ff4e69d614b34c6b98dddc14cebbfaa0a573834f2058cb857dd4d665d28e0c07cd87f35f466633aed006bd3fa7979c180e37f9242fcc8

  • SSDEEP

    12288:NMi02x3yexziO9pAXgGjZsHBglwhmyfEqX:X02xhBiO9iXNeHBglwfVX

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Disables Task Manager via registry modification
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3292
      • C:\Users\Admin\AppData\Local\Temp\1b4c872d43eba86ee9f0293dffd3b386.exe
        "C:\Users\Admin\AppData\Local\Temp\1b4c872d43eba86ee9f0293dffd3b386.exe"
        2⤵
        • Checks computer location settings
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: RenamesItself
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1860
        • C:\Users\Admin\AppData\Local\Temp\vWLKdLDhCL.exe
          "C:\Users\Admin\AppData\Local\Temp\vWLKdLDhCL.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1632

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\gghreqCvBN.dll
      Filesize

      64KB

      MD5

      23df64ac01dab150a0ecdf7121e749e3

      SHA1

      1f2dcdb2c8156bd07734fde518c27d5f2c76b609

      SHA256

      732d92de935628efda8dce07f945522127489807d48d2a8fd0fa22d47c3fbff3

      SHA512

      63f7ca8376bcdf9ed336db0cf1f0cabb88fb88d2bf66b74da0c28e73d8e49a65d8ae12bf78ac761273d2d9186eacc8a671a85d1cf904b7f4d317c7c78005c0e7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vWLKdLDhCL.exe
      Filesize

      527KB

      MD5

      1b4c872d43eba86ee9f0293dffd3b386

      SHA1

      790d63c9aa14888e7d22493c44abaea2da5e3a62

      SHA256

      195477d1197291930eededbef167d80ccd113a97b828a5e21e111b2077983565

      SHA512

      a874fd54b95e41835b2ff4e69d614b34c6b98dddc14cebbfaa0a573834f2058cb857dd4d665d28e0c07cd87f35f466633aed006bd3fa7979c180e37f9242fcc8

      Download Submit

    • memory/1632-14-0x0000000000400000-0x000000000099E000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1632-16-0x0000000000400000-0x000000000099E000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1860-0-0x0000000000A60000-0x0000000000AE2000-memory.dmp

      Filesize

      520KB

      Download

    • memory/1860-1-0x0000000000400000-0x000000000099E000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1860-15-0x0000000000400000-0x000000000099E000-memory.dmp

      Filesize

      5.6MB

      Download