Analysis
max time kernel: 151s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/01/2024, 12:41
Static task: static1
Behavioral task: behavioral1
  Sample: 509567746584cefbda29149448eb7dbc.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 509567746584cefbda29149448eb7dbc.exe
  Resource: win10v2004-20231215-en
General
Target: 509567746584cefbda29149448eb7dbc.exe
Size: 5.4MB
MD5: 509567746584cefbda29149448eb7dbc
SHA1: 2e4bf637ba8ff53e863503c993e4e107169017e2
SHA256: d50705040b30b00f8a8fa6adfb56c31763e6a4d7ebd341976dab18fccc8e679e
SHA512: 8d1591d49c7eff5e3688f7d2d8fa355e633f599be620976a6236787fd0c6315bc17277e7ed0e4066331649e7fb8f26e2cc8a291d87990757f87656ff74ec4bba
SSDEEP: 98304:e3g2ZGsXdwFZY/HC2TK62pJjxnYezvNIqIeo5ZOsXk9gX30YEB:d9sUZ82pNGez45wsXbX30D
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description         ioc                                                                                                   Process
Key value queried   \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation   509567746584cefbda29149448eb7dbc.exe
Executes dropped EXE (2 IoCs)
pid    Process
3872   Runtime Broker.exe
2224   108953vg7238n0gv5.exe

resource                                                                       yara_rule
behavioral2/files/0x0009000000023133-19.dat                                    vmprotect
behavioral2/memory/2224-26-0x0000000140000000-0x0000000140980000-memory.dmp    vmprotect
behavioral2/memory/2224-30-0x0000000140000000-0x0000000140980000-memory.dmp    vmprotect
behavioral2/memory/2224-35-0x0000000140000000-0x0000000140980000-memory.dmp    vmprotect
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
pid    Process
2224   108953vg7238n0gv5.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid    Process
2224   108953vg7238n0gv5.exe
2224   108953vg7238n0gv5.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid    Process
2224   108953vg7238n0gv5.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description                       pid   Process                                procid_target
PID 532 wrote to memory of 3872   532   509567746584cefbda29149448eb7dbc.exe   93
PID 532 wrote to memory of 3872   532   509567746584cefbda29149448eb7dbc.exe   93
PID 532 wrote to memory of 2224   532   509567746584cefbda29149448eb7dbc.exe   89
PID 532 wrote to memory of 2224   532   509567746584cefbda29149448eb7dbc.exe   89
Processes
C:\Users\Admin\AppData\Local\Temp\509567746584cefbda29149448eb7dbc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\509567746584cefbda29149448eb7dbc.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 532

    C:\Users\Admin\AppData\Roaming\108953vg7238n0gv5.exe
      Command line: "C:\Users\Admin\AppData\Roaming\108953vg7238n0gv5.exe"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      PID: 2224

    C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
      - Executes dropped EXE
      PID: 3872
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 93KB
MD5: 476df6be3a41e37bac0dddb012cadef3
SHA1: 8603cd737272f466d061ef09c34ea7b36dbb10a9
SHA256: 820e87a95fef884afd9e40e88a7524680407573d3cb42fe7a5d297a660fb7311
SHA512: 35ec22e32b1657b5f8d2bb1ed6d6c096ec12e53c26f5afca8cbff2cfaacb55bad0c1dd26fec1548040eaea0f3a6c74737901e71a2626e0d63a1b0f447058ec30