Overview

overview

7

Static

static

3

8f4a490dc7...78.exe

windows7-x64

6

8f4a490dc7...78.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/02/2024, 13:41

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    8f4a490dc751613082e3a9e32592ab78.exe

  • Size

    43KB

  • MD5

    8f4a490dc751613082e3a9e32592ab78

  • SHA1

    61f6e68840fe57c9b2bed376a8a5a132ede0bbf6

  • SHA256

    60a7254518fcb5b5f5707507bb1b0054dae3ea28eb9d311d83049d315e199ba4

  • SHA512

    7928a0a4d92a74af65ead7cef3a0bfef3e2afe8fd7952ea93a186bdf55ffae153af4c2263909c45aa03bd16574f895ab546f9e5fa0e726d95471305e8c350aa7

  • SSDEEP

    768:AsFRB0RRdJ2CyILFzIDvXF9BidETc86ndvn6vgmITABLh85DaPpInp6i659Cg:AyCyILZ0vXFBb6dyvjsBVEi6X

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8f4a490dc751613082e3a9e32592ab78.exe
    "C:\Users\Admin\AppData\Local\Temp\8f4a490dc751613082e3a9e32592ab78.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:4524
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat" "
      2⤵
        PID:5092

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\delself.bat
            Filesize

            202B

            MD5

            c86868b182d40fb0f2f60ab1eaddd65a

            SHA1

            4d87d0806fbbccd5d914f41e9cf4b6b683c7f0b5

            SHA256

            96173328617e14f34c5847de9ff69bc8b3e4cf4e01b49afb59edc5365c705854

            SHA512

            2e92f45bfcb816193a20fd2969eff8b558c0f7cae65030b166a038c481cd1cd160d79653524b7a5b9e33965c48b4d6d0824d1268e4409382642be7f5f900aaf4

            Download Submit

          • memory/4524-0-0x0000000000400000-0x000000000041B000-memory.dmp

            Filesize

            108KB

            Download

          • memory/4524-1-0x00000000005C0000-0x00000000005CA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/4524-4-0x0000000000400000-0x000000000041B000-memory.dmp

            Filesize

            108KB

            Download