Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
-
submitted
13/01/2024, 10:28
General
-
Target
58b10193041261d1459fc7a38e4f7182.exe
-
Size
63KB
-
MD5
58b10193041261d1459fc7a38e4f7182
-
SHA1
697a818590fb22c5f050bc6fe2e09bcd9b2c533d
-
SHA256
69bc33a4aec01f84eeee4bcccf312cc8ebfd7a4e5164f0d5a88279a9b16d6f58
-
SHA512
5d8c5622ab866c0fc7e806f7599c994897802bcc9158d3aa80f678777a1c030d2a5aaec475869fc493edf8ec1225979f68c3ba25aa71814534c7b0e7798628f6
-
SSDEEP
1536:on1bEkVY3D3+RyK/vpKl/WYEQxirnHZi0svY1Jnpv/mu:mbEm8DukK/vgc6QH2g/r
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 4 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\58b10193041261d1459fc7a38e4f7182.exe"C:\Users\Admin\AppData\Local\Temp\58b10193041261d1459fc7a38e4f7182.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\msreg.exe"C:\Windows\msreg.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchosts.exesvchosts.exe -p247593⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\svchostc.exesvchostc.exe -p147283⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\5845.exe"C:\Windows\system32\5845.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\SysWOW64\a.bat" "C:\Windows\SysWOW64\5845.exe""1⤵
-
C:\Windows\5845.exe"C:\Windows\5845.exe"1⤵
- Executes dropped EXE
- Enumerates connected drives
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD592b106420d9cc35374e809dc8fe852f7
SHA122e1cb6d2415deb60472ffe10ec06cbc4804b66b
SHA2561b188f82bf3b9bf44a35c1111136d770b554d2ae85dd9af81aceb6ac2e926eac
SHA51285b0fff543a0290aca4d3b2c3c155b2ce3e675d533b2de2cf65ca24a16176cc7f7ef12ba9c830974156921b275772fa815f40c330b897097dd97f611f90a85ba
-
Filesize
38B
MD550a94effec08179504ef46949486ef63
SHA1c36bcfbc6d85d0ae7b5642655985ecc2ab1f9e1d
SHA256149194e913c7900de706a6a48db7695059b91fd63ebc75b373355c7009fb62e2
SHA512095c1914e290377676cfbf07c52fb321d8e51638229810e560447e4db51d2e4dff8bfa870b009029692e12c0b9fe9c1fcf74dde30c3f68297631ff4ea6bbe283
-
Filesize
15KB
MD5c439458fe4dfa9bc61d7901010c70f2d
SHA16169767b230a997423f6ea700249595bdf0d9dfd
SHA256fd66eadcecc665ff52db488fbda69224bd9ada9230d7bd7d70fe3955428f2cdb
SHA512177f1a3cac0cec930d4ed6e3979eae3dcc26606d46e39038d1f0ac8bae8132d18037972e1e3b923adeb18c7c07f909b0aa01dbdf914e7991af9bfc80eee51815
-
Filesize
20KB
MD56aa3069d49df47e0758b56fd96842f4f
SHA1f883e5f1beb4e0b045f17502c2f3360e1968d199
SHA25696c4145afcf8aa0dd783003cb382431093eae04d66d3a9534cecc9b3cf23b8c7
SHA51216a36768c5297cde7e5edcad4f7416e838b75ce8825e5127434b56bcd30c5d3d62e4b700f7c86479d912681a0a528a9cf6f3c6b6ce54c67f14218f56e2d91589
-
Filesize
4KB
MD549bf33e2095037be496a3f1b32870a68
SHA1ae1007e66a72417b41d920d310f7eaed136fc505
SHA256b5f35a38774e79da832e33aa57bd97230eac89bc174a1a36c02a89497717cd19
SHA512d718adedcc5454603356020b189bf649cb2039fe923751498c00fc784fc7856ecc645429a603676a88eab859ba915e199df8bf7d03344aee3de9a568c1595635
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
76KB
-
Filesize
56KB
-
Filesize
60KB