Analysis
-
max time kernel
147s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
25-01-2024 17:33
Static task
static1
Behavioral task
behavioral1
Sample
751b0391c47ac27fd5880602095c2b75.exe
Resource
win7-20231129-en
General
-
Target
751b0391c47ac27fd5880602095c2b75.exe
-
Size
392KB
-
MD5
751b0391c47ac27fd5880602095c2b75
-
SHA1
57bb747fc1bff49bb43598d4e9ef035589ff8a65
-
SHA256
69e62c01d01514823c9f50a77e79b456241aed9f23596e48d78490d227fbb18b
-
SHA512
7ac38504d483601ec7dc660559f23b75d127a82091eba15f50f4f62d715c8d327f5950c5cc99ba7cf31c1f60c2457ff8fa6fc3691dffb60abca7a355eb7ae607
-
SSDEEP
3072:TjeF/OZ/HI8IhYt5BjAsoDYp9qducrNK+B968s655MjawzakfWeiKWVOzYZO:TjC/4/HI87/Xr6UKzB92hOvVUYZO
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
751b0391c47ac27fd5880602095c2b75.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation 751b0391c47ac27fd5880602095c2b75.exe -
Executes dropped EXE 1 IoCs
Processes:
oztdohk.exepid Process 4028 oztdohk.exe -
Loads dropped DLL 1 IoCs
Processes:
oztdohk.exepid Process 4028 oztdohk.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid Process 1640 taskkill.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
taskkill.exedescription pid Process Token: SeDebugPrivilege 1640 taskkill.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
751b0391c47ac27fd5880602095c2b75.execmd.exedescription pid Process procid_target PID 4072 wrote to memory of 3276 4072 751b0391c47ac27fd5880602095c2b75.exe 89 PID 4072 wrote to memory of 3276 4072 751b0391c47ac27fd5880602095c2b75.exe 89 PID 4072 wrote to memory of 3276 4072 751b0391c47ac27fd5880602095c2b75.exe 89 PID 3276 wrote to memory of 1640 3276 cmd.exe 91 PID 3276 wrote to memory of 1640 3276 cmd.exe 91 PID 3276 wrote to memory of 1640 3276 cmd.exe 91 PID 3276 wrote to memory of 4436 3276 cmd.exe 93 PID 3276 wrote to memory of 4436 3276 cmd.exe 93 PID 3276 wrote to memory of 4436 3276 cmd.exe 93 PID 3276 wrote to memory of 4028 3276 cmd.exe 94 PID 3276 wrote to memory of 4028 3276 cmd.exe 94 PID 3276 wrote to memory of 4028 3276 cmd.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\751b0391c47ac27fd5880602095c2b75.exe"C:\Users\Admin\AppData\Local\Temp\751b0391c47ac27fd5880602095c2b75.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /f /pid 4072 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\751b0391c47ac27fd5880602095c2b75.exe" & start C:\Users\Admin\AppData\Local\oztdohk.exe -f2⤵
- Suspicious use of WriteProcessMemory
PID:3276 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /pid 40723⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1640
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 127.13⤵
- Runs ping.exe
PID:4436
-
-
C:\Users\Admin\AppData\Local\oztdohk.exeC:\Users\Admin\AppData\Local\oztdohk.exe -f3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4028
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
392KB
MD5751b0391c47ac27fd5880602095c2b75
SHA157bb747fc1bff49bb43598d4e9ef035589ff8a65
SHA25669e62c01d01514823c9f50a77e79b456241aed9f23596e48d78490d227fbb18b
SHA5127ac38504d483601ec7dc660559f23b75d127a82091eba15f50f4f62d715c8d327f5950c5cc99ba7cf31c1f60c2457ff8fa6fc3691dffb60abca7a355eb7ae607