Resubmissions
21-01-2024 14:52
240121-r8syqaeac7 1021-01-2024 14:51
240121-r8k8waeac5 1001-01-2024 13:55
240101-q776kscacp 10Analysis
-
max time kernel
144s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
21-01-2024 14:52
General
-
Target
5474e75872eeb1e34cbe407c73409d4c65da7bd6aa9378b356bb3c12f316c506.exe
-
Size
263KB
-
MD5
111e7dd338f7a7db306c95e05797747f
-
SHA1
aff72034cbbc21693425306ad42b1bb182582743
-
SHA256
5474e75872eeb1e34cbe407c73409d4c65da7bd6aa9378b356bb3c12f316c506
-
SHA512
215ee93c5faf2af3a55cceed281b56aecb5990baf4ae508f02eb481c7c22081f05b73a2657279205ff5d4edfc63722ea1405a9e8cdf65939021c9f052ffb6fec
-
SSDEEP
6144:jeHgRe/IfHES0cVZrDjuNywKGOCWVoYkNMbU:jeHgM4HxZG1KGjWVoVO
Malware Config
Extracted
C:\Users\Admin\Downloads\How To Recover Encrypted Files.hta
class="mark">[email protected]</span>
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops desktop.ini file(s) 25 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5474e75872eeb1e34cbe407c73409d4c65da7bd6aa9378b356bb3c12f316c506.exe"C:\Users\Admin\AppData\Local\Temp\5474e75872eeb1e34cbe407c73409d4c65da7bd6aa9378b356bb3c12f316c506.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exemshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('C:\\Users\\Admin\\AppData\\Local\\Temp\\5474E7~1.EXE');close()}catch(e){}},10);"2⤵
-
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 6043⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\mshta.exemshta.exe "javascript:o=new ActiveXObject('WScript.Shell');setInterval(function(){try{o.RegWrite('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Scanner','C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe');}catch(e){}},10);"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4816 -ip 48161⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
208KB
MD5f3eb7c3ea106f1a43d1a45456b0f2746
SHA1ab77c708cecd48ad8381a691c043045c5990c445
SHA2569d3822bf3ff386a5e89bf66da549c37821dcc9970dca59d737385619940e4993
SHA5127f3ca6f588454c4256d912e984e33b66ec2d963be75a2250bd564ecd17add01822626ec8809634d94f4f05144b87b92f9fde350aae93518e7880cb2196075897
-
Filesize
108KB
MD5068d7914edcf3475a09418db41f7ed57
SHA124a449e033d18e8f61b2419befdbf9198e65cf13
SHA2563726c7f72f1b7eb2e615bcf6e8a5abe34f9bf9fbb230a54e5b37b75c219ec6df
SHA512ded9b193e4a36edb75efea06d95f0e4128b8760ae0af932ea00e3c7db4f36e0921a9e8a26402f35e9f5d6d428bbf506204b0d07153e98ffba5ed2bbfef5d72da
-
Filesize
67KB
MD5a671b60d5b926410a9eab25ee2d2a110
SHA17038e939d41b24a7946aa46a6f983a3194dcb22f
SHA256992bd377f1d151b618723cf95010ded6452a879e147b9eb30cb42a87eb644d1e
SHA512cf3dff24e2a5f42945de42dda2bd2178a3fc11a72a494f6e2635165b32e21be466645f0c61d3b35cb40b0009872162d4e47b3ff71f5d625f64c3f718bd8ede2e
-
Filesize
5KB
MD5c005b7fa252db4957217cbf7151ab0e9
SHA18c18a196f8d71713332e2c19cff53e843f1d657b
SHA25684a321da94e38308ef315fcceeb0e1ed6159e45ae96290d91eddd235fa3417ba
SHA51216be43fd291623d0fcddb92b5ab85759cb63340bfba5c1194168425afac61d5b33ad98ede11550c79d18ccdfee205844fcb71388fc5996f8f14a34a5fb9449e4
-
Filesize
5KB
MD5422abb0922c1865bb043b42d1abfe41e
SHA1af0c2916214bce86047640e34e0026642b65ae81
SHA2567adcbd479ff9197622ad2c1f2cce0f6ed3dd765d0c50bb88a5bad96f3feb88c9
SHA512e4c40b8e21aa88760f501eb7e6313b6530bc7b1f4a5a34551f0562cca15a602ba671520e770c491d218a8fa6b0901c9e49e53403eddc6a66633d04374939852a
-
Filesize
82KB
MD5f579e6615698e2c2dd91b4be91927c6c
SHA129e6d536e1564749f4b5fdb0efbe950ea6d360c0
SHA2564d4baf422ada331cc3d80ca07683734254469fdbb6cd7dc53b16177e0275107e
SHA51272a6385d2fad12a2dcccafcb91172169df4486e14d958f12964f2de4b64e1e072ae80beaabe0a33bf5adeb58fd9a137b423c1446d352fa58818f8c458af1e1d7
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB