b009169a2965f738e64c5636ba9c38d8859e11b8b8d2c5d48869eac0da975085

Analysis

max time kernel
137s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2024, 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

778efeeba34cb65c696d8054e2c1bd24.exe
Size

298KB
MD5

778efeeba34cb65c696d8054e2c1bd24
SHA1

4da1799c8d83cf93364699cb90f07242208f5794
SHA256

b009169a2965f738e64c5636ba9c38d8859e11b8b8d2c5d48869eac0da975085
SHA512

d0f027403e0e79fd302e7046a4e423ae4f12436b7c3fa3f65d57f7fdff37f68734a18cb00f915e82379029b51192edffe84b6b4b2bfbc8d2f3a5c33ee9860ff4
SSDEEP

6144:54lRkAehaKuqT+FjAgDR6VCjX34JKADBrk3dkJHq4b:5kWAehJuqTroWCbIJKark3SJHq4b

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	778efeeba34cb65c696d8054e2c1bd24.exe

Executes dropped EXE 1 IoCs

pid	Process
3996	flash.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4420	3996	WerFault.exe	88

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3996	flash.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 3996	4888	778efeeba34cb65c696d8054e2c1bd24.exe	88
PID 4888 wrote to memory of 3996	4888	778efeeba34cb65c696d8054e2c1bd24.exe	88
PID 4888 wrote to memory of 3996	4888	778efeeba34cb65c696d8054e2c1bd24.exe	88

C:\Users\Admin\AppData\Local\Temp\778efeeba34cb65c696d8054e2c1bd24.exe
"C:\Users\Admin\AppData\Local\Temp\778efeeba34cb65c696d8054e2c1bd24.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\flash.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\flash.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 692
    3⤵
    - Program crash
    PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3996 -ip 3996
1⤵
PID:3112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\flash.exe

Filesize
118KB

MD5
4cda2afba43485f8f4eca4c6938815a2

SHA1
ee0fa02a0f2523703967d15de59bbe872f2b50df

SHA256
ba127bc5d12de76189ed20ee8c2c212236ab6229717814723253889930baa225

SHA512
a2d6966b79a9215e32670d43e0cf3159f67635028df4a57a1fee4e65b163c05bc6a4f4c37408a42dfa9947c393b49114d14afc843a2acf39340cb3d88224c2a6

Download Submit