Overview

overview

7

Static

static

1

InstalIer2...31.rar

windows10-2004-x64

7

Resubmissions

26/01/2024, 19:54

240126-ymwk2sefhl 7

26/01/2024, 19:50

240126-ykk2jadca8 7

Analysis

  • max time kernel
    67s
  • max time network
    78s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/01/2024, 19:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    [email protected]

  • Size

    37.5MB

  • MD5

    5e584ead9246ddfde60222ba2e720fa7

  • SHA1

    2cd05041d5767d5b5d4f5ff014b22a8eadf0eab0

  • SHA256

    34695dd990c97f464a0f2901438e86ab256488f8e40d9af88e394c58986004c5

  • SHA512

    68ba88ad19601094e9724e58e244b9f81d79d83694a6fe2dd1eb708bca0dcebc6736bec756c93f34655c1cb0610a02d641821353b11e97e4f2a157e7c7eea4c1

  • SSDEEP

    786432:LxTOUNWg7QmlV5cZP+VyQd3hqf8xlHyZvTf8JfRHyKWec/X0IfdEj:Lx6UNWwVhQWVg8Py4p9kXFqj

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\[email protected]
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4256
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\[email protected]"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:712
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4308
    • C:\Users\Admin\Desktop\InstalIer2024__P@s3w0rd---1231\linstaIler2024.exe
      "C:\Users\Admin\Desktop\InstalIer2024__P@s3w0rd---1231\linstaIler2024.exe"
      1⤵
      • Executes dropped EXE
      PID:3180
      • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        2⤵
          PID:1676
      • C:\Users\Admin\Desktop\InstalIer2024__P@s3w0rd---1231\linstaIler2024.exe
        "C:\Users\Admin\Desktop\InstalIer2024__P@s3w0rd---1231\linstaIler2024.exe"
        1⤵
        • Executes dropped EXE
        PID:2188

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\Desktop\InstalIer2024__P@s3w0rd---1231\linstaIler2024.exe
        Filesize

        904KB

        MD5

        a99be8d261780339aeaaf6ab2c14bfeb

        SHA1

        b50741572ab2d1144e3c49490905c227622c2d81

        SHA256

        1749353b1e49457424d82d61d74df3929505ffd9f9841a5337fb50b441f3e649

        SHA512

        6090421c78c0fd76afd21ca3f193c7a557013fdc18af6ebb6707ae07a1c2594c6aeca7461682ac251f4ffec5893f38c8d23bab3824718a2ed4e50d52ca718e4e

        Download Submit

      • C:\Users\Admin\Desktop\InstalIer2024__P@s3w0rd---1231\linstaIler2024.exe
        Filesize

        801KB

        MD5

        1dc0c77bad19e6cfcb0165db3b59880d

        SHA1

        d34c83dbb97399176d978aef88e5f7ad1212677d

        SHA256

        cd4924d97b3758a4f0756c752912bdc0cbbf256c7f166b7267f2cc104c5a0606

        SHA512

        d80db59cc51a803936667fd154328a1b2f83cc856830943ebf7ce4a7fd84f3b6ee3bb70092f66d57822e59f0bffe06adbcf7694af4c14da0dfea0238d14656d6

        Download Submit

      • C:\Users\Admin\Desktop\InstalIer2024__P@s3w0rd---1231\linstaIler2024.exe
        Filesize

        642KB

        MD5

        03470d4862c70d3acab918386b28d2a5

        SHA1

        842d1f041f3e72f7f050a854415ed16eea0411d8

        SHA256

        da7dae0cdb71267f0ef3b6b1da98aba8ca5b7ae61cbb8b3b85e261adc420081d

        SHA512

        8984eb4938fa4b1d25a49e89ee6a02d6edd929070a7378a3b8dc8b37b3a8c1bd694ffac49a3d9fe47987c56b4853644d858c23991c15a1d6fa17878ebe89b570

        Download Submit

      • memory/1676-380-0x0000000000840000-0x0000000000872000-memory.dmp

        Filesize

        200KB

        Download

      • memory/1676-372-0x0000000000610000-0x0000000000693000-memory.dmp

        Filesize

        524KB

        Download

      • memory/1676-375-0x0000000000610000-0x0000000000693000-memory.dmp

        Filesize

        524KB

        Download

      • memory/1676-377-0x0000000000840000-0x0000000000872000-memory.dmp

        Filesize

        200KB

        Download

      • memory/1676-381-0x0000000000840000-0x0000000000872000-memory.dmp

        Filesize

        200KB

        Download

      • memory/1676-379-0x0000000000840000-0x0000000000872000-memory.dmp

        Filesize

        200KB

        Download

      • memory/1676-378-0x0000000000840000-0x0000000000872000-memory.dmp

        Filesize

        200KB

        Download

      • memory/1676-376-0x0000000000610000-0x0000000000693000-memory.dmp

        Filesize

        524KB

        Download

      • memory/1676-382-0x0000000000610000-0x0000000000693000-memory.dmp

        Filesize

        524KB

        Download

      • memory/3180-373-0x00007FF609390000-0x00007FF60BD97000-memory.dmp

        Filesize

        42.0MB

        Download

      • memory/3180-368-0x00007FF609390000-0x00007FF60BD97000-memory.dmp

        Filesize

        42.0MB

        Download