Analysis
max time kernel: 145s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 12/02/2024, 14:55
Static task: static1
Behavioral task: behavioral1
  Sample: 976d36fe7df1e6d78740abe7cee4d09c.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 976d36fe7df1e6d78740abe7cee4d09c.exe
  Resource: win10v2004-20231215-en
General
Target: 976d36fe7df1e6d78740abe7cee4d09c.exe
Size: 535KB
MD5: 976d36fe7df1e6d78740abe7cee4d09c
SHA1: cd35eadd5689bc5998cdc6bd0441e0eaf7f1e000
SHA256: 59f2ea7bae251c4def7224762b8805715bfada576d7b58d346e8f6a59f161008
SHA512: 0023b3b0cb4922bd2f40bd510f8face19dd5989c65f32889f28817057a51b3dc5f819dde7ac1dc65b6b6a0b5eb79be8eea0faed18ee8085ce765f4087e615d98
SSDEEP: 12288:si4g+yU+0pAiv+q1uQXg3sdZzX2bOwRp/ZzHxUlvjosTdcG93Dn:si4gXn0pD+qAQw3syb3v/delvjRhFJ
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation
  process: 491F.tmp
-
Executes dropped EXE (2 IoCs)
  pid 3844: 491F.tmp
  pid 4000: 976d36fe7df1e6d78740abe7cee4d09c.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: RenamesItself (1 IoC)
  pid 3844: 491F.tmp
-
Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 3420 wrote to memory of 3844 | 3420 | 976d36fe7df1e6d78740abe7cee4d09c.exe | 85
  PID 3420 wrote to memory of 3844 | 3420 | 976d36fe7df1e6d78740abe7cee4d09c.exe | 85
  PID 3420 wrote to memory of 3844 | 3420 | 976d36fe7df1e6d78740abe7cee4d09c.exe | 85
  PID 3844 wrote to memory of 4000 | 3844 | 491F.tmp | 86
  PID 3844 wrote to memory of 4000 | 3844 | 491F.tmp | 86
  PID 3844 wrote to memory of 4000 | 3844 | 491F.tmp | 86
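The script below is an added example and is not part of the sandbox report. It parses the six WriteProcessMemory IoC records and the two "Executes dropped EXE" records from this page (embedded as constructed input copied from the text above), collapses the repeated records into unique writer-to-target edges with a call count, labels each pid with its process name, and follows the edges from the submitted sample's pid to print the chain. The record layout it assumes is "PID <writer> wrote to memory of <target> <pid> <process> <procid_target>"; all function names are the example's own.

```python
"""Rebuild the WriteProcessMemory chain from flattened sandbox IoC records."""
import re
from collections import Counter

# Constructed input: the WriteProcessMemory records copied from this report.
WPM_RECORDS = """
PID 3420 wrote to memory of 3844 3420 976d36fe7df1e6d78740abe7cee4d09c.exe 85
PID 3420 wrote to memory of 3844 3420 976d36fe7df1e6d78740abe7cee4d09c.exe 85
PID 3420 wrote to memory of 3844 3420 976d36fe7df1e6d78740abe7cee4d09c.exe 85
PID 3844 wrote to memory of 4000 3844 491F.tmp 86
PID 3844 wrote to memory of 4000 3844 491F.tmp 86
PID 3844 wrote to memory of 4000 3844 491F.tmp 86
"""

# Constructed input: the "Executes dropped EXE" records (pid, process name pairs).
DROPPED_EXE_RECORDS = "3844 491F.tmp 4000 976d36fe7df1e6d78740abe7cee4d09c.exe"

# Assumed record layout (example's own): description, pid, process, procid_target.
WPM_RE = re.compile(
    r"PID (?P<writer>\d+) wrote to memory of (?P<target>\d+)\s+"
    r"(?P<pid>\d+)\s+(?P<proc>\S+)\s+(?P<procid_target>\d+)$"
)


def parse_wpm(text):
    """Return one (writer_pid, target_pid, writer_name) tuple per record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = WPM_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised record: {line!r}")
        if m["writer"] != m["pid"]:
            # The description and the pid column must name the same writer.
            raise ValueError(f"pid mismatch in record: {line!r}")
        records.append((int(m["writer"]), int(m["target"]), m["proc"]))
    return records


def parse_dropped(text):
    """'3844 491F.tmp 4000 x.exe' -> {3844: '491F.tmp', 4000: 'x.exe'}."""
    toks = text.split()
    return {int(toks[i]): toks[i + 1] for i in range(0, len(toks), 2)}


def write_edges(records):
    """Collapse repeated records into unique writer->target edges with counts."""
    return Counter((writer, target) for writer, target, _ in records)


def process_names(records, dropped):
    """pid -> name, from the dropped-EXE list plus each record's writer column."""
    names = dict(dropped)
    for writer, _, proc in records:
        names.setdefault(writer, proc)
    return names


def chain_from(root, edges, names):
    """Follow writer->target edges from root; stops at a leaf or on a cycle."""
    chain, seen, cur = [root], {root}, root
    while True:
        nxt = sorted(t for (w, t) in edges if w == cur and t not in seen)
        if not nxt:
            break
        cur = nxt[0]  # this report has exactly one target per writer
        seen.add(cur)
        chain.append(cur)
    return " -> ".join(f"{names.get(p, '?')} ({p})" for p in chain)


if __name__ == "__main__":
    recs = parse_wpm(WPM_RECORDS)
    edges = write_edges(recs)
    names = process_names(recs, parse_dropped(DROPPED_EXE_RECORDS))
    for (w, t), n in sorted(edges.items()):
        print(f"{names[w]} ({w}) wrote to {names[t]} ({t}) x{n}")
    print(chain_from(3420, edges, names))
```

The chain this prints is the same path the process tree shows (3420 spawns 3844, which spawns 4000): each writer is the parent of the process it writes into, with three writes per pair. That is the shape of ordinary process creation, so this signature on its own does not distinguish a parent setting up its child from injection into an unrelated process; the dropped-and-renamed 491F.tmp stage and the re-launch of the sample are the parts worth following up.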
Processes
1. C:\Users\Admin\AppData\Local\Temp\976d36fe7df1e6d78740abe7cee4d09c.exe (PID 3420)
   command line: "C:\Users\Admin\AppData\Local\Temp\976d36fe7df1e6d78740abe7cee4d09c.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\491F.tmp (PID 3844)
      command line: "C:\Users\Admin\AppData\Local\Temp\491F.tmp" --helpC:\Users\Admin\AppData\Local\Temp\976d36fe7df1e6d78740abe7cee4d09c.exe 62EAC8DA70FA2CB46FA6B5F659F6D429686C01F800698C97E1F18E11E8BDBC639DC3E4C26DB0831C2E7FAA7F59027BF19E43E75CB1ECFEA28C615EDA90FA7664
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\976d36fe7df1e6d78740abe7cee4d09c.exe (PID 4000)
         command line: "C:\Users\Admin\AppData\Local\Temp\976d36fe7df1e6d78740abe7cee4d09c.exe"
         - Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 535KB
MD5: d7d7db0b18bd6a749a6f33a3909f30e8
SHA1: 3ff789af7f69198c57f3a6ad102f6d8355f8aae8
SHA256: db654253199a09db78451ce150c1a9f45594d9d26f169b345b575f35fed9f5e2
SHA512: 4fd526240175e1b822389936ae21555cb56d389a161c44a5081bef6e01dfe66b812eca5e645c9d0d452892a63f59f3cd3620e8ef81ea681b50f3d74c6d55d876
-
Filesize: 255KB
MD5: b7fd76103054f562a11ce616d50a0611
SHA1: 7473656e5a33b9ecc401985f917f65054bcbd16c
SHA256: aba5c0bff0442597ff8743b4fe7d28de945b78be01eb88fc4a95cadd1fbee409
SHA512: 2a2996476dbfdcd50c39c08dc91a179eff4f016013707c9c0972c6e7a0e179b9da4fcff5e2d4d4883a31312bfefdb9a88d1490e1baaa4728a516c5c7f7bdfbd2