Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-01-2024 13:55

General

  • Target

    5b69da4ef76fdd75ac29737dcfb0c304.exe

  • Size

    156KB

  • MD5

    5b69da4ef76fdd75ac29737dcfb0c304

  • SHA1

    a4f0fdd81682b708e31d60b9a7f5fc9bdeffd604

  • SHA256

    d940548c354277aaf332b8bf2a3a36e8064b4d8268658cf3f106c74c40046097

  • SHA512

    dc6918dcddd6cced963764001054c2a73fb9b2b9207bfe5e314a2501c8de8d00f32f8cc751a30cbc2519e52cd6253ccf5137aa1afae88ecc4ea556136d1235dd

  • SSDEEP

    3072:PNMtJS4aZhJdxKPE+vgu36MN9vqKyHjm6I1JDVOc2W4oQZiE32L:sm7d0zvhqMN9vgjm6ILDVOAWli

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 51 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5b69da4ef76fdd75ac29737dcfb0c304.exe
    "C:\Users\Admin\AppData\Local\Temp\5b69da4ef76fdd75ac29737dcfb0c304.exe"
    1
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4552
    • C:\Users\Admin\fiqer.exe
      "C:\Users\Admin\fiqer.exe"
      2
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1676

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\fiqer.exe

    Filesize

    156KB

    MD5

    e16c840287e39dd31ed496aaea1e455e

    SHA1

    51dceda5fa142c64e641b312a20f1fb3245955df

    SHA256

    5703dd1574f3802ff5ac5a6674730a59e60654e4cba520e08bfbdbafa6f3fa4a

    SHA512

    3ae888ed643deba96fe739412d78fdfcff6ecc681a829c2842df89e580fe1b77d3b7347465a2be1a76368600d24b4986571c6628fde1e2a6aef2ad3772939bec