Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-01-2024 18:10

General

  • Target

    54386e1ef991a60bda98b305feadc678.exe

  • Size

    110KB

  • MD5

    54386e1ef991a60bda98b305feadc678

  • SHA1

    892125075d550437a3c5b28de2d1b37370b0762e

  • SHA256

    50242b91f24c282bd51c8f742f19176e3054fc38a6413ede37f70fd5cd7eb13d

  • SHA512

    0902d4d8eef6857cd0b65cdad6c9545fd18baabca50a9ef716a5fd14780fee501bbb25469474c36b1d34c5731193a4106cde05670058f92917710851b6731e50

  • SSDEEP

    3072:wXzNDOJ6EnxF4TQIbpM+9Jut5BLnWDsD27n2:wDNhOxF4cIbJXut5BjWD4F

Score
8/10

Malware Config

Signatures

  • Adds policy Run key to start application (2 TTPs, 2 IoCs)
  • Checks computer location settings (2 TTPs, 3 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (1 IoC)
  • Drops file in System32 directory (7 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings (1 TTP, 33 IoCs)
  • Suspicious behavior: EnumeratesProcesses (18 IoCs)
  • Suspicious use of AdjustPrivilegeToken (10 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (15 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\54386e1ef991a60bda98b305feadc678.exe
    "C:\Users\Admin\AppData\Local\Temp\54386e1ef991a60bda98b305feadc678.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Windows\SysWOW64\inf\svchosts.exe
      "C:\Windows\system32\inf\svchosts.exe" C:\Windows\system32\lwfdfia16_080515.dll tanlt88
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4456
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "c:\mylstecj.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4432
        • C:\Windows\system\sgcxcxxaspf080515.exe
          "C:\Windows\system\sgcxcxxaspf080515.exe" i
          4⤵
          • Adds policy Run key to start application
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:404
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2120
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2120 CREDAT:17410 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:636
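The tree above is the behaviour a detection engineer would want to catch on a real host: an executable planted in the driver .inf directory under a look-alike name (svchosts.exe vs svchost.exe), cmd.exe running a .bat from the drive root, and a copy of the sample in the legacy C:\Windows\System directory, all chained parent-to-child. The following is an added example (not sandbox output) that runs those checks over process-creation events. EVENTS is constructed from the PIDs, images and command lines in the tree; the pid/ppid/image/cmdline field names are an assumed schema along the lines of a Sysmon Event ID 1 or EDR process-start record.

```python
"""Flag the execution chain this report shows, from process-creation events.

Added example, not part of the sandbox output. EVENTS is constructed to mirror
the report's process tree (PIDs, images and command lines copied from the page);
the field names pid/ppid/image/cmdline are an assumed schema.
"""
import ntpath
import re

EVENTS = [  # constructed from the report's Processes section
    {"pid": 3056, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\54386e1ef991a60bda98b305feadc678.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\54386e1ef991a60bda98b305feadc678.exe"'},
    {"pid": 4456, "ppid": 3056,
     "image": r"C:\Windows\SysWOW64\inf\svchosts.exe",
     "cmdline": r'"C:\Windows\system32\inf\svchosts.exe" C:\Windows\system32\lwfdfia16_080515.dll tanlt88'},
    {"pid": 4432, "ppid": 4456,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c "c:\mylstecj.bat"'},
    {"pid": 404, "ppid": 4432,
     "image": r"C:\Windows\system\sgcxcxxaspf080515.exe",
     "cmdline": r'"C:\Windows\system\sgcxcxxaspf080515.exe" i'},
    {"pid": 2120, "ppid": 404,
     "image": r"C:\Program Files\Internet Explorer\IEXPLORE.EXE",
     "cmdline": r'"C:\Program Files\Internet Explorer\IEXPLORE.EXE"'},
    {"pid": 636, "ppid": 2120,
     "image": r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     "cmdline": r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2120 CREDAT:17410 /prefetch:2'},
]

# Genuine Windows binaries whose names malware imitates with a one-character change.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "services.exe", "winlogon.exe"}


def levenshtein(a, b):
    """Edit distance; used to catch look-alike names such as svchosts.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_image(image):
    """Rules on where the executable lives and what it is called."""
    low = image.lower()
    name = ntpath.basename(low)
    hits = []
    # The inf directory holds driver .inf files; an .exe there is out of place.
    if re.search(r"\\windows\\(system32|syswow64)\\inf\\", low):
        hits.append("exe_in_inf_dir")
    # C:\Windows\System (no "32") is a legacy directory that modern software does not use.
    if re.match(r"[a-z]:\\windows\\system\\", low):
        hits.append("exe_in_legacy_system_dir")
    if name not in SYSTEM_NAMES and any(levenshtein(name, s) == 1 for s in SYSTEM_NAMES):
        hits.append("system_binary_lookalike")
    return hits


def check_cmdline(image, cmdline):
    """cmd.exe /c running a .bat straight off the drive root, as the dropper does."""
    if ntpath.basename(image.lower()) != "cmd.exe":
        return []
    if re.search(r'/c\s+"?[a-z]:\\[^\\"]+\.bat"?', cmdline, re.I):
        return ["cmd_runs_bat_from_drive_root"]
    return []


def detect(events):
    """Map pid -> list of rule names that fired for that process."""
    report = {}
    for e in events:
        hits = check_image(e["image"]) + check_cmdline(e["image"], e["cmdline"])
        if hits:
            report[e["pid"]] = hits
    return report


def ancestry(events, pid):
    """Walk ppid links back to the root and return the chain of image names."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(ntpath.basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for pid, rules in detect(EVENTS).items():
        print(pid, rules, " -> ".join(ancestry(EVENTS, pid)))
```

Run against EVENTS, the rules fire on PID 4456 (inf directory plus look-alike name), 4432 (cmd.exe /c c:\mylstecj.bat) and 404 (legacy System directory); the original dropper in %TEMP% and the two IEXPLORE.EXE instances trigger nothing on their own, which is why the ancestry chain matters: the IE processes are only interesting because of what spawned them.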

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver35D0.tmp

    Filesize

    15KB

    MD5

    1a545d0052b581fbb2ab4c52133846bc

    SHA1

    62f3266a9b9925cd6d98658b92adec673cbe3dd3

    SHA256

    557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

    SHA512

    bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

  • C:\Windows\SysWOW64\inf\svchosts.exe

    Filesize

    60KB

    MD5

    889b99c52a60dd49227c5e485a016679

    SHA1

    8fa889e456aa646a4d0a4349977430ce5fa5e2d7

    SHA256

    6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

    SHA512

    08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

  • C:\Windows\SysWOW64\lwfdfia16_080515.dll

    Filesize

    30KB

    MD5

    4c4a8d1a787ed781a87907396aa7af0f

    SHA1

    ff4ef76616f3cce8f7eb8dbd109e508e63b88319

    SHA256

    3564461b7f12ec14ff75a6c00f9baa6f4a7309cacef4a48dda996fd1a1149da7

    SHA512

    b2348a2e7c0b71229ac2c56de40c6006efbe6f680c6c8acee7b1e5c8a0302c2d7b2d76f2c9496314c4c91316815404fd839ee6f6b17c187bdce495d23415ba65

  • C:\Windows\SysWOW64\mdccasys32_080515.dll

    Filesize

    218KB

    MD5

    b02521c9f542d02cdaadb890609c8df3

    SHA1

    b7004371868d5f96a5228551e1420d599252547f

    SHA256

    b4b47a59a2263ad2210397f7153a13679d434946c418ab37750c40269d42e65f

    SHA512

    0fd75e37712440778ab216b5e410a42ee35ae33db4fa8d546128bcf31feedfd5bee442dda1c1e7d19a319be682cb92d2050809893bf29590e0170de1aa8a0edf

  • C:\Windows\System\sgcxcxxaspf080515.exe

    Filesize

    110KB

    MD5

    54386e1ef991a60bda98b305feadc678

    SHA1

    892125075d550437a3c5b28de2d1b37370b0762e

    SHA256

    50242b91f24c282bd51c8f742f19176e3054fc38a6413ede37f70fd5cd7eb13d

    SHA512

    0902d4d8eef6857cd0b65cdad6c9545fd18baabca50a9ef716a5fd14780fee501bbb25469474c36b1d34c5731193a4106cde05670058f92917710851b6731e50

  • C:\Windows\pwisys.ini

    Filesize

    97B

    MD5

    cd13eb5dc50944fd66eba374a04003b0

    SHA1

    9e85d3402c24b43ff92dadc2320ee5a2899417a8

    SHA256

    8552eec27aa8a5ac1ac1bbe3ff720794e83a54e04c2361ff009261054554a3b9

    SHA512

    f4016541b6f8286f54ce8354346f47b4e4542e0e672ddaa9dbfb333eeff6f752fbcb04242f79677cf1fd9515a42cabda649dfcab2ec6152064939f7f114f9f87

  • C:\Windows\pwisys.ini

    Filesize

    448B

    MD5

    0b364065ca09d61aabea352fba88a04e

    SHA1

    459b136ae51efbcabb224b3f9031739f782d42f2

    SHA256

    189aaec0fa8283aa9bdb605a9798d770f2c4518cc6fe5c31b7ab82dd37aa5539

    SHA512

    4a35dab5eaa5cd9afb2bfc475b6888a13c556c0d308d99d9395e01c4cbbc244a18679ffe1cf268603442b19fa8e7f85ec9b8ecdadc717eec264273a726b9d6c3

  • C:\Windows\pwisys.ini

    Filesize

    378B

    MD5

    d514959a7cb4eef1169a1604baa803c9

    SHA1

    a1d9dbb2579031d6448020ab1c0ccd5ee325d639

    SHA256

    1e8c7207fdff2cdc48737f79caaf9d8c7b0c0a6009a51314635bef0423afd7f9

    SHA512

    61856e969326aa622db3d4db8710875a039f53976204fee168cccb4439f36f445ed73bbff067215234f5eb69150b87fd44f728568cc05863456296cedf34ca17

  • C:\Windows\pwisys.ini

    Filesize

    406B

    MD5

    56d983b3443047b51838e4bb3c5bae69

    SHA1

    24933aec1bf770719cdf70dce6ea9dd8b5d0f3d8

    SHA256

    e678a3c110fbcfa660cfa589a59f39f6ad929dfdba41f34d52354b0a69246ffc

    SHA512

    4746ef32386d198fc101dbb89f393d3d6b30d84712685916bffee41e4dfeb5ccd05f7af96f167a27903a378fe93b9560b74ae029c1e6b85b2465f8cf3856cdaf

  • C:\Windows\pwisys.ini

    Filesize

    412B

    MD5

    2aa800ab1b2697472b357e6fc0d3c48a

    SHA1

    525ae58ae6a2cedec44e6950897bc726925a4255

    SHA256

    72ddad5c48a07067698e9558ff06f33ee14ba8631f64fd4344c0a867c1e6ef35

    SHA512

    d30fc75da70fe5754a97c495512264b28d2c2d1f657d3c5d66b525f5c69b158eb0257972a2393d7075c072a76101fcc07599a09fd2c6b502b281279e16663593

  • C:\Windows\pwisys.ini

    Filesize

    472B

    MD5

    e40c2ec89bc3d9ba7fd79a94ea6b668c

    SHA1

    c54054c44238ec170bdab56f7e96fcd72b891836

    SHA256

    08368f3bf75bdb57ed4a64c662ac06df3fdf083a2ed0ecbb69ab37668e12b7ef

    SHA512

    984fd87aef6df5dbf202c2dfa712e3b30aef09084e03508d2a9590180a34b0530d23804def6c01e6992707f9ae88c444218bef62789f15b88d7128a334e8417b

  • \??\c:\mylstecj.bat

    Filesize

    53B

    MD5

    94d0a2a547916c750d4d389461fe9248

    SHA1

    79850c7eef48247648b64d5b6ab4a327e79d9ba0

    SHA256

    ca608b14e38a37c9b7f17de97432c5f05601e4c7e859083af8fa2b4bf84fd1cc

    SHA512

    4e1b51d9650c13e41b77532ccc42b0a40af8935398443f90ef27c691a43bd6e05d04524757d8884e1594fd2a0e64370915bff1081173922e654e1c326d70b475

  • memory/4456-72-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/4456-64-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/4456-86-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/4456-112-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB
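Two things in the Downloads list are worth acting on. First, C:\Windows\System\sgcxcxxaspf080515.exe carries exactly the same MD5/SHA1/SHA256 as the submitted sample, so the dropper simply copies itself into a legacy Windows directory. Second, C:\Windows\pwisys.ini appears six times with six different hashes, so its content is not a stable indicator and it should be matched on name only. The following added example (not sandbox output) turns the list into a host sweep: paths and SHA-256 values are copied from the report; the IE VersionManager .tmp is left out on the assumption that it is an Internet Explorer housekeeping artifact rather than a dropped payload; the directory the demo sweeps is constructed with stand-in bytes, not the real sample.

```python
"""Sweep a directory tree for the files this report lists, by SHA-256 and by name.

Added example, not part of the sandbox output. Paths and SHA-256 values are
copied from the report's Downloads section; the demo directory is constructed.
"""
import hashlib
import ntpath
import os
import shutil
import tempfile

IOC_FILES = {  # path -> SHA-256, from the report
    r"C:\Users\Admin\AppData\Local\Temp\54386e1ef991a60bda98b305feadc678.exe":
        "50242b91f24c282bd51c8f742f19176e3054fc38a6413ede37f70fd5cd7eb13d",
    r"C:\Windows\System\sgcxcxxaspf080515.exe":
        "50242b91f24c282bd51c8f742f19176e3054fc38a6413ede37f70fd5cd7eb13d",
    r"C:\Windows\SysWOW64\inf\svchosts.exe":
        "6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910",
    r"C:\Windows\SysWOW64\lwfdfia16_080515.dll":
        "3564461b7f12ec14ff75a6c00f9baa6f4a7309cacef4a48dda996fd1a1149da7",
    r"C:\Windows\SysWOW64\mdccasys32_080515.dll":
        "b4b47a59a2263ad2210397f7153a13679d434946c418ab37750c40269d42e65f",
    r"c:\mylstecj.bat":
        "ca608b14e38a37c9b7f17de97432c5f05601e4c7e859083af8fa2b4bf84fd1cc",
}
# pwisys.ini was rewritten several times during the run (six hashes in the
# report), so it is matched on name only.
IOC_NAMES_ONLY = {"pwisys.ini"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path, digest, iocs=IOC_FILES, names_only=IOC_NAMES_ONLY):
    """An exact hash hit beats a name-only hit; a known name with a different
    hash usually means a variant or a regenerated file and still needs a look."""
    if digest in set(iocs.values()):
        return "hash_match"
    known_names = {ntpath.basename(p).lower() for p in iocs} | names_only
    if ntpath.basename(path).lower() in known_names:
        return "name_match_hash_differs"
    return None


def sweep(root, iocs=IOC_FILES, names_only=IOC_NAMES_ONLY):
    """Return (path, verdict, sha256) for every file under root that matches."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                digest = sha256_file(full)
            except OSError:  # locked or unreadable file: skip it, do not abort the sweep
                continue
            verdict = classify(full, digest, iocs, names_only)
            if verdict:
                hits.append((full, verdict, digest))
    return hits


def shared_hashes(iocs=IOC_FILES):
    """Paths in the IoC table that share one hash: here the submitted sample and
    its copy under C:\\Windows\\System are byte-identical, i.e. a self-copy."""
    groups = {}
    for path, digest in iocs.items():
        groups.setdefault(digest, []).append(path)
    return {d: paths for d, paths in groups.items() if len(paths) > 1}


def demo_sweep():
    """Sweep a constructed directory: stand-in bytes, not the real sample."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "inf"))
        planted = os.path.join(root, "inf", "svchosts.exe")
        with open(planted, "wb") as f:
            f.write(b"MZ constructed stand-in for svchosts.exe")
        with open(os.path.join(root, "pwisys.ini"), "wb") as f:
            f.write(b"[constructed]\r\n")
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"benign\r\n")
        # Treat the stand-in's hash as the IoC so the hash path is exercised offline.
        iocs = dict(IOC_FILES)
        iocs[r"C:\Windows\SysWOW64\inf\svchosts.exe"] = sha256_file(planted)
        return sorted((os.path.basename(p), v) for p, v, _ in sweep(root, iocs))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo_sweep())
    print(shared_hashes())
```

On a real host you would call sweep() against C:\Windows and C:\ with the unmodified IOC_FILES; any hash_match is the exact sample or one of its drops, while a name_match_hash_differs on svchosts.exe or the two *_080515.dll names is the signal that a rebuilt variant is present and should be collected rather than dismissed.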