Overview

overview

7

Static

static

3

67687f7f65...48.exe

windows7-x64

7

67687f7f65...48.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/01/2024, 10:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    67687f7f6552a3aad001e5a0c802c348.exe

  • Size

    213KB

  • MD5

    67687f7f6552a3aad001e5a0c802c348

  • SHA1

    0192ebef5f601cdcffa3c8b96ad53c3c34f05253

  • SHA256

    c32a96d73f51de511004dbe9662db39ec24538e41592dccaaeb0ca0220b33e2d

  • SHA512

    b8a4e71b288f26674c0e2667d0461e8405f06e4f9a30b1330cb9ecddf96f949e8f14eb4dd474245ecb9a21fe4d7ac20c92535b6b6fa0e7840a982680f9cf2132

  • SSDEEP

    3072:AfP+miCL5fWqeKuIwxLBqbeeUJIj4tWVAHZux6fKQJ:8PECL5+/KunESeSxtuwnfX

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\67687f7f6552a3aad001e5a0c802c348.exe
    "C:\Users\Admin\AppData\Local\Temp\67687f7f6552a3aad001e5a0c802c348.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3888
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Xdf..bat" > nul 2> nul
      2⤵
        PID:368
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
      1⤵
        PID:2144
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k UnistackSvcGroup
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:740

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Xdf..bat
        Filesize

        210B

        MD5

        c7e477342e1bace25cd29a48838cb0e7

        SHA1

        9a115edda825afa2c434a8570be574801ee34afc

        SHA256

        d5902c6a0cb67157e728f876a7c6af85770ebd6841fdc031fb224f291696124f

        SHA512

        178c931069ba3c2a71f97c5b97bb4cb55b7956a0209148d90d0522d5294b213a1a02d2304cfe649ec56b0f166f5468ee74aa15dab8a56773ed7aa8716492efc7

        Download Submit

      • memory/740-7-0x00000277D9E40000-0x00000277D9E50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/740-23-0x00000277D9F40000-0x00000277D9F50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/740-42-0x00000277E2270000-0x00000277E2271000-memory.dmp

        Filesize

        4KB

        Download

      • memory/740-41-0x00000277E2270000-0x00000277E2271000-memory.dmp

        Filesize

        4KB

        Download

      • memory/740-43-0x00000277E2380000-0x00000277E2381000-memory.dmp

        Filesize

        4KB

        Download

      • memory/740-39-0x00000277E2240000-0x00000277E2241000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3888-0-0x0000000000660000-0x000000000066D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/3888-1-0x0000000000400000-0x000000000043D000-memory.dmp

        Filesize

        244KB

        Download

      • memory/3888-3-0x00000000020C0000-0x00000000020DB000-memory.dmp

        Filesize

        108KB

        Download

      • memory/3888-2-0x00000000020C0000-0x00000000020DB000-memory.dmp

        Filesize

        108KB

        Download

      • memory/3888-5-0x0000000000400000-0x000000000043D000-memory.dmp

        Filesize

        244KB

        Download