Overview

overview

7

Static

static

3

7ee3ed3120...31.exe

windows7-x64

7

7ee3ed3120...31.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/01/2024, 04:29

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    7ee3ed3120050479710e20a16ca83631.exe

  • Size

    395KB

  • MD5

    7ee3ed3120050479710e20a16ca83631

  • SHA1

    a667ffe5a53d4bbc0bff2ab835e02fa7aa1150e3

  • SHA256

    8d2e67921a53595e58ec39f8a7553be20b28448f3a01f949a8c7d8e6c464b622

  • SHA512

    9519abff1bac05b178a35bbb308008126ce322c960141fe4ac7eec9d55e97877916ce5f3058b27b620dc6c3bfa442c56406622495b1bd462d682c0ed27222547

  • SSDEEP

    6144:d8cL5nzdHT6Z1iV26cqG9xWjXbH63/HmhN3GlFbl3XYt5y:bRzZTSR6zWxK+PAN2B3o7y

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Runs net.exe
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ee3ed3120050479710e20a16ca83631.exe
    "C:\Users\Admin\AppData\Local\Temp\7ee3ed3120050479710e20a16ca83631.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Users\Admin\AppData\Local\Temp\7ee3ed3120050479710e20a16ca83631.exe
      C:\Users\Admin\AppData\Local\Temp\7ee3ed3120050479710e20a16ca83631.exe
      2⤵
      • Checks computer location settings
      • Drops file in Windows directory
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Windows\SysWOW64\net.exe
        net stop "mcshield"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4452
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "mcshield"
          4⤵
            PID:2392
        • C:\Windows\SysWOW64\net.exe
          net stop "Norton Antivirus Auto Protect Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2372
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
            4⤵
              PID:4236
          • C:\Windows\Tibia.exe
            "C:\Windows\Tibia.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2848
            • C:\Windows\Tibia.exe
              StubPath
              4⤵
              • Executes dropped EXE
              PID:2808
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 460
                5⤵
                • Program crash
                PID:4352
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2808 -ip 2808
        1⤵
          PID:4044

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\temp..zip
                Filesize

                5KB

                MD5

                73495c42be54dc72f1b0d8178d74f129

                SHA1

                04e56b365fd7febe4a2d0d099caaf694ae7434f8

                SHA256

                950bb6b61c65699e92f5645f895d0b7fa9310ae467637b104f1d4d635f4735d5

                SHA512

                8e212c6438ac71fc86f95b1088fa2999a3021df5ae95e42fc17fe4abeec0ccbbcbead8cd05ce436590a4f563fae78a4d1955322c0dfed482c6d5b3f0dc121715

                Download Submit

              • C:\Windows\Tibia.exe
                Filesize

                8KB

                MD5

                94e271fda1196e2f659ca875bbff093f

                SHA1

                bf452c579620b6483bea0c1519926ea77baaf2c8

                SHA256

                ce549dca6c4fc0a119d4a1eea560b21f6293521e9451ae33b3cbde06f63a0009

                SHA512

                67aae0ba5b60c3095754164a4db77057590372a4fb0d47b5a0778d01439e1aae9558fb4e4abc239ac4bf3326c0eb254d28661d06d3c770dcb154c59ed5022a05

                Download Submit

              • memory/2160-0-0x0000000063400000-0x000000006345F000-memory.dmp

                Filesize

                380KB

                Download

              • memory/2160-2-0x00000000022A0000-0x00000000022A1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2160-4-0x0000000063400000-0x000000006345F000-memory.dmp

                Filesize

                380KB

                Download

              • memory/2680-5-0x0000000063400000-0x000000006345F000-memory.dmp

                Filesize

                380KB

                Download

              • memory/2680-6-0x0000000000400000-0x0000000000409000-memory.dmp

                Filesize

                36KB

                Download

              • memory/2680-1-0x0000000000400000-0x0000000000409000-memory.dmp

                Filesize

                36KB

                Download

              • memory/2680-49-0x0000000000400000-0x0000000000409000-memory.dmp

                Filesize

                36KB

                Download

              • memory/2848-48-0x0000000000400000-0x0000000000402000-memory.dmp

                Filesize

                8KB

                Download