Analysis

  • max time kernel
    0s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/12/2023, 13:29

General

  • Target

    380b05c750732bd4c0887d90c684b5de.exe

  • Size

    45KB

  • MD5

    380b05c750732bd4c0887d90c684b5de

  • SHA1

    1be814a2f68acf74e6d716e2b4a87be870ee1e5e

  • SHA256

    3d55b037cd4d9041de0e54b74c146c698d185c124fad6a889309ce0878ddfc1d

  • SHA512

    b2a6a1252a52a0992d67a8b34e267196507ff0c78599cf6bfc759fb187f4e510eb17b098c92da22d4760f6e9814008702c54ddb255da0779fd0aafd3fd49b0bb

  • SSDEEP

    768:gdcI0SjL+ejzE7z/hcwFlrGGIaxuNplzTNCjKY50x:jSjLzE/fFlqNplzTNcjY

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 6 IoCs
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 14 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\380b05c750732bd4c0887d90c684b5de.exe
    "C:\Users\Admin\AppData\Local\Temp\380b05c750732bd4c0887d90c684b5de.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Modifies Installed Components in the registry
    • Checks computer location settings
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1480
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\380B05~1.EXE >> NUL
      2⤵
      PID:3588
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s sxmg4.dll
      2⤵
      PID:4624

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Windows\SysWOW64\sxmg4.dll

        Filesize

        10KB

        MD5

        da75366ea6738c6363c9381ee49d16f8

        SHA1

        34bb8566ca0c18587d1c841d872774af27fc2f97

        SHA256

        8779969cf9ca7ed3ba3ef5568c44d5110403fb9d0eca45525486faf253e924a5

        SHA512

        810475ba53c8b076806745ca5b6cc10d78eb32120852ce4b97faf47581e9d0ca8f422a86bc57d1f344717877daaa83bcf54b1bbc279e315e770edcb0c05293fb

      • C:\Windows\SysWOW64\sxmg4.dll

        Filesize

        24KB

        MD5

        283d1021ecab1236f6c063d04d65bb45

        SHA1

        e902bf782b764528890f3bd2e3deeac6f3401601

        SHA256

        2b0469e0f2b196882e68278949ea325a7783229aeae47e9fa712d629cfdfe13d

        SHA512

        5c9e88677ad04cc1663c1de128b5d78ee6614b050479a3dd07f6d3f1984f3ade344f8680a214ad7849827e887fb92d3e2401d4485100e4346cc8278d18a997a9

      • memory/4624-5-0x0000000010000000-0x0000000010019000-memory.dmp

        Filesize

        100KB