Overview

overview

10

Static

static

3

8f5e361595...41.exe

windows7-x64

1

8f5e361595...41.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-02-2024 14:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8f5e361595c824590364e1905f9a4e41.exe

  • Size

    35KB

  • MD5

    8f5e361595c824590364e1905f9a4e41

  • SHA1

    07532614ffd292c639894dd0dff015df32edaab1

  • SHA256

    f5897a5c5b5cf936cc709a31f469067263f5eeed12c59a07ea2ddbfc9be890f8

  • SHA512

    4f019e7b85a3b69554df0c7578485f1424da3b582997173762d35539556de63450b3b74bf64c681c189f749f174122d35d640ff26bd512f92804c98da94718ed

  • SSDEEP

    768:KSFa2tn9m9VTXiOjO4ZcfnnknZNuqBkr2SbH5:KSw2XmrTXljORMZTW2y

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8f5e361595c824590364e1905f9a4e41.exe
    "C:\Users\Admin\AppData\Local\Temp\8f5e361595c824590364e1905f9a4e41.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3716
    • C:\Windows\SysWOW64\sovlost.exe
      "C:\Windows\system32\sovlost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1428
    • C:\Windows\SysWOW64\sychost.exe
      "C:\Windows\system32\sychost.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2908
      • C:\Windows\SysWOW64\sichost.exe
        "C:\Windows\system32\sichost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3272
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 1296
          4⤵
          • Program crash
          PID:2216
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 1304
          4⤵
          • Program crash
          PID:5092
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 760
      2⤵
      • Program crash
      PID:4012
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 768
      2⤵
      • Program crash
      PID:3640
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3716 -ip 3716
    1⤵
      PID:2988
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3716 -ip 3716
      1⤵
        PID:1276
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3272 -ip 3272
        1⤵
          PID:5048
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3272 -ip 3272
          1⤵
            PID:2536

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\SysWOW64\discard.ini
            Filesize

            91B

            MD5

            a5d0e8366838ae4e090914dbdea139a9

            SHA1

            5e1342bfb3d3d142835c2584cd31f49604e4508e

            SHA256

            3bb5ff78a77aa2b36925b4a50a50065c5239cb0d88495ad83a6dfb93a9c6b66e

            SHA512

            ee9ac4c5f98932b85f2bbb3b6502d862402b760ed4a78acb6b7051e5dcb99b358401d1f16f89a1c65b0cfbcd4348e952509ed606d371e9d9be8e7565d74fa83a

            Download Submit

          • C:\Windows\SysWOW64\discard.ini
            Filesize

            26B

            MD5

            d8ab3ea023fda33b8017ccc4748534f8

            SHA1

            e5c8b0f40ed03ad98f0d207ee073af2ee925db78

            SHA256

            14776c2d9c1446833752ec1c0686cc74bee4c3bd3036b3ad7cf51249ebe381ab

            SHA512

            0a6ab8641e77dcdc9b33e49462404aaf43ca549122d6fd5afc72448b5f50558859657d64d66d38415e752c05abaa225e545310986516eb1af0f691ff690ec5e0

            Download Submit

          • C:\Windows\SysWOW64\sichost.exe
            Filesize

            35KB

            MD5

            8f5e361595c824590364e1905f9a4e41

            SHA1

            07532614ffd292c639894dd0dff015df32edaab1

            SHA256

            f5897a5c5b5cf936cc709a31f469067263f5eeed12c59a07ea2ddbfc9be890f8

            SHA512

            4f019e7b85a3b69554df0c7578485f1424da3b582997173762d35539556de63450b3b74bf64c681c189f749f174122d35d640ff26bd512f92804c98da94718ed

            Download Submit

          • C:\Windows\SysWOW64\sovlost.exe
            Filesize

            20KB

            MD5

            33bb2a692bd2dada7d6f7a574dce9305

            SHA1

            e18ab04b0f3d4cd7c968bd0c0b3b6d1ffd66b96b

            SHA256

            af27d3417da82b642c67a80d6d98f815b9ebf333e8038c9f4446ae598475afb7

            SHA512

            474a626a2d598a9be2cbba06257d5dc9115cf6b099df804a9e7860965dec03df365e4d351088ec04ac6c2d53c047db71007d01ec5e6258e67bd5f20c71195b23

            Download Submit

          • C:\Windows\SysWOW64\ssdtti.sys
            Filesize

            2KB

            MD5

            1e14c892a6d3bd78c5508a13873b9e7b

            SHA1

            a817f4492fd9b0013eda6cb45624af8ce4b04efa

            SHA256

            99cc0877502487b5d58ce9921366fbd299253673c33c8b4d67fc872323dc334e

            SHA512

            11b0393308cb5239c4f0a7c31d6fd09e03c7a623941d1c408f1ab4119ba4089382a57db7a52990009f20ec54eb71dff2aafd6c75a0c17789edabf6f85dd298e6

            Download Submit

          • C:\Windows\SysWOW64\sychost.exe
            Filesize

            20KB

            MD5

            abdb1a784dcaefcbfb8af28599293f4f

            SHA1

            f1601133a072db15d5941628549544771a9a264c

            SHA256

            e7fa8bd434c1ca284b24e16b49ce888523af62dbdffc51325e467807796d12b1

            SHA512

            8880edc42b33d750c731fdb94382edb608df31338bb882179c45b4b6873c168f12ae4854d1b01e2c58f9b56d4003adad6a18f8e5b3312e25a5b6cf7423d709c3

            Download Submit

          • memory/3272-43-0x0000000000620000-0x0000000000621000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3272-45-0x0000000000400000-0x000000000045D000-memory.dmp

            Filesize

            372KB

            Download

          • memory/3716-0-0x0000000000400000-0x000000000045D000-memory.dmp

            Filesize

            372KB

            Download

          • memory/3716-1-0x0000000000620000-0x0000000000621000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3716-39-0x0000000000400000-0x000000000045D000-memory.dmp

            Filesize

            372KB

            Download

          • memory/3716-42-0x0000000000620000-0x0000000000621000-memory.dmp

            Filesize

            4KB

            Download