Analysis
max time kernel: 141s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/01/2024, 16:30
Static task: static1
Behavioral task: behavioral1
Sample: 74f8f0d4d2d17f3a63e2c95ce62aa991.exe
Resource: win7-20231215-en
General
Target: 74f8f0d4d2d17f3a63e2c95ce62aa991.exe
Size: 313KB
MD5: 74f8f0d4d2d17f3a63e2c95ce62aa991
SHA1: e3a1ff16f0a67b5c534e096082b240f3a2cc24e9
SHA256: 7fa440918a8b62e7f7c85cf7d19cb4cfbbc706b1546e40dfe789c2c7144c5536
SHA512: 53d6dc61b641e729b084f83dee20d460ca985e18a1f50cf635b8c8a49bb6edf75f418809fc49a91ccedbbeec8558f3ac40dcb7c7dee1f0c9e250250d01de6a3d
SSDEEP: 6144:8d93ZBZMbqYgomHmXX7tiPkRcUN9eEKati3M2lht93hyBPSDpSLF89nx:8r3ZBIRAcRDN0EKatmh3hOPipSL8nx
Malware Config
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | 74f8f0d4d2d17f3a63e2c95ce62aa991.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | 1.sfx.exe |

Executes dropped EXE (2 IoCs)

| pid | Process |
|---|---|
| 2924 | 1.sfx.exe |
| 3728 | 1.exe |

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)

| pid | pid_target | Process | procid_target |
|---|---|---|---|
| 4788 | 3728 | WerFault.exe | 89 |

Modifies registry class (1 IoCs)

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\Local Settings | 1.sfx.exe |

Suspicious use of WriteProcessMemory (6 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 1620 wrote to memory of 2924 | 1620 | 74f8f0d4d2d17f3a63e2c95ce62aa991.exe | 88 |
| PID 1620 wrote to memory of 2924 | 1620 | 74f8f0d4d2d17f3a63e2c95ce62aa991.exe | 88 |
| PID 1620 wrote to memory of 2924 | 1620 | 74f8f0d4d2d17f3a63e2c95ce62aa991.exe | 88 |
| PID 2924 wrote to memory of 3728 | 2924 | 1.sfx.exe | 89 |
| PID 2924 wrote to memory of 3728 | 2924 | 1.sfx.exe | 89 |
| PID 2924 wrote to memory of 3728 | 2924 | 1.sfx.exe | 89 |
Processes

- C:\Users\Admin\AppData\Local\Temp\74f8f0d4d2d17f3a63e2c95ce62aa991.exe (PID 1620)
  Command line: "C:\Users\Admin\AppData\Local\Temp\74f8f0d4d2d17f3a63e2c95ce62aa991.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.sfx.exe (PID 2924)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.sfx.exe"
    Signatures: Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe (PID 3728)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe"
      Signatures: Executes dropped EXE
      - C:\Windows\SysWOW64\WerFault.exe (PID 4788)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 228
        Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 1792)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3728 -ip 3728
- C:\Windows\System32\rundll32.exe (PID 3704)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 113KB
  MD5: 58280c5ffb2fec6bb2fe6dc7afd9432b
  SHA1: 1875cceeb805dea7292506b41059e0fe579b078b
  SHA256: 6cf376f5e33a3f1cef6832710839be0f4791dbd7b8d9bde606e5d522771ec741
  SHA512: 4f4fef0f88ef9ab814977109628a9ff00d6555723a69af79e94162f9d974252afc07f676d62fbeab19d8ab18dfc74895a784c49e0bb8464a202ce23a4b3b6f5a
- Filesize: 211KB
  MD5: e6b1fbf09891ef5dc98243fc81aa1379
  SHA1: 8cc122d05d52d66b2cb59a22ae8aa9aabfb6bc2b
  SHA256: 7f79301e907ba2b3149e8c08f22d3c89327b48609618aa9dd479d232d72b32d8
  SHA512: 6d5dc6edb250c6e6f6d205288a9cf8a7be49fc6a7bd71103a5df839a3ea79ccf73311d224092a9a5209b80854acc3de91ddb816836e1c05170c0e8d33d40195b