Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/02/2024, 11:19

General

  • Target

    994a36321a63f1e49b3a79afa332fa07.exe

  • Size

    10KB

  • MD5

    994a36321a63f1e49b3a79afa332fa07

  • SHA1

    c45250cb0fef51942c981950928d518f88b09421

  • SHA256

    d133dc4fce7e41aadcb99764b6a212aff2d50d1b8c447289582232885a13b97d

  • SHA512

    86a256ea0d9efd9e9acfa6e37f680eb477e2622c2e7e0a7ea4646b4b9b4fe40cb09f731fba5cbbeddd01a9dd838ed7aa119ecf895e4ef94585b7e4c80d8d3c43

  • SSDEEP

    192:Nekfn2UklmxRdn/YL6dqkYTLZk/JDHWYOG372+NGMXkpKQVc5ndzP8D6vmj5:Nrv2Hmx3yoq9mhf17h4MXkXc5ndzPut

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\994a36321a63f1e49b3a79afa332fa07.exe
    "C:\Users\Admin\AppData\Local\Temp\994a36321a63f1e49b3a79afa332fa07.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:808
    • C:\Windows\SysWOW64\fxmngr.exe
      C:\Windows\system32\fxmngr.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1308
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\fxmngr.exe > nul
        3⤵
        PID:4412
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\994A36~1.EXE > nul
      2⤵
      PID:3476

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Public\Desktop\Security Troubleshooting.url

    Filesize
    109B

    MD5
    82c6041e6f1e8edaef89150ce7c09e3d

    SHA1
    b1914bb4491357de109f639d031d375f1c3ee3f1

    SHA256
    0f26bd5671f3cbfd0056cc3e44dc3ede7c8d5b0700071f546faf7908a7f0ee64

    SHA512
    67b69b25b6d0fd6c2002f183d0f2d24f8b56464a72356c37a1ce48653dc4d05893332b0054b6a21b2667ecf0d961be0b53bea587013a1e54a01b6799e5a36a76

  • C:\Windows\SysWOW64\fxmngr.exe

    Filesize
    2KB

    MD5
    af1444409e57da51b24ddcc141ba86d9

    SHA1
    a43c07c82cc766e418cf8b3bfe1f3a158d3c4977

    SHA256
    f7b7738a55c2c092dd6f6089f82bcb10adf9bfcb36169bad111580b8b48d6bee

    SHA512
    c3ffd1a935ae99185a2929d4021e855094e300f7262ceac7d02dfd805545c4201b266847b9eba6ec519a9d62d66b213e4bec7a3f500b25662dcf092b25c00d58