Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/02/2024, 16:26

Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample ac53e736a4ec7ed14e4a86f4085fb0de.exe, resource win7-20240220-en)
- Behavioral task: behavioral2 (sample ac53e736a4ec7ed14e4a86f4085fb0de.exe, resource win10v2004-20240226-en)

The results below come from the behavioral2 (Windows 10) run: the platform field above and the memory-dump paths in the Signatures section are tagged behavioral2.
General
- Target: ac53e736a4ec7ed14e4a86f4085fb0de.exe
- Size: 96KB
- MD5: ac53e736a4ec7ed14e4a86f4085fb0de
- SHA1: 40b7e784c65817aa96b085bcfb0b7027ba80921f
- SHA256: 7c856e2e779dd19b2db99bd9e055f537b0859a57af8965f47bd5bd56ac67f9e0
- SHA512: 873549d5fa2f5b9e6676a939dc4d2496a3e226d7eff2e17991c4f2cb461849f0e0398771c0144616fc261ff4979617315dd88051f4cb9908c06e0520990f8d17
- SSDEEP: 1536:dYcr1FNtKFJjbwtIxwdbqTOpHbVSCxIe8tSftoIHtmHKE8:dYcrNcvYtIIp7VSo88amjE8
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation
  Process: ac53e736a4ec7ed14e4a86f4085fb0de.exe (PID 4600 in the process tree below)

Drops startup file (1 IoC)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2944.exe
  Process: attrib.exe (PID 2584)
Caveat: the process recorded here is attrib.exe running "attrib *.exe -h /s /d" (see the process tree), which clears the hidden attribute on every .exe it recurses over. "Opened for modification" is consistent with attrib changing the attributes of a 2944.exe that was already sitting in the Startup folder; the report does not show which process wrote that file, so do not read this IoC as attrib.exe itself dropping it. The persistence location is real either way.

Executes dropped EXE (2 IoCs)
- PID 3080: 2944.exe
- PID 32: 2944.exe

YARA rule match: upx (5 memory dumps of PID 4600, behavioral2)
- behavioral2/memory/4600-0-0x0000000000400000-0x000000000041F000-memory.dmp
- behavioral2/memory/4600-2-0x0000000000400000-0x000000000041F000-memory.dmp
- behavioral2/memory/4600-4-0x0000000000400000-0x000000000041F000-memory.dmp
- behavioral2/memory/4600-3-0x0000000000400000-0x000000000041F000-memory.dmp
- behavioral2/memory/4600-23-0x0000000000400000-0x000000000041F000-memory.dmp
All five hits are the same 0x400000-0x41F000 region of PID 4600, the child whose thread context was rewritten by its parent (next entry). 0x400000 is the default image base of a 32-bit executable, so the UPX signature is matching the image region of the hollowed child.

Suspicious use of SetThreadContext (2 IoCs)
- PID 1580 (ac53e736a4ec7ed14e4a86f4085fb0de.exe) set thread context of PID 4600, procid_target 87
- PID 3080 (2944.exe) set thread context of PID 32, procid_target 96
In both cases the writer and the target are parent and child running the same image, and the parent also writes into the child's memory (WriteProcessMemory below). That is the classic process-hollowing (RunPE) sequence: start a suspended copy of yourself, overwrite its image, redirect its main thread, resume it. The child, not the parent, then does the observable work.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). No IoC is listed for this signature.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 32: 2944.exe (two entries)

Suspicious use of WriteProcessMemory (64 IoCs)
The report lists one line per call; the 64 lines collapse to six writer-to-target pairs (the trailing number is the report's procid_target index, not a PID):
- PID 1580 (ac53e736a4ec7ed14e4a86f4085fb0de.exe) wrote to memory of PID 4600, procid_target 87: 7 times
- PID 4600 (ac53e736a4ec7ed14e4a86f4085fb0de.exe) wrote to memory of PID 1596, procid_target 90: 3 times
- PID 1596 (cmd.exe) wrote to memory of PID 3080, procid_target 94: 3 times
- PID 1596 (cmd.exe) wrote to memory of PID 2584, procid_target 95: 3 times
- PID 3080 (2944.exe) wrote to memory of PID 32, procid_target 96: 7 times
- PID 32 (2944.exe) wrote to memory of PID 3496, procid_target 71: 41 times
Reading the counts: every ordinary spawn in this run, including cmd.exe launching attrib.exe, shows exactly three parent-to-child writes, so three is the baseline that process creation itself produces in this sandbox. The two seven-write rows are the pairs that also appear under SetThreadContext. The 41 writes from PID 32 into PID 3496 go into Explorer.EXE, the root of the tree and a process the sample did not create; that is injection into an existing process, and it is the entry worth hunting for on real hosts.

Views/modifies file attributes (1 TTP, 1 IoC)
- PID 2584: attrib.exe
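The SetThreadContext and WriteProcessMemory records above are enough to separate the two injection patterns in this run mechanically. The script below is an added example, not part of the sandbox report or its tooling: it embeds the report's own records (the 64 WriteProcessMemory lines tallied into six distinct lines with repeat counts) and the process tree from the Processes section, then flags a parent that rewrites the thread context of a same-image child it also wrote into (hollowing), and any write into a process that is not the writer's own child (here PID 32 into Explorer.EXE). Everything in it is taken from this page; the classification rules are the editor's.

```python
"""Added example: reconstruct the injection chain from a sandbox report's
SetThreadContext / WriteProcessMemory records. All PIDs, image names and
counts below are copied from the report on this page."""
import re
from collections import Counter

SAMPLE = "ac53e736a4ec7ed14e4a86f4085fb0de.exe"

# Process tree from the report's Processes section: pid -> (image, parent pid).
PROCS = {
    3496: ("Explorer.EXE", None),
    1580: (SAMPLE, 3496),
    4600: (SAMPLE, 1580),
    1596: ("cmd.exe", 4600),
    3080: ("2944.exe", 1596),
    32:   ("2944.exe", 3080),
    2584: ("attrib.exe", 1596),
}

# The two SetThreadContext records, verbatim.
SET_THREAD_CONTEXT = """\
PID 1580 set thread context of 4600 1580 ac53e736a4ec7ed14e4a86f4085fb0de.exe 87
PID 3080 set thread context of 32 3080 2944.exe 96
"""

# The report repeats one WriteProcessMemory line per call (64 lines in total);
# each distinct line is given once here with its repeat count.
WRITE_PROCESS_MEMORY = [
    ("PID 1580 wrote to memory of 4600 1580 ac53e736a4ec7ed14e4a86f4085fb0de.exe 87", 7),
    ("PID 4600 wrote to memory of 1596 4600 ac53e736a4ec7ed14e4a86f4085fb0de.exe 90", 3),
    ("PID 1596 wrote to memory of 3080 1596 cmd.exe 94", 3),
    ("PID 1596 wrote to memory of 2584 1596 cmd.exe 95", 3),
    ("PID 3080 wrote to memory of 32 3080 2944.exe 96", 7),
    ("PID 32 wrote to memory of 3496 32 2944.exe 71", 41),
]

STC_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_pairs(text, pattern):
    """(writer pid, target pid) tuples for every record matching `pattern`."""
    return [(int(a), int(b)) for a, b in pattern.findall(text)]


def write_counts():
    """Counter of (writer, target) -> number of WriteProcessMemory calls."""
    counts = Counter()
    for line, repeats in WRITE_PROCESS_MEMORY:
        for pair in parse_pairs(line, WPM_RE):
            counts[pair] += repeats
    return counts


def is_ancestor(pid, of_pid):
    """True if `pid` appears in the parent chain of `of_pid`."""
    cur = PROCS[of_pid][1]
    while cur is not None:
        if cur == pid:
            return True
        cur = PROCS[cur][1]
    return False


def analyze():
    """Return findings: self-hollowing pairs and writes into non-child processes."""
    findings = []
    writes = write_counts()
    for src, dst in sorted(set(parse_pairs(SET_THREAD_CONTEXT, STC_RE))):
        same_image = PROCS[src][0] == PROCS[dst][0]
        is_child = PROCS[dst][1] == src
        if same_image and is_child and writes[(src, dst)] > 0:
            findings.append({"type": "self_hollowing", "src": src, "dst": dst,
                             "image": PROCS[src][0], "writes": writes[(src, dst)]})
    for (src, dst), n in sorted(writes.items()):
        if PROCS[dst][1] == src:
            # A parent writing into a child it just created is ordinary
            # CreateProcess activity (three writes per spawn in this report);
            # the hollowing cases are already caught above.
            continue
        findings.append({"type": "cross_process_write", "src": src, "dst": dst,
                         "target_image": PROCS[dst][0], "writes": n,
                         "target_is_ancestor": is_ancestor(dst, src)})
    return findings


if __name__ == "__main__":
    for finding in analyze():
        print(finding)
```

Run against this report it yields two self_hollowing findings (1580 into 4600, 3080 into 32) and one cross_process_write (PID 32 into 3496, Explorer.EXE, 41 writes, target is an ancestor of the writer). The same rules transfer to EDR telemetry that exposes the writer and target of SetThreadContext and WriteProcessMemory calls.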
Processes
The tree below uses the report's depth numbers (1 is the root); image path, command line and PID are the report's.

1. C:\Windows\Explorer.EXE (PID 3496)
   2. C:\Users\Admin\AppData\Local\Temp\ac53e736a4ec7ed14e4a86f4085fb0de.exe (PID 1580)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ac53e736a4ec7ed14e4a86f4085fb0de.exe"
      Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\ac53e736a4ec7ed14e4a86f4085fb0de.exe (PID 4600)
         Command line: C:\Users\Admin\AppData\Local\Temp\ac53e736a4ec7ed14e4a86f4085fb0de.exe
         Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\cmd.exe (PID 1596)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\35A6.tmp\kill.bat" "
            Signatures: Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Local\Temp\2944.exe (PID 3080)
               Command line: 2944.exe
               Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
               6. C:\Users\Admin\AppData\Local\Temp\2944.exe (PID 32)
                  Command line: C:\Users\Admin\AppData\Local\Temp\2944.exe
                  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\attrib.exe (PID 2584)
               Command line: attrib *.exe -h /s /d
               Signatures: Drops startup file; Views/modifies file attributes

Reading the tree:
- The sample and 2944.exe each appear twice, as parent and child with the same image. The parent only injects (SetThreadContext plus WriteProcessMemory); the child does the work: PID 4600 performs the Geo\Nation registry lookup and launches kill.bat, PID 32 enumerates processes and writes into Explorer.EXE.
- cmd.exe and attrib.exe resolve to C:\Windows\SysWOW64 although the command line names system32: the whole chain is 32-bit and WoW64 file-system redirection applies, consistent with the arch:x86 resource tag and the 0x400000 image base in the memory dumps.
- kill.bat is executed from a 35A6.tmp folder under Temp. Its contents are not in the report; what is visible is that the cmd.exe running it starts 2944.exe (resolved to C:\Users\Admin\AppData\Local\Temp\2944.exe) and attrib.exe. "attrib *.exe -h /s /d" clears (does not set) the hidden attribute on .exe files in the working directory and, with /s /d, in its subdirectories; the report does not say why.
- 2944.exe is a dropped file. The report does not show the write that created it, only that it runs from Temp and that a copy in the user's Startup folder had its attributes modified.
Network
MITRE ATT&CK Enterprise v15
Downloads
Two files are listed by hash only; the report does not name them or tie them to the 2944.exe and kill.bat paths in the process tree.

File 1
- Filesize: 60KB
- MD5: 105964f3c1091b73ce4904078c145a32
- SHA1: 0425ea9e3f9f18a5dcf0fcb46b11b2365dbea03f
- SHA256: dc62b29db290d014b6f0ae2480067253cd2ca02e44bee79557bf4d41e7e7fe4e
- SHA512: 8e20c5f24aa770177aa52348228d34064d27925c995139a1d1cc32d9af0d25948db057c9efe25495cf1bc885e552d7d8277779f3b0eb2b95bf32fb8a9070bdf4

File 2
- Filesize: 260B
- MD5: 61ad706c4223ca50308e9e80eaf79d88
- SHA1: 9f2f62d10a38b24167ea88dc24f0de9c52ab03c8
- SHA256: 76cc0c681c6f3ee1a025bc01349e18b05bf0d95eb923782179c0c8a452f73f24
- SHA512: f7a28ba9f51612d58e98253b7a2c5a0ab284d9fb6e04cceacf0fa7a065febeb7cce38ce935fc1ac3eaa6122026ff04235bc59572711ac0b8e225b48f40a9c92c
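The hashes in General and Downloads, together with the Startup-folder path from the "Drops startup file" IoC, are what an incident responder would sweep other hosts for. The script below is an added example, not part of the report or its tooling. It hashes every file under the per-user Startup folders, reports matches against the report's MD5 and SHA-256 values, and records whether each hit carries the hidden attribute (the attribute attrib.exe was toggling in this run). Assumptions: the users root is C:\Users on the system drive, the Startup path is the one the report names relative to a user profile, and the self-check in demo() uses a constructed placeholder file whose hashes are computed on the fly, not a real dropped sample.

```python
"""Added example: sweep user Startup folders for files matching a sandbox
report's hashes. Hash values are copied from the report on this page."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# The submitted sample plus the two files under Downloads (unnamed in the report).
REPORT_HASHES = {
    "md5": {
        "ac53e736a4ec7ed14e4a86f4085fb0de",
        "105964f3c1091b73ce4904078c145a32",
        "61ad706c4223ca50308e9e80eaf79d88",
    },
    "sha256": {
        "7c856e2e779dd19b2db99bd9e055f537b0859a57af8965f47bd5bd56ac67f9e0",
        "dc62b29db290d014b6f0ae2480067253cd2ca02e44bee79557bf4d41e7e7fe4e",
        "76cc0c681c6f3ee1a025bc01349e18b05bf0d95eb923782179c0c8a452f73f24",
    },
}

# Per-user Startup folder, relative to a profile, as named in the report's IoC.
STARTUP_REL = Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup")


def file_digests(path, algorithms):
    """Hex digests of `path` for each named algorithm, read in 1 MiB chunks."""
    hashes = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def is_hidden(path):
    """Windows hidden attribute; always False where st_file_attributes is absent."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2))


def user_startup_dirs(users_root=None):
    """Existing per-user Startup folders under the Users directory (assumed C:\\Users)."""
    root = Path(users_root) if users_root else Path(os.environ.get("SystemDrive", "C:") + "\\Users")
    if not root.is_dir():
        return []
    return [u / STARTUP_REL for u in root.iterdir() if (u / STARTUP_REL).is_dir()]


def sweep(dirs, known=REPORT_HASHES):
    """Hash every file under `dirs`; return hits matching any known hash."""
    hits = []
    for d in dirs:
        for p in sorted(Path(d).rglob("*")):
            if not p.is_file():
                continue
            digests = file_digests(p, known)
            matched = sorted(alg for alg, values in known.items() if digests[alg] in values)
            if matched:
                hits.append({"path": str(p), "matched_on": matched,
                             "sha256": digests.get("sha256"), "hidden": is_hidden(p)})
    return hits


def demo():
    """Self-check on a constructed file (placeholder bytes, not a real sample)."""
    with tempfile.TemporaryDirectory() as tmp:
        startup = Path(tmp) / STARTUP_REL
        startup.mkdir(parents=True)
        payload = b"constructed placeholder, not the real 2944.exe\n"
        (startup / "2944.exe").write_bytes(payload)
        # A known-hash set derived from the payload must match it ...
        known = {"md5": {hashlib.md5(payload).hexdigest()},
                 "sha256": {hashlib.sha256(payload).hexdigest()}}
        found = sweep([startup], known)
        # ... while the report's real hashes must not.
        missed = sweep([startup], REPORT_HASHES)
        return found, missed


if __name__ == "__main__":
    for hit in sweep(user_startup_dirs()):
        print(hit)
```

Matching on SHA-256 is the reliable check; MD5 is kept only because many IoC feeds still carry it. A hit with hidden set to False is consistent with what attrib.exe did in this run, so do not rely on the attribute as a signal either way.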