Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/02/2024, 14:55

General

  • Target

    976d36fe7df1e6d78740abe7cee4d09c.exe

  • Size

    535KB

  • MD5

    976d36fe7df1e6d78740abe7cee4d09c

  • SHA1

    cd35eadd5689bc5998cdc6bd0441e0eaf7f1e000

  • SHA256

    59f2ea7bae251c4def7224762b8805715bfada576d7b58d346e8f6a59f161008

  • SHA512

    0023b3b0cb4922bd2f40bd510f8face19dd5989c65f32889f28817057a51b3dc5f819dde7ac1dc65b6b6a0b5eb79be8eea0faed18ee8085ce765f4087e615d98

  • SSDEEP

    12288:si4g+yU+0pAiv+q1uQXg3sdZzX2bOwRp/ZzHxUlvjosTdcG93Dn:si4gXn0pD+qAQw3syb3v/delvjRhFJ

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\976d36fe7df1e6d78740abe7cee4d09c.exe
    "C:\Users\Admin\AppData\Local\Temp\976d36fe7df1e6d78740abe7cee4d09c.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3420
    • C:\Users\Admin\AppData\Local\Temp\491F.tmp
      "C:\Users\Admin\AppData\Local\Temp\491F.tmp" --helpC:\Users\Admin\AppData\Local\Temp\976d36fe7df1e6d78740abe7cee4d09c.exe 62EAC8DA70FA2CB46FA6B5F659F6D429686C01F800698C97E1F18E11E8BDBC639DC3E4C26DB0831C2E7FAA7F59027BF19E43E75CB1ECFEA28C615EDA90FA7664
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:3844
      • C:\Users\Admin\AppData\Local\Temp\976d36fe7df1e6d78740abe7cee4d09c.exe
        "C:\Users\Admin\AppData\Local\Temp\976d36fe7df1e6d78740abe7cee4d09c.exe"
        3⤵
        • Executes dropped EXE
        PID:4000

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\491F.tmp

          Filesize

          535KB

          MD5

          d7d7db0b18bd6a749a6f33a3909f30e8

          SHA1

          3ff789af7f69198c57f3a6ad102f6d8355f8aae8

          SHA256

          db654253199a09db78451ce150c1a9f45594d9d26f169b345b575f35fed9f5e2

          SHA512

          4fd526240175e1b822389936ae21555cb56d389a161c44a5081bef6e01dfe66b812eca5e645c9d0d452892a63f59f3cd3620e8ef81ea681b50f3d74c6d55d876

        • C:\Users\Admin\AppData\Local\Temp\976d36fe7df1e6d78740abe7cee4d09c.exe

          Filesize

          255KB

          MD5

          b7fd76103054f562a11ce616d50a0611

          SHA1

          7473656e5a33b9ecc401985f917f65054bcbd16c

          SHA256

          aba5c0bff0442597ff8743b4fe7d28de945b78be01eb88fc4a95cadd1fbee409

          SHA512

          2a2996476dbfdcd50c39c08dc91a179eff4f016013707c9c0972c6e7a0e179b9da4fcff5e2d4d4883a31312bfefdb9a88d1490e1baaa4728a516c5c7f7bdfbd2