Overview

overview

7

Static

static

3

tmp.exe

windows7-x64

tmp.exe

windows10-2004-x64

Analysis

  • max time kernel
    2s
  • max time network
    10s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/02/2024, 21:15

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    28.6MB

  • MD5

    9c61c190bbb22122f489b4f2330ac64f

  • SHA1

    9e37f31e5d0c75f9fa20a1f0cc039e9a7c3564ff

  • SHA256

    5e409a457d9aa726d556f9b2af6d3b58e124f2c277db797210d9181913c00def

  • SHA512

    45a27174751b9e0d87e7cd909504e655f14325c7600ac0167cfa6a6c2b6ada67cf68a86aa6984483296632f69c5543716861082a9c88825a0c0e5c0444a89e7c

  • SSDEEP

    786432:fEcER85ZbJJg93fSChmlZgiWDOnswGP/gsdxjLk+:fEDSHbziphmlZgxDOnkAsdxjLk+

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:456
    • C:\Users\Admin\AppData\Local\Temp\ManCafeServer.exe
      "C:\Users\Admin\AppData\Local\Temp\ManCafeServer.exe"
      2⤵
      • Executes dropped EXE
      PID:4720
      • C:\Windows\SysWOW64\regedit.exe
        "regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\UT\2e34dcdc-f2e6-4f21-b8e3-d5cec507faea.reg"
        3⤵
        • Runs .reg file with regedit
        PID:2372
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa39a6055 /state1:0x41c64e6d
    1⤵
      PID:2208

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\MR_MESSAGE_BOX.dll
      Filesize

      155KB

      MD5

      8edaaee6f263cc2c92c26fd91302b2b8

      SHA1

      a8636c95e62cfc806ae8babdabef022b2606128d

      SHA256

      435cd2428c4be9abbe0c4ef795517856ab2e13aaab63346b852338da04b8c833

      SHA512

      ae6e073157c235f93793b6c23d82f12eaa6ea256144729595271ef7ccb515bd4758cb02daa9ec0d4bc3dc1a9ecb7d8ee8356eca7780cdd7b8f7f068116b2bcae

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ManCafeServer.exe
      Filesize

      5.2MB

      MD5

      11d6c0aa8e47a1b64625c3766fbbcff3

      SHA1

      2157eef8ebdb21d808b64c6f683e5ae4fedbca48

      SHA256

      2e1a2d25f053bb21876df235b2970b6a367c6706dae1d1c4ea75f895e3f00a40

      SHA512

      e808d682096c81b266fb19e818519a8208d1ee0cfd4fbde80942146a4d5ba96290bd0b7ab163a6835b051e57eebb475b45baa55d01133a4de45206e241e13409

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ManCafeServer.exe
      Filesize

      2.3MB

      MD5

      4a884140d13824c3a03df781b6fe2519

      SHA1

      bf51d92d4b5167823a84511ab332d5c6f3238b39

      SHA256

      58b15a8ac68f40f70bf73829876471f7f389e8255b8e3628f8a951615a90700e

      SHA512

      7c55d476af2640fcd3347ca8415791c278d6d42624585d373f810a048bf100fb2dd9c9aef1cf629b6cdf83395c4c3200f792b13e0119f01157732d6fab27f280

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ManCafeServer.exe
      Filesize

      2.2MB

      MD5

      3b8e2bf405b2dac311c98f9b2bb5d24c

      SHA1

      b7b03e3678735fc05e965aa7bfd04638eb38a646

      SHA256

      9591d9e71c54aa26a3fe7441e95d48ca442fc65ae198e6167f24c15c1764ddfb

      SHA512

      2ed296f312fd08d1314693c1f24695ce7deca8764a358cba43fae1359f3decb6ff1dd40a75a02d20c396e21aa6ca166f4fb17aad5f6d0c37146db10288d1df80

      Download Submit

    • memory/4720-131-0x000000000C630000-0x000000000C6C2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4720-128-0x00000000087F0000-0x0000000008EB8000-memory.dmp

      Filesize

      6.8MB

      Download

    • memory/4720-129-0x0000000006290000-0x00000000062A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4720-130-0x000000000CB00000-0x000000000D0A4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4720-127-0x0000000000D60000-0x000000000197C000-memory.dmp

      Filesize

      12.1MB

      Download

    • memory/4720-132-0x000000000C740000-0x000000000C7A6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4720-126-0x0000000072E90000-0x0000000073640000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4720-136-0x0000000007420000-0x0000000007450000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4720-137-0x0000000010630000-0x0000000010698000-memory.dmp

      Filesize

      416KB

      Download

    • memory/4720-138-0x00000000064B0000-0x00000000064BA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4720-139-0x0000000006290000-0x00000000062A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4720-141-0x0000000072E90000-0x0000000073640000-memory.dmp

      Filesize

      7.7MB

      Download