Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/01/2024, 03:40
Static task: static1
Behavioral task: behavioral1
  Sample: 4a576229508cc4de24c7d206662a50ec.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 4a576229508cc4de24c7d206662a50ec.exe
  Resource: win10v2004-20231215-en
General
Target: 4a576229508cc4de24c7d206662a50ec.exe
Size: 107KB
MD5: 4a576229508cc4de24c7d206662a50ec
SHA1: cd6304a914720f473c9a87f20e2062805e26e614
SHA256: d511989fa3f11bf8e3516fd48be81a6bd50359dce2a3677945d5f90b17776895
SHA512: 3f952e6bb83bd4077d9e0affe6df25ec0928ecbcd906bc90a178a61904ef16bc1128961f27dde4b40028fe9661a85cd6c423c8d3033404134f9adb8b3ab77dbd
SSDEEP: 3072:eVGJwcYEQn1VeCjRjgPijntfnCfJ2u4CyiHsi2f:b1Yzn5jxgIntfnCR2u4GNG
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation
  Process: 4a576229508cc4de24c7d206662a50ec.exe

Executes dropped EXE (1 IoC)
  pid: 3928
  Process: 9564556e.exe

Drops file in System32 directory (2 IoCs)
  description: File created
  ioc: C:\Windows\SysWOW64\b89721c1.dll
  Process: 4a576229508cc4de24c7d206662a50ec.exe

  description: File opened for modification
  ioc: C:\Windows\SysWOW64\b89721c1.dll
  Process: 4a576229508cc4de24c7d206662a50ec.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 1760 wrote to memory of 3928
  pid: 1760
  Process: 4a576229508cc4de24c7d206662a50ec.exe
  procid_target: 37

  description: PID 1760 wrote to memory of 3928
  pid: 1760
  Process: 4a576229508cc4de24c7d206662a50ec.exe
  procid_target: 37

  description: PID 1760 wrote to memory of 3928
  pid: 1760
  Process: 4a576229508cc4de24c7d206662a50ec.exe
  procid_target: 37
Processes
1. C:\Users\Admin\AppData\Local\Temp\4a576229508cc4de24c7d206662a50ec.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4a576229508cc4de24c7d206662a50ec.exe"
   PID: 1760
   - Checks computer location settings
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\9564556e.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\9564556e.exe"
      PID: 3928
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 7KB
MD5: ee33f6c50cf97530173ad593e17430ff
SHA1: d7f569936877cc8e9f4d2814f663d7c1300944c2
SHA256: aae4d4a74b16c3067b5afd72e7a483f08baa2ff072d38bd4adcd5aae2018559d
SHA512: 31e6d3751d73c667c62cc78dcb1ea621165a92827e8667a4b556d11dce951c908eaac5cb8ffdea610027e8c88d2160b29d637cf00b7450a985b9e7da52910ad9