Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/01/2024, 21:11

General

  • Target

    7b49a7999428556c109be5771dce3b2e.exe

  • Size

    455KB

  • MD5

    7b49a7999428556c109be5771dce3b2e

  • SHA1

    2b539957e2c9720bfc1f4018448803f0399cb421

  • SHA256

    7d01c814e4dc147036470e958c30ec7daa1a2140961e6865d0d6b2db40c66d46

  • SHA512

    ab3e7fc465603c98b20a6e8bab8bb9af3c702b2992d24e437ee80b9e6b68fd7775e507df24bf39963368ad55d2f1ff1250b271d93784450ca68e3f238a0b60d6

  • SSDEEP

    12288:tPUdz/leuYergLm9AhJ4rhFkpMMnMMMMME0bJvQI6xMdI0+6DtByCVwHM1a:tsN/leuZz8W7kpMMnMMMMME029s+6RwH

Score
8/10

Malware Config

Signatures

  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b49a7999428556c109be5771dce3b2e.exe
    "C:\Users\Admin\AppData\Local\Temp\7b49a7999428556c109be5771dce3b2e.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3716
    • C:\ProgramData\cRdQIGspBdjhpow.exe
      "C:\ProgramData\cRdQIGspBdjhpow.exe"
      2⤵
      • Executes dropped EXE
      • Maps connected drives based on registry
      • Suspicious behavior: EnumeratesProcesses
      PID:4256

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\cRdQIGspBdjhpow.exe

    Filesize

    455KB

    MD5

    7b49a7999428556c109be5771dce3b2e

    SHA1

    2b539957e2c9720bfc1f4018448803f0399cb421

    SHA256

    7d01c814e4dc147036470e958c30ec7daa1a2140961e6865d0d6b2db40c66d46

    SHA512

    ab3e7fc465603c98b20a6e8bab8bb9af3c702b2992d24e437ee80b9e6b68fd7775e507df24bf39963368ad55d2f1ff1250b271d93784450ca68e3f238a0b60d6

  • memory/3716-0-0x0000000002E60000-0x0000000003DF0000-memory.dmp

    Filesize

    15.6MB

  • memory/3716-1-0x00000000006A0000-0x00000000008E9000-memory.dmp

    Filesize

    2.3MB

  • memory/3716-15-0x00000000006A0000-0x00000000008E9000-memory.dmp

    Filesize

    2.3MB

  • memory/4256-13-0x0000000002F60000-0x0000000004260000-memory.dmp

    Filesize

    19.0MB

  • memory/4256-14-0x0000000000A10000-0x0000000000C59000-memory.dmp

    Filesize

    2.3MB

  • memory/4256-16-0x0000000000A10000-0x0000000000C59000-memory.dmp

    Filesize

    2.3MB