Overview

overview

7

Static

static

3

abbcfa031c...4f.exe

windows7-x64

7

abbcfa031c...4f.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    143s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/02/2024, 11:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    abbcfa031c70a277a81b988878b7b24f.exe

  • Size

    20KB

  • MD5

    abbcfa031c70a277a81b988878b7b24f

  • SHA1

    3044c5ec69ee595ebdd3c40de273614f39bb1748

  • SHA256

    698796557066dacb25b80ab17d090dca9822a5a85bc87b2fc43a5c7a336a2891

  • SHA512

    858465fae8ea99b7b8f6cc7ca797729a0b2312e227aa1648a737a1dd6e8bb48bb5a0533401a375fc20c20ae46aa13038b468040cb558e4121cbf70cfd7003fa5

  • SSDEEP

    384:RNvL5wIjHFfzUZrT1seXmrIyWvWME2B1MAivP:RN5FYVseXjLE41Zi3

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Modifies registry class 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\abbcfa031c70a277a81b988878b7b24f.exe
    "C:\Users\Admin\AppData\Local\Temp\abbcfa031c70a277a81b988878b7b24f.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.18hi.com/
      2⤵
        PID:3100
      • C:\Windows\system\taskmgr.exe
        "C:\Windows\system\taskmgr.exe"
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:4232
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=5364 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:1
      1⤵
        PID:2900
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5340 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:1
        1⤵
          PID:4576
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5676 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
          1⤵
            PID:4252
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5488 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:1
            1⤵
              PID:4976
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5324 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:1
              1⤵
                PID:4740
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5976 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
                1⤵
                  PID:3084
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6052 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
                  1⤵
                    PID:3148

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Windows\System\taskmgr.exe
                    Filesize

                    20KB

                    MD5

                    abbcfa031c70a277a81b988878b7b24f

                    SHA1

                    3044c5ec69ee595ebdd3c40de273614f39bb1748

                    SHA256

                    698796557066dacb25b80ab17d090dca9822a5a85bc87b2fc43a5c7a336a2891

                    SHA512

                    858465fae8ea99b7b8f6cc7ca797729a0b2312e227aa1648a737a1dd6e8bb48bb5a0533401a375fc20c20ae46aa13038b468040cb558e4121cbf70cfd7003fa5

                    Download Submit

                  • memory/2120-0-0x0000000000400000-0x0000000000412000-memory.dmp

                    Filesize

                    72KB

                    Download

                  • memory/2120-77-0x0000000000400000-0x0000000000412000-memory.dmp

                    Filesize

                    72KB

                    Download

                  • memory/4232-78-0x0000000000400000-0x0000000000412000-memory.dmp

                    Filesize

                    72KB

                    Download