Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-01-2024 17:49
Static task: static1
Behavioral task: behavioral1
- Sample: 75223dcf04ed991c3c6285b3a8fcfeb9.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 75223dcf04ed991c3c6285b3a8fcfeb9.exe
- Resource: win10v2004-20231215-en
General
-
Target
75223dcf04ed991c3c6285b3a8fcfeb9.exe
-
Size
143KB
-
MD5
75223dcf04ed991c3c6285b3a8fcfeb9
-
SHA1
3e829e04b2b5e0dec8deb30b03de94771894a09d
-
SHA256
3be80cfa604086072f7763041a1324bce517f90d67d401c81a8297ed60699f99
-
SHA512
79263f738fb2e2b0d293d8a6ea53f381afaade88688b21144239bb0be6730c632089b11d8b87c6a813bff5cf53e67537b7723bc9df7d30848315903a81e5a1c0
-
SSDEEP
3072:XJqmWJGq7dW9p6ra8cWaBCFW4fFFrdEMPXgbnVfAW3hpSt:smmdUv8cWaBCFW4tZ+kXgbnGKpS
Malware Config
Signatures
-
Modifies AppInit DLL entries 2 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
75223dcf04ed991c3c6285b3a8fcfeb9.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | 75223dcf04ed991c3c6285b3a8fcfeb9.exe
-
Loads dropped DLL 2 IoCs
Processes:
75223dcf04ed991c3c6285b3a8fcfeb9.exe, cmd.exe
pid | process
4804 | 75223dcf04ed991c3c6285b3a8fcfeb9.exe
916 | cmd.exe
-
Drops file in System32 directory 1 IoCs
Processes:
75223dcf04ed991c3c6285b3a8fcfeb9.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\ddoddump.dll | 75223dcf04ed991c3c6285b3a8fcfeb9.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
WerFault.exe, WerFault.exe
pid | pid_target | process | target process
3368 | 4804 | WerFault.exe | 75223dcf04ed991c3c6285b3a8fcfeb9.exe
5104 | 916 | WerFault.exe | cmd.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
75223dcf04ed991c3c6285b3a8fcfeb9.exe
pid | process
4804 | 75223dcf04ed991c3c6285b3a8fcfeb9.exe
4804 | 75223dcf04ed991c3c6285b3a8fcfeb9.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
75223dcf04ed991c3c6285b3a8fcfeb9.exe, cmd.exe
description | pid | process | target process
PID 4804 wrote to memory of 3392 | 4804 | 75223dcf04ed991c3c6285b3a8fcfeb9.exe | Explorer.EXE
PID 4804 wrote to memory of 916 | 4804 | 75223dcf04ed991c3c6285b3a8fcfeb9.exe | cmd.exe
PID 4804 wrote to memory of 916 | 4804 | 75223dcf04ed991c3c6285b3a8fcfeb9.exe | cmd.exe
PID 4804 wrote to memory of 916 | 4804 | 75223dcf04ed991c3c6285b3a8fcfeb9.exe | cmd.exe
PID 916 wrote to memory of 4924 | 916 | cmd.exe | attrib.exe
PID 916 wrote to memory of 4924 | 916 | cmd.exe | attrib.exe
PID 916 wrote to memory of 4924 | 916 | cmd.exe | attrib.exe
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3392
-
C:\Users\Admin\AppData\Local\Temp\75223dcf04ed991c3c6285b3a8fcfeb9.exe
"C:\Users\Admin\AppData\Local\Temp\75223dcf04ed991c3c6285b3a8fcfeb9.exe"
2⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4804
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240611437.bat" "C:\Users\Admin\AppData\Local\Temp\75223dcf04ed991c3c6285b3a8fcfeb9.exe""
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:916
-
C:\Windows\SysWOW64\attrib.exe
attrib -r -s -h"C:\Users\Admin\AppData\Local\Temp\75223dcf04ed991c3c6285b3a8fcfeb9.exe"
4⤵
- Views/modifies file attributes
PID:4924
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 524
4⤵
- Program crash
PID:5104
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 1280
3⤵
- Program crash
PID:3368
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4804 -ip 4804
1⤵
PID:4800
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 916 -ip 916
1⤵
PID:1344
Network
MITRE ATT&CK Enterprise v15