Overview

overview

8

Static

static

3

64946db264...10.exe

windows7-x64

8

64946db264...10.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/01/2024, 05:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    64946db26421aa3e6d06bb9f03122510.exe

  • Size

    78KB

  • MD5

    64946db26421aa3e6d06bb9f03122510

  • SHA1

    ba10cf2420056dad5926af52d4feb1e0955ffb0f

  • SHA256

    e64448fbec35929e347d5921ed62f5f0ed24a6690a366291d65a059c01aa708a

  • SHA512

    ad5f942db30eea786b86492f1d641946211a9b0aad249bdd337723aa1014466aaf296ca9f8cda26c155aa7a250779811e85547552284fc63808d0a4c63fe6b76

  • SSDEEP

    1536:mxQYWznHcjuPw+USFODz1wM8de6s9xQe6N5iPGbf9fd5BHmVuDSV19rK0r:9znHcew+kzKM8dqPQeuR79fd5cjH1K0r

Score
8/10
persistence

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 45 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\64946db26421aa3e6d06bb9f03122510.exe
    "C:\Users\Admin\AppData\Local\Temp\64946db26421aa3e6d06bb9f03122510.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4856
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Windows\system32\mycc080324.dll mymain
      2⤵
      • Checks computer location settings
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3132
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\downf.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4940
        • C:\Windows\SysWOW64\mycc080324.exe
          "C:\Windows\system32\mycc080324.exe" i
          4⤵
          • Adds policy Run key to start application
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2632
          • C:\program files\internet explorer\iexplore.exe
            "C:\program files\internet explorer\iexplore.exe"
            5⤵
              PID:1212
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c "c:\nmDelm.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:864
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:2308
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:2876
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:2136
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:4652
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:4992
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:4464
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:5028
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:1120
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:4300
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:2888
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:1460
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:3860
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:4596
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:4452
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:1116
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:4856
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:3236
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:3924
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:2804
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:2984
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:4528
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:752
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:3536
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:1928
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:4580
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:3576
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:4100
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:4140
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:4840
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:2056
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:1344
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:2144
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:3520
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:4744
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:3768
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:2640
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:1216
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:4336
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:1484
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:4492
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:3828
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:1252
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:2944
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:3524
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "c:\nmDelm.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2596
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:3924

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\mycc080324.dll
      Filesize

      27KB

      MD5

      e2c67e75d417ca1e97090b7de1aaf4e2

      SHA1

      eb844fa348b839c0e116c68724acbb1f58aafa8c

      SHA256

      47f2ddd9633be60665bbc21264d958afeb691035fa859746f1285a8b38c78bf7

      SHA512

      bcd354a194d1174df94a3242470d1e788828e2ac847a0c2df6494651eb50ff1262d374aeccb0c607ef12a7adc2b5dc4e20a9cf2cd8ebe63e94ddcd708157f6f4

      Download Submit

    • C:\Windows\SysWOW64\mycc080324.exe
      Filesize

      78KB

      MD5

      64946db26421aa3e6d06bb9f03122510

      SHA1

      ba10cf2420056dad5926af52d4feb1e0955ffb0f

      SHA256

      e64448fbec35929e347d5921ed62f5f0ed24a6690a366291d65a059c01aa708a

      SHA512

      ad5f942db30eea786b86492f1d641946211a9b0aad249bdd337723aa1014466aaf296ca9f8cda26c155aa7a250779811e85547552284fc63808d0a4c63fe6b76

      Download Submit

    • C:\Windows\cc16.ini
      Filesize

      146B

      MD5

      976b012a633dea3a5ed30a4c92629a27

      SHA1

      679ded03f24b2c0844a65ddf6ed21ea53fc24467

      SHA256

      8ec463857c40fde9759778a4abf8cc58a0d1dfb9b3c45ffa97f7a1a9f96d03ef

      SHA512

      40bee835c5f356063ad2ee8ad590745637d6ed8cda7f3391d7cf0b552cdde09063a5fd3147b34f04b892d27fd04ce515745cfb49c6213f96bf5ebf6f85d81c75

      Download Submit

    • C:\Windows\cc16.ini
      Filesize

      185B

      MD5

      db966879eb834436e693696d70d89b4c

      SHA1

      7ab82c07d5a7a0fe23ea820a8eae96a2f6b3c2eb

      SHA256

      50425f109119d7dcefb8d54aad1f97fc82bfa4b110f92ba9242dfd3a6ca920fb

      SHA512

      f69898dd3206c196f446ebcc7afd8bf51c7e9671429cbb9c6e62988d2e94ebd2eafd7179549dfc4edc816b3c226bc3c4fd5e7d42d70603e80ebd1a1d5da4af38

      Download Submit

    • C:\downf.bat
      Filesize

      48B

      MD5

      3ece5ab0ebefa9af2dbdd19b4f2ca969

      SHA1

      2296ec9988484ce487149e0a182513a4a7025a2a

      SHA256

      cdab44e5eefddea61e8aec02ea2bb4d24fa1b53f86012beecf1d1f6005b2234d

      SHA512

      6d73fd18711f7940d684bf68256867ae8b8bb2e96ff1bdda6acc46cfd588d4238754bec061a5dcfafea46cb06817841c72df62494a46bb717383a14b6b97f823

      Download Submit

    • \??\c:\nmDelm.bat
      Filesize

      205B

      MD5

      1c9f1d21f8da37fac12b26a57058478b

      SHA1

      a11c91405f6204cd418741e6cf2905919f0d6eb6

      SHA256

      47374245f519b80d1d4ef0cbd304e9a193d498c484626223b44817a781974766

      SHA512

      5f73d2420b63616ae7357e5ddfc01f5ba447a760618cf7302260bc0f50c77451980f18fb361911a005363500863dee25474d19bc0d12b4c3029ac9342eb710a0

      Download Submit

    • \??\c:\nmDelm.bat
      Filesize

      133B

      MD5

      a192146b60f47f75afa7e500e74006f9

      SHA1

      aab331c2902d3eddd84ef7e3ae7629239e719787

      SHA256

      521be57d25a8d6607b223522dc1d604274ed12c5eb719da10d490b899a7dca0e

      SHA512

      cc9a8328909e6777ed4fdd03f27d45739a6c7ae3e1ec87268afb70fadf680648d934e846fa3c4ad2fe49f5019912ee0398313588f7c34e6070fa1e3a33f90387

      Download Submit

    • memory/3132-17-0x00000000007F0000-0x00000000007FD000-memory.dmp

      Filesize

      52KB

      Download

    • memory/3132-30-0x00000000007F0000-0x00000000007FD000-memory.dmp

      Filesize

      52KB

      Download

    • memory/3132-33-0x00000000007F0000-0x00000000007FD000-memory.dmp

      Filesize

      52KB

      Download

    • memory/3132-38-0x00000000007F0000-0x00000000007FD000-memory.dmp

      Filesize

      52KB

      Download

    • memory/3132-44-0x00000000007F0000-0x00000000007FD000-memory.dmp

      Filesize

      52KB

      Download