Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/02/2024, 04:20

Static task: static1
Behavioral task: behavioral1
  Sample: a0ee287caf739fd852681ecb4b4572f5.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: a0ee287caf739fd852681ecb4b4572f5.exe
  Resource: win10v2004-20240221-en
General
Target: a0ee287caf739fd852681ecb4b4572f5.exe
Size: 49KB
MD5: a0ee287caf739fd852681ecb4b4572f5
SHA1: 3438f0efc2489397896862580afb463402879044
SHA256: a41298f558400373e01f055e445bab5bf5c18668bcc7af4ec767c807a1e1b077
SHA512: d64f588edc73e8a2f1b2df2bb76c43342daa3a460914425a6119d1cae7ad401ba0ead0cedf223a0befc314854880b1244adde494bc0f9ea5dc87f8da65c62458
SSDEEP: 1536:GQ6PzGTQ5arL5CXlPg8Llob9wxQhADbdAEvg:b6bG80H5CXXLlOO+hWbdpI
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation | a0ee287caf739fd852681ecb4b4572f5.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation | ms1src.exe

Deletes itself (1 IoCs)
  pid | Process
  4080 | ms1src.exe

Executes dropped EXE (1 IoCs)
  pid | Process
  4080 | ms1src.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ms1src = "c:\\program files (x86)\\common files\\system\\ms1src.exe /install" | ms1src.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | \??\c:\program files (x86)\common files\system\ms1src.exe | a0ee287caf739fd852681ecb4b4572f5.exe
  File opened for modification | \??\c:\program files (x86)\common files\system\ms1src.exe | a0ee287caf739fd852681ecb4b4572f5.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (5 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | a0ee287caf739fd852681ecb4b4572f5.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000000-0000-0000-0000-000000000001} | a0ee287caf739fd852681ecb4b4572f5.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32 | ms1src.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32 | a0ee287caf739fd852681ecb4b4572f5.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | a0ee287caf739fd852681ecb4b4572f5.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
  4080 | ms1src.exe
  4080 | ms1src.exe
  4080 | ms1src.exe
  4080 | ms1src.exe
  4080 | ms1src.exe
  4080 | ms1src.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | Process | procid_target
  PID 4636 wrote to memory of 1868 | 4636 | a0ee287caf739fd852681ecb4b4572f5.exe | 88
  PID 4636 wrote to memory of 1868 | 4636 | a0ee287caf739fd852681ecb4b4572f5.exe | 88
  PID 4636 wrote to memory of 1868 | 4636 | a0ee287caf739fd852681ecb4b4572f5.exe | 88
  PID 4636 wrote to memory of 4080 | 4636 | a0ee287caf739fd852681ecb4b4572f5.exe | 89
  PID 4636 wrote to memory of 4080 | 4636 | a0ee287caf739fd852681ecb4b4572f5.exe | 89
  PID 4636 wrote to memory of 4080 | 4636 | a0ee287caf739fd852681ecb4b4572f5.exe | 89
  PID 4080 wrote to memory of 1548 | 4080 | ms1src.exe | 90
  PID 4080 wrote to memory of 1548 | 4080 | ms1src.exe | 90
  PID 4080 wrote to memory of 1548 | 4080 | ms1src.exe | 90
  PID 4080 wrote to memory of 3396 | 4080 | ms1src.exe | 51
  PID 4080 wrote to memory of 3396 | 4080 | ms1src.exe | 51
  PID 4080 wrote to memory of 3396 | 4080 | ms1src.exe | 51
  PID 4080 wrote to memory of 3396 | 4080 | ms1src.exe | 51
  PID 4080 wrote to memory of 3396 | 4080 | ms1src.exe | 51
  PID 4080 wrote to memory of 3396 | 4080 | ms1src.exe | 51
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3396
  C:\Users\Admin\AppData\Local\Temp\a0ee287caf739fd852681ecb4b4572f5.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a0ee287caf739fd852681ecb4b4572f5.exe"
    PID: 4636
    - Checks computer location settings
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\regsvr32.exe
      Command line: "C:\Windows\system32\regsvr32.exe" C:\Windows\system32\SafeSearch.dll /u /s
      PID: 1868
    C:\program files (x86)\common files\system\ms1src.exe
      Command line: "C:\program files (x86)\common files\system\ms1src.exe" -kill c:\users\admin\appdata\local\temp\a0ee287caf739fd852681ecb4b4572f5.exe /install
      PID: 4080
      - Checks computer location settings
      - Deletes itself
      - Executes dropped EXE
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\regsvr32.exe
        Command line: "C:\Windows\system32\regsvr32.exe" C:\Windows\system32\SafeSearch.dll /u /s
        PID: 1548
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 49KB
MD5: a0ee287caf739fd852681ecb4b4572f5
SHA1: 3438f0efc2489397896862580afb463402879044
SHA256: a41298f558400373e01f055e445bab5bf5c18668bcc7af4ec767c807a1e1b077
SHA512: d64f588edc73e8a2f1b2df2bb76c43342daa3a460914425a6119d1cae7ad401ba0ead0cedf223a0befc314854880b1244adde494bc0f9ea5dc87f8da65c62458