Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/01/2024, 15:42

General

  • Target

    8038f55897b6cd309aeb0040e10d485e.exe

  • Size

    70KB

  • MD5

    8038f55897b6cd309aeb0040e10d485e

  • SHA1

    5bc3252533039123260e3545d6f371c9158f1d13

  • SHA256

    39e1e785dba794df0aed87f61d65c8075d35700c049db60734b9b4fef59974c8

  • SHA512

    3fc3344dac3327bc0daf0d40125ba6a46f76f41f26a2fd6c568d3a302556586d588d56dc04cd61b69e96450c234de7ea7dbf353015d9206f98e6dea2d7ad48fc

  • SSDEEP

    768:JC2MhfX7+s82cykJqG8Ov5yQcbJ2UbNkbVXWSmqSj8C1HcGh5ngCaqWiNJqauMc:mhfdxcjJqyv5jcdnbCbYGSj8Rsn/Jq0c

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (2 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Drops file in Windows directory (1 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx (1 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\8038f55897b6cd309aeb0040e10d485e.exe
    "C:\Users\Admin\AppData\Local\Temp\8038f55897b6cd309aeb0040e10d485e.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1280
    • C:\Windows\pcb_build_111_smtp.exe
      "C:\Windows\pcb_build_111_smtp.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:840
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        C:\Users\Admin\AppData\Local\Temp\\svchost.exe
        3⤵
        • Executes dropped EXE
        PID:4540

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\pcb_build_111_smtp.exe

    Filesize
    9KB

    MD5
    0d5a4f8fa9ab1d733c548bd5a4f8c949

    SHA1
    459d6268b35f6ae6ae042f71e2660479aa294a3e

    SHA256
    f7c1093f83be46a14f06431c7092160087bf85eadba2deda1283593d94879dbd

    SHA512
    389cd5cc6478194e39c5a09cc5d4226361551373371dbe7a84ef57e55b538e4a1671a395c73bcb723d3e5badf2b9e680ca77323b57ac3226475015dfd719361f