679db6c750a2aad120f0bac9aa5a9ce763efc34533dc4a9ef8fb0e4dec8dd3e3

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b83eb0fc2203cecb23cffe0d5abac21.exe
Size

236KB
MD5

8b83eb0fc2203cecb23cffe0d5abac21
SHA1

0ecc850f42775062132e32e5a2c5a047d9a87328
SHA256

679db6c750a2aad120f0bac9aa5a9ce763efc34533dc4a9ef8fb0e4dec8dd3e3
SHA512

f7e1fdf0f14d8da41c41fe5e1ee35d668f3c6dbcbc4f730d67d47b29659dd2cf96252116d028430dd5b0e4e2e4c7f3528e5049e73497b208e8911ff04f1bd4ca
SSDEEP

1536:kD4g5ePEDxbnQQbmnsvdUMgbhrqgXd09dE8jX1QgQMJj/Er5VqgDR2XSjwT2KrUM:kDjxbQfn+shOgmb/JbEr5I1EUdcP+uGb

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	8b83eb0fc2203cecb23cffe0d5abac21.exe

Executes dropped EXE 2 IoCs

pid	Process
3996	FLVPlayerSetup_1.3.exe
4316	FLVPlayerSetup_1.3.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3996 set thread context of 4316	3996	FLVPlayerSetup_1.3.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4316	FLVPlayerSetup_1.3.exe
4316	FLVPlayerSetup_1.3.exe
4316	FLVPlayerSetup_1.3.exe
4316	FLVPlayerSetup_1.3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3996	FLVPlayerSetup_1.3.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 3996	1208	8b83eb0fc2203cecb23cffe0d5abac21.exe	84
PID 1208 wrote to memory of 3996	1208	8b83eb0fc2203cecb23cffe0d5abac21.exe	84
PID 1208 wrote to memory of 3996	1208	8b83eb0fc2203cecb23cffe0d5abac21.exe	84
PID 3996 wrote to memory of 4316	3996	FLVPlayerSetup_1.3.exe	85
PID 3996 wrote to memory of 4316	3996	FLVPlayerSetup_1.3.exe	85
PID 3996 wrote to memory of 4316	3996	FLVPlayerSetup_1.3.exe	85
PID 3996 wrote to memory of 4316	3996	FLVPlayerSetup_1.3.exe	85
PID 3996 wrote to memory of 4316	3996	FLVPlayerSetup_1.3.exe	85
PID 3996 wrote to memory of 4316	3996	FLVPlayerSetup_1.3.exe	85
PID 3996 wrote to memory of 4316	3996	FLVPlayerSetup_1.3.exe	85
PID 4316 wrote to memory of 3596	4316	FLVPlayerSetup_1.3.exe	52
PID 4316 wrote to memory of 3596	4316	FLVPlayerSetup_1.3.exe	52
PID 4316 wrote to memory of 3596	4316	FLVPlayerSetup_1.3.exe	52
PID 4316 wrote to memory of 3596	4316	FLVPlayerSetup_1.3.exe	52

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3596
- C:\Users\Admin\AppData\Local\Temp\8b83eb0fc2203cecb23cffe0d5abac21.exe
  "C:\Users\Admin\AppData\Local\Temp\8b83eb0fc2203cecb23cffe0d5abac21.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Users\Admin\AppData\Local\Temp\FLVPlayerSetup_1.3.exe
    "C:\Users\Admin\AppData\Local\Temp\FLVPlayerSetup_1.3.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3996
  - - C:\Users\Admin\AppData\Local\Temp\FLVPlayerSetup_1.3.exe
      "C:\Users\Admin\AppData\Local\Temp\FLVPlayerSetup_1.3.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FLVPlayerSetup_1.3.exe

Filesize
197KB

MD5
b57868abfe00304bb2854391dc935e64

SHA1
7f2f764b50cacd92321966bc9af0245f549c8ad2

SHA256
a454b1ea8ef8b5d3cd5cc41de63334a4b25f03f6d33d2962ef000b23ad20efda

SHA512
407bd0393c496087a8258b4e1254c2432c4a706dcc5c32e95031276cfc6b11a5dfe4f1082af872d6db2dacf2dbe47d1c8713436021171b036bbf37797d6a5577

Download Submit
memory/3596-22-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/3596-23-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

Filesize
4KB

Download
memory/4316-14-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4316-17-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4316-18-0x0000000000400000-0x00000000004083A0-memory.dmp

Filesize
32KB

Download
memory/4316-19-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4316-20-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/4316-28-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download