Analysis

max time kernel: 149s
max time network: 93s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-01-2024 17:02

Static task: static1

Behavioral task: behavioral1
  Sample: 7509d9427bf753cf9dafa87adb64c8df.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 7509d9427bf753cf9dafa87adb64c8df.exe
  Resource: win10v2004-20231222-en
General

Target: 7509d9427bf753cf9dafa87adb64c8df.exe
Size: 52KB
MD5: 7509d9427bf753cf9dafa87adb64c8df
SHA1: ad35734b8f42c3a5e32b907eda5f276ad78339a1
SHA256: 7c58dff060dc7c42fa7124e27d2ee7ce8398c2e832e42f50416ee93c170f20b8
SHA512: b0e3cb21527d0f8a89ecee9875efdaf54c09a3de7cd5896c8366f56d01d1a9b331848ac1614c6611197933bd988c053c6b85f8859a057c5777da70b06f9d47e0
SSDEEP: 768:qwRndq137gQOCEEL9Lj2Pi08do+cC6O1Kpdd48mSkj1++QN6tT7QD+1fA:qXglioi0AdNvgDZmJj19QNgHM
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation (process: 7509d9427bf753cf9dafa87adb64c8df.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\braviax = "C:\\Windows\\system32\\braviax.exe" (process: 7509d9427bf753cf9dafa87adb64c8df.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax = "C:\\Windows\\system32\\braviax.exe" (process: 7509d9427bf753cf9dafa87adb64c8df.exe)

Drops file in System32 directory (1 IoC)
Processes:
  File created: C:\Windows\SysWOW64\braviax.exe (process: 7509d9427bf753cf9dafa87adb64c8df.exe)
Note: the Run values point at C:\Windows\system32\braviax.exe while the file was actually created under C:\Windows\SysWOW64\. The sample runs as a 32-bit process on this x64 image (the WOW6432Node Run key and the SysWOW64 cmd.exe child are consistent with that), and WOW64 file-system redirection maps its writes to system32 into SysWOW64. When checking a host for this persistence, look for both paths rather than only the one named in the Run value.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  PID 1684 wrote to memory of 2768: 7509d9427bf753cf9dafa87adb64c8df.exe -> cmd.exe
  PID 1684 wrote to memory of 2768: 7509d9427bf753cf9dafa87adb64c8df.exe -> cmd.exe
  PID 1684 wrote to memory of 2768: 7509d9427bf753cf9dafa87adb64c8df.exe -> cmd.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\7509d9427bf753cf9dafa87adb64c8df.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7509d9427bf753cf9dafa87adb64c8df.exe"
   PID: 1684
   - Checks computer location settings
   - Adds Run key to start application
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat" "
      PID: 2768
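The behaviour recorded in the signature tables and the process tree (a binary running from the user's Temp directory that queries Geo\Nation, writes Run values pointing into a system directory, creates a file under SysWOW64, and hands a Temp batch file to cmd.exe, the usual self-delete step) can be expressed as host-side triage rules. The block below is an added example and is not part of the sandbox report or of the sample: the event records are constructed to reproduce this report's IoCs plus one benign control record, the event schema (type, pid, image, target, value, cmdline) is an assumed generic shape rather than any vendor's log format, and the rule names are hypothetical.

```python
import re

# Assumed generic event schema (not a vendor format): one dict per event with
# "type" in {"registry_query", "registry_set", "file_create", "process_create"}.
# The events below are constructed to mirror this report's IoCs; the last one is
# a benign control (an installer in Program Files registering its own updater).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7509d9427bf753cf9dafa87adb64c8df.exe"
SID = "S-1-5-21-1168293393-3419776239-306423207-1000"
HKU_PREFIX = "\\REGISTRY\\USER\\" + SID + "\\"

EVENTS = [
    {"type": "registry_query", "pid": 1684, "image": SAMPLE,
     "target": HKU_PREFIX + r"Control Panel\International\Geo\Nation"},
    {"type": "registry_set", "pid": 1684, "image": SAMPLE,
     "target": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\braviax",
     "value": r"C:\Windows\system32\braviax.exe"},
    {"type": "registry_set", "pid": 1684, "image": SAMPLE,
     "target": HKU_PREFIX + r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax",
     "value": r"C:\Windows\system32\braviax.exe"},
    {"type": "file_create", "pid": 1684, "image": SAMPLE,
     "target": r"C:\Windows\SysWOW64\braviax.exe"},
    {"type": "process_create", "pid": 2768, "ppid": 1684, "parent_image": SAMPLE,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat" "'},
    {"type": "registry_set", "pid": 4100, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
     "value": r"C:\Program Files\Vendor\update.exe"},
]

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)
# System32 and SysWOW64 are treated alike: a 32-bit dropper's "system32" write
# lands in SysWOW64 through WOW64 redirection, as the file-create IoC above shows.
SYSTEM_DIR = re.compile(r"^[A-Za-z]:\\Windows\\(System32|SysWOW64)\\", re.IGNORECASE)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
BAT_IN_TEMP = re.compile(r'[A-Za-z]:\\[^"]*?\\AppData\\Local\\Temp\\[^"\s]+\.bat', re.IGNORECASE)


def normalize_reg_path(path):
    r"""Map the kernel-style paths the sandbox records (\REGISTRY\MACHINE\...,
    \REGISTRY\USER\<SID>\...) onto the HKLM\ and HKU\<SID>\ form that most
    endpoint telemetry uses, so one rule matches both sources."""
    upper = path.upper()
    for kernel, hive in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")):
        if upper.startswith(kernel):
            return hive + path[len(kernel):]
    return path


def triage(events):
    """Apply the four rules to a list of events; return (rule, pid, detail) hits."""
    hits = []
    for ev in events:
        kind = ev["type"]
        from_temp = bool(USER_TEMP.search(ev.get("image", "")))
        if kind == "registry_query" and GEO_NATION.search(ev["target"]):
            hits.append(("geo_nation_lookup", ev["pid"], normalize_reg_path(ev["target"])))
        elif kind == "registry_set" and RUN_KEY.search(ev["target"]):
            # Persistence: flag only a Run value written by a Temp binary that points
            # into a system directory; the vendor-installer control record is skipped.
            if from_temp and SYSTEM_DIR.match(ev.get("value", "")):
                hits.append(("run_key_from_temp_to_system_dir", ev["pid"],
                             normalize_reg_path(ev["target"])))
        elif kind == "file_create" and from_temp and SYSTEM_DIR.match(ev["target"]):
            hits.append(("temp_binary_drops_into_system_dir", ev["pid"], ev["target"]))
        elif kind == "process_create":
            parent_from_temp = bool(USER_TEMP.search(ev.get("parent_image", "")))
            batch = BAT_IN_TEMP.search(ev.get("cmdline", ""))
            if parent_from_temp and ev["image"].lower().endswith("\\cmd.exe") and batch:
                # Self-delete pattern: the dropper hands a Temp .bat to cmd.exe and exits.
                hits.append(("cmd_runs_batch_from_temp", ev["pid"], batch.group(0)))
    return hits


def summarize(hits):
    """Count hits per rule; this is what gets compared against the report's IoC counts."""
    counts = {}
    for rule, _pid, _detail in hits:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(hit)
    print(summarize(triage(EVENTS)))
```

Run against the constructed events, the rules reproduce the report's counts (one geofence lookup, two Run values, one system-directory drop, one cmd.exe batch launch) and ignore the control record, because the persistence rule requires both a Temp-resident writer and a system-directory target rather than firing on every Run value. The registry-path normaliser is what lets the same rule be reused on live EDR telemetry, which reports HKLM and HKU paths rather than the \REGISTRY\MACHINE form seen in this sandbox output.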
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\delself.bat
  Filesize: 202B
  MD5: 594797a294b4fd617d614eb99ff8493e
  SHA1: c804d7e1eaca1fae08290214a6398b7cfa10d311
  SHA256: 890ea2a7e0da05c2504d9de0cbaaa9f6f4738ceec1b625a5af414f90e1adf848
  SHA512: 1fbfce5498b259b4267eab5d119fbcb55d1c5764b4bdc71dfd13733ef52ad34ac9266177014e475c3f083a5e4c0c3c62ddc96f36515a7020ffdb41becb2bbd61

memory/1684-0-0x0000000000400000-0x000000000040F000-memory.dmp
  Filesize: 60KB

memory/1684-1-0x00000000009B0000-0x00000000009BD000-memory.dmp
  Filesize: 52KB

memory/1684-7-0x0000000000400000-0x000000000040F000-memory.dmp
  Filesize: 60KB