c3c5ace13b00673a4622119daac1bfdd13bdc88d94124ababcd16324637b8834

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2024, 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d6dbcf7914b3e8feaf0fbf75f08523c.exe
Size

155KB
MD5

4d6dbcf7914b3e8feaf0fbf75f08523c
SHA1

9f52f32594e2d0bf9c34dbd786c9378b6faf0214
SHA256

c3c5ace13b00673a4622119daac1bfdd13bdc88d94124ababcd16324637b8834
SHA512

358ece12d00902551bd8a41a06fde4e7b77f0c9f0602165e6f3107a90a93b89b5ff2c26818ddcbcb84f15bed8142ef08a59e9cd31e826e2dc0045b8d86519c4d
SSDEEP

3072:XXNPIR7cznPmwECfj+qwuK5xGj4uTFY+Vxl:HNPIp5qTIxGDhYIx

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	4d6dbcf7914b3e8feaf0fbf75f08523c.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	4d6dbcf7914b3e8feaf0fbf75f08523c.exe

Executes dropped EXE 1 IoCs

pid	Process
4116	dplaysvr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	4d6dbcf7914b3e8feaf0fbf75f08523c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	4d6dbcf7914b3e8feaf0fbf75f08523c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3252	4116	WerFault.exe	92

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	4d6dbcf7914b3e8feaf0fbf75f08523c.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3208 wrote to memory of 4116	3208	4d6dbcf7914b3e8feaf0fbf75f08523c.exe	92
PID 3208 wrote to memory of 4116	3208	4d6dbcf7914b3e8feaf0fbf75f08523c.exe	92
PID 3208 wrote to memory of 4116	3208	4d6dbcf7914b3e8feaf0fbf75f08523c.exe	92

C:\Users\Admin\AppData\Local\Temp\4d6dbcf7914b3e8feaf0fbf75f08523c.exe
"C:\Users\Admin\AppData\Local\Temp\4d6dbcf7914b3e8feaf0fbf75f08523c.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3208
- C:\Users\Admin\AppData\Local\dplaysvr.exe
  "C:\Users\Admin\AppData\Local\dplaysvr.exe" C:\Users\Admin\AppData\Local\Temp\4d6dbcf7914b3e8feaf0fbf75f08523c.exe
  2⤵
  - Executes dropped EXE
  PID:4116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 2708
    3⤵
    - Program crash
    PID:3252

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4116 -ip 4116
1⤵
PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4873.tmp

Filesize
68KB

MD5
37517422efa2162da0cbf1ab53ff8dc9

SHA1
e5bf2c0e2107e88d494efcc26787cfba29201eae

SHA256
f25d5aa5a4d1c548bb6500be889d240c001407c245b0cd2c3db4470179dd5f4e

SHA512
d79b334e86eb17617760cf7ed3dafb348faee89ec52c42dd50e8c249b7803225e959e29ef3660fce7ae7cf84739b9d93eb520c774a08e7da73d5e5f54c88d55d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4874.tmp

Filesize
30KB

MD5
025761b21de842fadae111dd1e88fd29

SHA1
2ea24e07973d276add5ddf4ae5730393c5acf32e

SHA256
3e2b06d8bcf4ca4fd03633fb32de64728889542c4fe34695930f68a3a1b39a3c

SHA512
bb9fbbb1179ca2b7eea93daecd40b52d8a966049dd35d6d1ddee617f1eed995b44ff888ce33ec72a402de146087be255a17afe0d2052ee2ce6fe2702c99deee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\4876.tmp

Filesize
884B

MD5
edb70e0091a21ac94afe2a048549979c

SHA1
84121f1eb4ce53110475ead9515170b320291478

SHA256
e187da6700f91309e896681a308d52d7ceb0ce4ebf41a1cd7bca191b18f8716a

SHA512
aee14421ce7c4e26dea35fe47f54a0b2e05b751bbceb9ddf97c10d2506d5a521559b682092ed7f122eb88539a2a45eebfd04061fee0712c7e186f697603bb733

Download Submit
memory/3208-0-0x0000000000470000-0x000000000049E000-memory.dmp

Filesize
184KB

Download
memory/3208-1-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3208-20-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3208-21-0x0000000000470000-0x000000000049E000-memory.dmp

Filesize
184KB

Download
memory/3208-23-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads