Overview

overview

8

Static

static

3

993ad3fa6d...56.exe

windows7-x64

8

993ad3fa6d...56.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/02/2024, 10:50

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    993ad3fa6dbef1ce5a9a0ab45eba1e56.exe

  • Size

    181KB

  • MD5

    993ad3fa6dbef1ce5a9a0ab45eba1e56

  • SHA1

    29260f9aef64454d0f6ac35c0bb772e94d975725

  • SHA256

    90253a8d6f9670668b7e20d5eaafa59081674c2fa547d85e472ae61a00933cd4

  • SHA512

    b71ca010424977c2d95af42fe8502d806b8839209054a4bb8a65f6455d8229cf370aa3c3a61fbe7b8eea0ffaafe1ead2df7d94621b93d8b5a1f003d4f458864d

  • SSDEEP

    3072:uHZxhrqtQuUkP9XsZUD1yGw8aUEDMnud7/Z8mVAfSil1wMRN7p8QoGCFUwzwQ0+9:UqtQ7MRFD1yGvaZM7mw1wWN2GPwrW8

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\993ad3fa6dbef1ce5a9a0ab45eba1e56.exe
    "C:\Users\Admin\AppData\Local\Temp\993ad3fa6dbef1ce5a9a0ab45eba1e56.exe"
    1⤵
    • Disables RegEdit via registry modification
    • Modifies Installed Components in the registry
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\REGSVR.EXE
      "C:\Windows\REGSVR.EXE" C:\Users\Admin\AppData\Local\Temp\993ad3fa6dbef1ce5a9a0ab45eba1e56.exe
      2⤵
      • Disables RegEdit via registry modification
      • Modifies Installed Components in the registry
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: GetForegroundWindowSpam
      PID:4852

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\eshgh.jpg
          Filesize

          167KB

          MD5

          e0b6b7da6549183b91bdef956bf6517c

          SHA1

          4cc3e1aeb7a7f85bcca43a93e10a3a421b4b404b

          SHA256

          824e67dde1a27543c472ac49334781a2ba470d05e3d72f4c54675096e323971a

          SHA512

          6156ccde6922ba93ff652b9382410d1c05a8cce9c507cb46095c7b0f395e52bf5b237857e6d0e64d5a21636c6b7543e7222137f96879db3149941c513292ef77

          Download Submit

        • C:\Windows\SysWOW64\Tapi32init.exe
          Filesize

          181KB

          MD5

          993ad3fa6dbef1ce5a9a0ab45eba1e56

          SHA1

          29260f9aef64454d0f6ac35c0bb772e94d975725

          SHA256

          90253a8d6f9670668b7e20d5eaafa59081674c2fa547d85e472ae61a00933cd4

          SHA512

          b71ca010424977c2d95af42fe8502d806b8839209054a4bb8a65f6455d8229cf370aa3c3a61fbe7b8eea0ffaafe1ead2df7d94621b93d8b5a1f003d4f458864d

          Download Submit