Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-02-2024 21:58

General

  • Target
    aa428ff0019adadd688d0e1460f62ad8.exe
  • Size
    152KB
  • MD5
    aa428ff0019adadd688d0e1460f62ad8
  • SHA1
    ef676a63d193f497076ee1c8cf106e2cfa910380
  • SHA256
    4f5e06b5c32fa53acae1e10bf68a01ce41dd546d4356aeabedacedb25ea55cc2
  • SHA512
    08d0202f7dc0eb08e6f407c55ddc15321745f6637fcf34d8f125faa6835401edf05015b4e16214ffc8d1cc95271ddcceb4d41f6c044b6c03482478c3fd59486a
  • SSDEEP
    3072:b1dlKwgj23+Oz05YoNozBI4b81QxTkMXfFPB4w19:b1dlZro5yqQxwmf92g

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoCs)
    Looks up country code configured in the registry, likely geofence.
  • Executes dropped EXE (2 IoCs)
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3268
      • C:\Users\Admin\AppData\Local\Temp\aa428ff0019adadd688d0e1460f62ad8.exe
        "C:\Users\Admin\AppData\Local\Temp\aa428ff0019adadd688d0e1460f62ad8.exe"
        2⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:1692
        • C:\Extracted\LD-EDITOR.exe
          "C:\Extracted\LD-EDITOR.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1548
        • C:\Extracted\server.exe
          "C:\Extracted\server.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3348
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:1376

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Extracted\LD-EDITOR.exe
    Filesize
    40KB
    MD5
    df272b8e62917668511b6b2b00b6db84
    SHA1
    4ab2229aace98561c98bc13088c7418ecf638907
    SHA256
    03709c2b32c4e19e474c20e911359a6047fbc563cc997bd6304fb91e76b28d38
    SHA512
    4a17edb0858dbb1564eaba0850e72161c8c076478ff71584ec8f5969eddf1cc142388c7e4fe7d707506f5fe685edc76d5d4bfb4366339b184f71c263f52f7511
  • C:\Extracted\server.exe
    Filesize
    63KB
    MD5
    b129f675a0cba74d6a39624b08354c80
    SHA1
    8a6500eff9dc05d2e46cc929762b07b8f8aad665
    SHA256
    a359002f011fa5579482626fdb6a0dd3fad8e9905f6e17f914adbe1c952aa2b7
    SHA512
    cbc58670027e459b6b55ee9afd666dc20d210d519dd37a8bad55b0b7fbe64250d365426428ab2537fca833c85ec04bb7771e790e524ee948544066cfa645dab2
  • C:\Users\Admin\AppData\Local\Temp\sfx.ini
    Filesize
    214B
    MD5
    864192ae3616161af4895b6474f5f972
    SHA1
    387e915d0d7c89400fac00a52170dd5a76f8007f
    SHA256
    fdcda52ffd834f2a48e4cfd5823a349986440f934de372a09b6728e0415d984b
    SHA512
    7afe3cdad8e480bc70cfca48eaa7f591751f56ef4f9b60890ff6fcf2b27bab87362fe99e19fa8fcaf78951c316330e0e0be6999ec85df7a68d927bd3aacbe4c4
  • memory/3268-40-0x000000007FFF0000-0x000000007FFF1000-memory.dmp
    Filesize
    4KB
  • memory/3268-42-0x000000007FFC0000-0x000000007FFC6000-memory.dmp
    Filesize
    24KB
  • memory/3348-36-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize
    44KB
  • memory/3348-38-0x0000000010000000-0x0000000010012000-memory.dmp
    Filesize
    72KB
  • memory/3348-46-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize
    44KB
  • memory/3348-47-0x0000000010000000-0x0000000010012000-memory.dmp
    Filesize
    72KB