Analysis
-
max time kernel
142s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
12-02-2024 10:50
Static task
static1
Behavioral task
behavioral1
Sample
96f92cfdee68ecfcf016c2d4104ef397.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
96f92cfdee68ecfcf016c2d4104ef397.exe
Resource
win10v2004-20231215-en
General
-
Target
96f92cfdee68ecfcf016c2d4104ef397.exe
-
Size
5.1MB
-
MD5
96f92cfdee68ecfcf016c2d4104ef397
-
SHA1
c2ed10a3fc906d46450dbcfe082a1f351732c973
-
SHA256
32e15aa26a62761a64dfac28e63e8407c124ce2f823d9c5b67a8365ed902d0b8
-
SHA512
c2a1c02b7b2261b9e962102317dd3eb102db5e59aabac77fed6c39747e80bf5fec3975f27ef018f7ea673c4ecf899cc2e0130d6be19f2ff9c7a42431828e5d38
-
SSDEEP
98304:DUo2jCVAvzvcI06rDWGe+i5Ca6Tt2Sk29seCQdwr783Q0h4gkQ33zcFNHx2I:raCVALER6rmd5lSkebw03Hh4XQ33mR2I
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
96f92cfdee68ecfcf016c2d4104ef397.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation 96f92cfdee68ecfcf016c2d4104ef397.exe -
Executes dropped EXE 2 IoCs
Processes:
7za.exeSetup.exepid Process 2408 7za.exe 4952 Setup.exe -
Processes:
resource yara_rule behavioral2/files/0x000600000002320b-33.dat upx behavioral2/memory/4952-35-0x0000000000400000-0x00000000004C1000-memory.dmp upx behavioral2/memory/4952-38-0x0000000000400000-0x00000000004C1000-memory.dmp upx -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral2/memory/4952-38-0x0000000000400000-0x00000000004C1000-memory.dmp autoit_exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Setup.exepid Process 4952 Setup.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
96f92cfdee68ecfcf016c2d4104ef397.execmd.exedescription pid Process procid_target PID 3320 wrote to memory of 3472 3320 96f92cfdee68ecfcf016c2d4104ef397.exe 85 PID 3320 wrote to memory of 3472 3320 96f92cfdee68ecfcf016c2d4104ef397.exe 85 PID 3320 wrote to memory of 3472 3320 96f92cfdee68ecfcf016c2d4104ef397.exe 85 PID 3472 wrote to memory of 2408 3472 cmd.exe 87 PID 3472 wrote to memory of 2408 3472 cmd.exe 87 PID 3472 wrote to memory of 2408 3472 cmd.exe 87 PID 3472 wrote to memory of 4952 3472 cmd.exe 88 PID 3472 wrote to memory of 4952 3472 cmd.exe 88 PID 3472 wrote to memory of 4952 3472 cmd.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\96f92cfdee68ecfcf016c2d4104ef397.exe"C:\Users\Admin\AppData\Local\Temp\96f92cfdee68ecfcf016c2d4104ef397.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3320 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\extract.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Users\Admin\AppData\Local\Temp\7za.exe.\7za.exe e .\WebPlayerTV.7z -pjesuisadmin -y3⤵
- Executes dropped EXE
PID:2408
-
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe.\Setup.exe3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:4952
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
574KB
MD542badc1d2f03a8b1e4875740d3d49336
SHA1cee178da1fb05f99af7a3547093122893bd1eb46
SHA256c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
SHA5126bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c
-
Filesize
87B
MD59495ff73014b8a17bd4798911ad097fa
SHA171b6db4d7e576cf8b1cbf93079397bc0c1ce46b2
SHA2560a59275adf474e7164e14a7e622ecb93f3a1477958e6e1e0de6d7ae2c6913a33
SHA51255062bb9381ac302367aeb43492613762434da730663891f577e050fcbc0993eaf19e96154adf4d669cb9587d8eef2a7ec96cb02b366db5d5c58b1eefe64ecd3
-
Filesize
387KB
MD5ce68dce74b754a258c414338a0b8b1f9
SHA1ac64f0252ec7097287e52ed1ce55d641c25810c5
SHA256dade0855884933b3e1c4ec86f39883ea8e22c080a25ad8ac71dae915f21fd355
SHA512eeae803d6f4a9f8a8258faec69c6c1d062a7d69d350f49613243c1532185e9532424d0d29b5c30fe83dc9d810f4ea391ee0ed633f21dd49f7b62992ec482319e
-
Filesize
4.7MB
MD554c1975de43ac9df40f51272b3f188af
SHA1db0c7d217cdb83edb58aca81ba0993a66ff442aa
SHA256563ffa816354d3682494d925d32d5fe42a64183f4aaec4d11381794fe47b178e
SHA512cc3160aa0f7b62ae6b1e116508e2c362166985ee4a318bbb94251f84ffc3e10e2298fd06017adfa3d464a95c519e5524a942aac068cc95a6d1e3783f65e43599
-
Filesize
18KB
MD518ecfd10ad618670c9b5a6506aedecd4
SHA1e9659a3ccb3d74302a039d137f2abfb289b6beb1
SHA25611aad77b7086f3422b2befe0fba993d4d172dd7aea24b345c6d84036fb17665e
SHA5120a5ad7da4deb3b93fbf6cbe54cc45f8324e281be21cbdf887c1a727fde88feadb8dc1f6c44df35c6a6dc348ebc53f9a25f761b174495eddfd8013213f7872200
-
Filesize
428B
MD5877875ed7bef4ba5c90f3850e3d39030
SHA19f45f80568fde3a0725e09eb1465a051a5271d6b
SHA256d9fd4afb7ad2c1505a82c244c6c48ce8a377e8ebdd5d157615af7cb222e32697
SHA5125bc55c19e4e2350f7e55adb9658ab07c993160265b577bc0219903519c6c7a12f26c29f887f5e8589b66bdef6f1a7248b24e731db0aca21147c18a69c6bccb0d