Overview

overview

7

Static

static

3

file.exe

windows7-x64

7

file.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    92s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-02-2024 07:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    2.3MB

  • MD5

    f14b54c6e41545c8ba51629183431d1d

  • SHA1

    758aa4668d2206d3a80308ecd2fecae459fed07e

  • SHA256

    015a36adeafc759d8034813bff44559ef28060351dd0e8750b87fdf12802e82f

  • SHA512

    d25744c0a1185205641d3f0199bea923d4224e43ea91f371782424339c4d56bd92efe41de3c3f026bf72f5d1e6d324aff3a1d737fade6ae56d2aa3632f899fee

  • SSDEEP

    49152:anGImUlx7X/pQ2P6p6rVzCOKPec313JYbcBKUd+IAWgLqGWQy:aGIfXha29COKWc31ZkcBuIA/Li

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3316
    • C:\Windows\SysWOW64\control.exe
      "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\_d8c4M1.CPL",
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4940
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\_d8c4M1.CPL",
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1812
        • C:\Windows\system32\RunDll32.exe
          C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\_d8c4M1.CPL",
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3304
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\_d8c4M1.CPL",
            5⤵
            • Loads dropped DLL
            PID:4728

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_d8c4M1.cpl
    Filesize

    2.0MB

    MD5

    4516fffb265c3011e2750a255b382363

    SHA1

    cd74ae4c5424e4f529e29bbd22c4bddadcbdf7dd

    SHA256

    3dddf9d138c67c29b932605e99bcfbb712e5dc219df9d845c5aaf25bbbc6ba08

    SHA512

    3c9a4fda5d7a52b660a05d2a82f9f00332aa5bee545d8668653260ae257a608d1b2ff11bc4ffbd16797e6246b3fa02a222c183f0556e797273e19b037b7c47c3

    Download Submit
  • memory/1812-11-0x0000000010000000-0x000000001020A000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/1812-12-0x0000000000F40000-0x0000000000F46000-memory.dmp
    Filesize

    24KB

    Download
  • memory/1812-14-0x0000000003050000-0x0000000003177000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/1812-15-0x0000000003180000-0x0000000003289000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/1812-17-0x0000000003180000-0x0000000003289000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/1812-18-0x0000000003180000-0x0000000003289000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/1812-19-0x0000000003180000-0x0000000003289000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4728-21-0x00000000009E0000-0x00000000009E6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/4728-24-0x0000000002B10000-0x0000000002C37000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/4728-25-0x0000000002C40000-0x0000000002D49000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4728-27-0x0000000002C40000-0x0000000002D49000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4728-28-0x0000000002C40000-0x0000000002D49000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4728-29-0x0000000002C40000-0x0000000002D49000-memory.dmp
    Filesize

    1.0MB

    Download