Overview

overview

7

Static

static

3

48fe699f32...74.exe

windows7-x64

7

48fe699f32...74.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-01-2024 20:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    48fe699f325e6a37f7e9a01e2ff6f3b8e7f56a0d49a928c1befa37acc74a7174.exe

  • Size

    196KB

  • MD5

    5eb837b123ae38fb189414cf6f071ad4

  • SHA1

    d05e46ed48539cd97930417859346e2121283dcb

  • SHA256

    48fe699f325e6a37f7e9a01e2ff6f3b8e7f56a0d49a928c1befa37acc74a7174

  • SHA512

    92d750b5b1923c7085dcc3d1674f804329313ec510c8c15319737878f0489abf959fdf91defe405f72f3d96ef09e2ce1d4010e05c3c561bc9ef5ed0c4214f3fe

  • SSDEEP

    6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOX:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXO

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\48fe699f325e6a37f7e9a01e2ff6f3b8e7f56a0d49a928c1befa37acc74a7174.exe
    "C:\Users\Admin\AppData\Local\Temp\48fe699f325e6a37f7e9a01e2ff6f3b8e7f56a0d49a928c1befa37acc74a7174.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1440
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\48FE69~1.EXE > nul
      2⤵
        PID:3012
    • C:\Windows\Debug\qcihost.exe
      C:\Windows\Debug\qcihost.exe
      1⤵
      • Executes dropped EXE
      • Checks processor information in registry
      PID:3080

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\debug\qcihost.exe
      Filesize

      196KB

      MD5

      5425c9c21bea05865ee15ce2d7959ce2

      SHA1

      ebc8555c1c5b808bea382738b6b10711521be97f

      SHA256

      e16b57b9ac63a673f262fd4139a02fc7b8d20c1f76c37d3b853948d9acc28581

      SHA512

      6b2bc870941f5faad5b2e51556170214efa00dff399a6586a09694629c32bae332dc2ff10c6102a9e3da48eabbd3b77506310b199da0df7ca17e4c40ac9bb9b6

      Download Submit