Analysis

max time kernel: 145s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-01-2024 12:54

Static task: static1

Behavioral task: behavioral1
  Sample: 4b7d655a6aa9804d8366e1207b22bafe.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 4b7d655a6aa9804d8366e1207b22bafe.exe
  Resource: win10v2004-20231215-en
General

Target: 4b7d655a6aa9804d8366e1207b22bafe.exe
Size: 124KB
MD5: 4b7d655a6aa9804d8366e1207b22bafe
SHA1: 6598067abb69b4ba2a4ee9466637f294277785f7
SHA256: c4e89ebe1ad512b7fee087bc152bd144056954faa85ee692fdfb8812ecbd2043
SHA512: c49d7634ffc856f8f266b4e9cb2ff0f7944fc60bcafeed9018fb272a65f73e0ccc1c78af6341e5562e67d1a5f8825162aeded1ef3d459ba06c3c98cb28499762
SSDEEP: 3072:GeBzd/ok8z9yjoP8cyfbgwpePQYcHd8I/lWYWuZ:G8C9CoPZyfrpIQb2Q
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation
  Process: 4b7d655a6aa9804d8366e1207b22bafe.exe
  Note: this per-user value holds a numeric Windows GeoID (for example 244 for the United States), not an ISO country string; a sample that compares it against a list of excluded GeoIDs may terminate early in a sandbox whose locale it rejects, so the remaining behaviour in this run depends on the sandbox's configured region.

Executes dropped EXE (1 IoC)
  PID 2216: xmg.exe

Drops file in Windows directory (1 IoC)
  File created: C:\Windows\xmg.exe
  Process: 4b7d655a6aa9804d8366e1207b22bafe.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  PID 1556 (WerFault.exe), target PID 2216
  The crash target is the dropped xmg.exe, so any behaviour that stage would have produced after the crash (including network activity) is not captured in this run.

Suspicious behavior: RenamesItself (1 IoC)
  PID 4504: 4b7d655a6aa9804d8366e1207b22bafe.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4504 (4b7d655a6aa9804d8366e1207b22bafe.exe) wrote to memory of PID 2216, procid_target 33
  PID 4504 (4b7d655a6aa9804d8366e1207b22bafe.exe) wrote to memory of PID 2216, procid_target 33
  PID 4504 (4b7d655a6aa9804d8366e1207b22bafe.exe) wrote to memory of PID 2216, procid_target 33
Processes

C:\Users\Admin\AppData\Local\Temp\4b7d655a6aa9804d8366e1207b22bafe.exe  (level 1, PID 4504)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4b7d655a6aa9804d8366e1207b22bafe.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory

  C:\Windows\xmg.exe  (level 2, PID 2216, parent PID 4504)
    Command line: "C:\Windows\xmg.exe"
    - Executes dropped EXE

C:\Windows\SysWOW64\WerFault.exe  (level 1, PID 4208)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2216 -ip 2216

C:\Windows\SysWOW64\WerFault.exe  (level 1, PID 1556)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 228
  - Program crash

Both WerFault instances name PID 2216 (the dropped xmg.exe) as the faulting process; the SysWOW64 copy of WerFault.exe is the one used for 32-bit processes on this x64 image, consistent with the arch:x86 resource tag. Writing to C:\Windows succeeded here because the sandbox runs the sample as the Admin user; on a standard user account the drop would fail unless the sample elevates.
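The chain the Signatures and Processes sections record (a %TEMP% executable querying Geo\Nation, dropping an EXE directly into C:\Windows, launching it, and WerFault then reporting on that child's PID) can be expressed as a correlation over endpoint telemetry. The following is an added example, not code from the sandbox or from the sample. It assumes a neutral event schema (type/pid/ppid/image/cmdline/target) rather than any real product's log format, because Sysmon in particular does not record registry value reads, so the geofence query would have to come from sandbox or API-monitor telemetry. The sample events are constructed to mirror the report's PIDs, paths and command lines; the parent PIDs 3188 and 800 are placeholders the report does not give.

```python
import re

# Constructed telemetry mirroring the report (PIDs 4504 and 2216, the Geo\Nation
# query, C:\Windows\xmg.exe, WerFault -p 2216). The schema and the parent PIDs
# 3188 / 800 are assumptions of this example, not values from the report.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4504, "ppid": 3188,
     "image": r"C:\Users\Admin\AppData\Local\Temp\4b7d655a6aa9804d8366e1207b22bafe.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\4b7d655a6aa9804d8366e1207b22bafe.exe"'},
    {"type": "reg_query", "pid": 4504,
     "target": r"\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation"},
    {"type": "file_create", "pid": 4504, "target": r"C:\Windows\xmg.exe"},
    {"type": "process_create", "pid": 2216, "ppid": 4504,
     "image": r"C:\Windows\xmg.exe", "cmdline": r'"C:\Windows\xmg.exe"'},
    {"type": "process_create", "pid": 1556, "ppid": 800,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 228"},
]

# Constructed control case: Geo\Nation is an ordinary locale setting, so a read
# by a non-temp, non-dropped process must not fire the geofence rule.
BENIGN_EVENTS = [
    {"type": "process_create", "pid": 1234, "ppid": 800,
     "image": r"C:\Windows\explorer.exe", "cmdline": r"C:\Windows\explorer.exe"},
    {"type": "reg_query", "pid": 1234,
     "target": r"\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation"},
]

GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
USER_TEMP_RE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# An .exe placed directly under C:\Windows (not in a subdirectory).
WINDOWS_ROOT_EXE_RE = re.compile(r"^C:\\Windows\\[^\\]+\.exe$", re.IGNORECASE)
# WerFault's "-p <pid>" names the faulting process; "\s-p" does not match "-ip".
WERFAULT_PID_RE = re.compile(r"werfault\.exe.*?\s-p\s+(\d+)", re.IGNORECASE)


def correlate(events):
    """Return (rule, pid, detail) findings for the drop-and-execute chain.

    Events are processed in order, so a process_create is only attributed to a
    dropped file if the file_create for that path was already seen.
    """
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    dropped = {}  # lower-cased path -> pid of the process that created it
    findings = []

    for e in events:
        if e["type"] == "reg_query" and GEO_NATION_RE.search(e["target"]):
            image = procs.get(e["pid"], {}).get("image", "")
            if USER_TEMP_RE.match(image):
                findings.append(("geofence_lookup_from_temp", e["pid"], e["target"]))

        elif e["type"] == "file_create" and WINDOWS_ROOT_EXE_RE.match(e["target"]):
            dropped[e["target"].lower()] = e["pid"]
            findings.append(("exe_dropped_in_windows_root", e["pid"], e["target"]))

        elif e["type"] == "process_create":
            creator = dropped.get(e["image"].lower())
            if creator is not None and e["ppid"] == creator:
                findings.append(("dropped_exe_executed_by_dropper", e["pid"], e["image"]))

            m = WERFAULT_PID_RE.search(e.get("cmdline", ""))
            if m:
                target = int(m.group(1))
                target_image = procs.get(target, {}).get("image", "").lower()
                if target_image in dropped:
                    findings.append(("dropped_exe_crashed", target, e["cmdline"]))

    return findings


def rule_names(events):
    """Ordered list of rule names that fired, for quick triage."""
    return [f[0] for f in correlate(events)]


if __name__ == "__main__":
    for rule, pid, detail in correlate(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid:<6} {detail}")
    print("benign:", rule_names(BENIGN_EVENTS))
```

The geofence rule is deliberately scoped to processes running from a user temp directory; the registry read alone is not suspicious, and the more reliable signal is the combination with a drop into C:\Windows root and a child launched from that path. The crash rule is there because, as in this report, a WerFault against the dropped child means the later stages were never observed and the verdict should not be read as "no network activity".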
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 109KB
MD5: 74c51e6f254788de397cba07e3a621e4
SHA1: 53b2b724058b11a2cf06568a40e61665ee11b65d
SHA256: 52f05b9efedb3bf5cff2875ae7a12396141d4c24cc41a1940e644d0f796b54d0
SHA512: 9c2654a7d9dccb0c4317ca9ed1ceaf48fea41e9b4d84351804e8ccb216c017f4ca9ab682d2261d164f25503c3c476d1f5b72855d1375c15a43876c2886836532