Analysis

  • max time kernel
    106s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-01-2024 08:43

General

  • Target

    (?)#Androm-CGfxListView.exe

  • Size

    152KB

  • MD5

    e2a3695183a53cf01c5fee5dd13afb45

  • SHA1

    fb730909a89480728d243782558828d624089974

  • SHA256

    894007e5d07de82a13d1ce44ddefbffcfb790d410e5fe01c7e04deb7e5b8464b

  • SHA512

    2df11dbf31394a176eaa9277c1c61062e9a785e90ad89d714fa1eb2bfae98e91b57060b75d000eda64082e588d8b963f0a11a2df063f6cd0e8760fb744061823

  • SSDEEP

    3072:wf4Zp1MIrIf4lO6VogYx4q+wZoCXiZxnLRmEj:LZpyIrIw1q+kPUL

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Drops file in Program Files directory (1 IoC)
  • Checks processor information in registry (2 TTPs, 4 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses (30 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\(_)#Androm-CGfxListView.exe
    "C:\Users\Admin\AppData\Local\Temp\(_)#Androm-CGfxListView.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5028
    • C:\Program Files (x86)\msiexec.exe
      "C:\Program Files (x86)\msiexec.exe" -Puppet
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2044

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\msiexec.exe

    Filesize

    58KB

    MD5

    9d09dc1eda745a5f87553048e57620cf

    SHA1

    1d0c7cfca8104d06de1f08b97f28b3520c246cd7

    SHA256

    3a90ede157d40a4db7859158c826f7b4d0f19a5768f6483c9be6ee481c6e1af7

    SHA512

    2be940f0468f77792c6e1b593376900c24ff0b0fae8dc2e57b05596506789aa76119f8be780c57252f74cd1f0c2fa7223fe44ae4fa3643c26df00dd42bd4c016

  • C:\Users\Admin\Documents\msedge.exe

    Filesize

    152KB

    MD5

    e2a3695183a53cf01c5fee5dd13afb45

    SHA1

    fb730909a89480728d243782558828d624089974

    SHA256

    894007e5d07de82a13d1ce44ddefbffcfb790d410e5fe01c7e04deb7e5b8464b

    SHA512

    2df11dbf31394a176eaa9277c1c61062e9a785e90ad89d714fa1eb2bfae98e91b57060b75d000eda64082e588d8b963f0a11a2df063f6cd0e8760fb744061823

  • memory/2044-14-0x0000000010000000-0x000000001001A000-memory.dmp

    Filesize

    104KB

  • memory/5028-0-0x0000000002630000-0x000000000267E000-memory.dmp

    Filesize

    312KB

  • memory/5028-1-0x0000000010000000-0x000000001001A000-memory.dmp

    Filesize

    104KB