Overview

overview

8

Static

static

3

4925b9c17c...74.exe

windows7-x64

8

4925b9c17c...74.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    119s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-01-2024 13:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4925b9c17c5c0de34eedf258f8f4f374.exe

  • Size

    202KB

  • MD5

    4925b9c17c5c0de34eedf258f8f4f374

  • SHA1

    0a66255b71760d6fd467ad48c7be3816e32097c9

  • SHA256

    9a6a99e76ce170b6abda7ba6fbe18d492b5276db3ca68ed273de74e5cb564e42

  • SHA512

    dd49fb95737b42d93cbb3359ceefaa9fcecf3c4c66f22f19207cd513e2184524db666f0641f4896a43b817740b8d40c3c0cb99066d137795f750791be68295aa

  • SSDEEP

    6144:lkaoTSj1byLqohs0g7ltVXPeAayyQqxa1m:UGpbyLLhCJfkyylG

Score
8/10
persistence

Malware Config

Signatures

  • Modifies AppInit DLL entries 2 TTPs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\4925b9c17c5c0de34eedf258f8f4f374.exe
    "C:\Users\Admin\AppData\Local\Temp\4925b9c17c5c0de34eedf258f8f4f374.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3188
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" "C:\Windows\system32\extrfind64.dll",CreateProcessNotify
      2⤵
      • Loads dropped DLL
      PID:3416
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240623765.bat" "C:\Users\Admin\AppData\Local\Temp\4925b9c17c5c0de34eedf258f8f4f374.exe""
      2⤵
      • Loads dropped DLL
      PID:2916
      • C:\Windows\SysWOW64\attrib.exe
        attrib -s -r -h"C:\Users\Admin\AppData\Local\Temp\4925b9c17c5c0de34eedf258f8f4f374.exe"
        3⤵
        • Views/modifies file attributes
        PID:4448
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 524
        3⤵
        • Program crash
        PID:4540
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 532
        3⤵
        • Program crash
        PID:1640
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3188 -ip 3188
    1⤵
      PID:2024
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2916 -ip 2916
      1⤵
        PID:4404
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2916 -ip 2916
        1⤵
          PID:4136

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Hide Artifacts

        1
        T1564

        Hidden Files and Directories

        1
        T1564.001

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\240623765.bat
          Filesize

          97B

          MD5

          d226a657b279c5fc0a892748230a56ff

          SHA1

          fa7e4fb6d6de3c4769001cbfce0a00ba02ef28a5

          SHA256

          9dae2767b8e3499d37418a75ddd04d457c7ec8d6c8f312ee109c95a8a97e7761

          SHA512

          07d55ccf3b511c3be64f6dcd05cea3feaafb286196e5d7ba30016ab6d9c0d656fb7cde8eb1ce0ef28a41f1f3f00f0e29020c92479619fd43e4ed47b829f8bf2a

          Download Submit
        • C:\Windows\SysWOW64\extrfind.dll
          Filesize

          66KB

          MD5

          1b779622c0d6eec48ac0c1f3e39eb7b9

          SHA1

          db01babafb0bbd256dca940cbe3667774e76c80a

          SHA256

          ff0d559548eb5bcf7ee0368198cd74d2aca13b54dece875080653b677c81508a

          SHA512

          fc88df2a55dd082a568ade994ea0eaa6a581f94e797fbe3962eaa692e43ac5403b4e817ccc011445643d690022bfbe14f580f39a06b1cab14cbef0d8091c4a34

          Download Submit
        • C:\Windows\System32\extrfind64.dll
          Filesize

          75KB

          MD5

          4dab557dad0fb8ec95f66d5efe648b02

          SHA1

          b52d4d3c8429a132b7582cd8dbe89ec93da3dc05

          SHA256

          b8a5ae38b6d38327ae2abbeb70dec6ee9ac52cdc421f5585c4907e8088eb3849

          SHA512

          5dbc616b17578dfb4c620bcca3b040a89b5e771f34053ffe46ff449f0bea5f68f6c7db9eb7d43cddf7de7e34a94aeb29be4c2174bcec3de74a5a09a6bd70afbf

          Download Submit
        • memory/2916-22-0x0000000010000000-0x0000000010015000-memory.dmp
          Filesize

          84KB

          Download
        • memory/3188-2-0x0000000001000000-0x0000000001035000-memory.dmp
          Filesize

          212KB

          Download
        • memory/3188-7-0x0000000008AD0000-0x0000000008AD1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3188-8-0x0000000010000000-0x0000000010015000-memory.dmp
          Filesize

          84KB

          Download
        • memory/3188-0-0x00000000001E0000-0x00000000001E1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3188-10-0x0000000001000000-0x0000000001035000-memory.dmp
          Filesize

          212KB

          Download
        • memory/3188-11-0x0000000010000000-0x0000000010015000-memory.dmp
          Filesize

          84KB

          Download
        • memory/3188-1-0x0000000001000000-0x0000000001035000-memory.dmp
          Filesize

          212KB

          Download
        • memory/3188-23-0x0000000001000000-0x0000000001035000-memory.dmp
          Filesize

          212KB

          Download
        • memory/3188-25-0x0000000001000000-0x0000000001035000-memory.dmp
          Filesize

          212KB

          Download
        • memory/3416-15-0x0000018108980000-0x0000018108981000-memory.dmp
          Filesize

          4KB

          Download