Analysis
max time kernel: 146s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/02/2024, 02:57
Behavioral task behavioral1
Sample: aa3d0852067bd1fd257472f5af3c2b17.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: aa3d0852067bd1fd257472f5af3c2b17.exe
Resource: win10v2004-20240226-en
General
Target: aa3d0852067bd1fd257472f5af3c2b17.exe
Size: 564KB
MD5: aa3d0852067bd1fd257472f5af3c2b17
SHA1: 8d974d97d8f595f3514312fd38e91673fc1154ce
SHA256: 56cfb7b5579b036bbb080149dd5bfdb6dfa1ed68c9c630f487549d4adb05c242
SHA512: ab7d212520dba64cc89e1e3976905edfe2f84b9a9195aa96af3d0920e3ca738a7814c79cddd9f7fbc17be5304627fd6881a7ef3b872cdeb5c61b8dd55a7a9bcd
SSDEEP: 12288:kaTYg3j932XwPDh3evCgso/zLW5E1/boCvZSnO5v5n9LOTdENm:tTY0j991JkC5E1/ECxSU5n9+EE
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation (process: aa3d0852067bd1fd257472f5af3c2b17.exe)

Deletes itself (1 IoC)
PID 3828: WScript.exe

Executes dropped EXE (1 IoC)
PID 4908: 76ZIHMEZJI.sys

Drops file in Windows directory (1 IoC)
File created: C:\Windows\Fonts\76ZIHMEZJI.sys (process: aa3d0852067bd1fd257472f5af3c2b17.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
PID 3308: WerFault.exe, target PID 4908, procid_target 88

Modifies registry class (1 IoC)
Key created: \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings (process: aa3d0852067bd1fd257472f5af3c2b17.exe)

Suspicious use of SetWindowsHookEx (2 IoCs)
PID 3548: aa3d0852067bd1fd257472f5af3c2b17.exe
PID 3548: aa3d0852067bd1fd257472f5af3c2b17.exe

Suspicious use of WriteProcessMemory (6 IoCs)
PID 3548 wrote to memory of 4908: aa3d0852067bd1fd257472f5af3c2b17.exe, procid_target 88
PID 3548 wrote to memory of 4908: aa3d0852067bd1fd257472f5af3c2b17.exe, procid_target 88
PID 3548 wrote to memory of 4908: aa3d0852067bd1fd257472f5af3c2b17.exe, procid_target 88
PID 3548 wrote to memory of 3828: aa3d0852067bd1fd257472f5af3c2b17.exe, procid_target 96
PID 3548 wrote to memory of 3828: aa3d0852067bd1fd257472f5af3c2b17.exe, procid_target 96
PID 3548 wrote to memory of 3828: aa3d0852067bd1fd257472f5af3c2b17.exe, procid_target 96
Processes

C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe"
    PID: 3548
    - Checks computer location settings
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\Fonts\76ZIHMEZJI.sys
        Command line: C:\Windows\Fonts\\76ZIHMEZJI.sys
        PID: 4908
        - Executes dropped EXE

        C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 228
            PID: 3308
            - Program crash

    C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
        PID: 3828
        - Deletes itself

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4908 -ip 4908
    PID: 4968
Network
MITRE ATT&CK Enterprise v15
Downloads

Download 1
Filesize: 220B
MD5: a027919e332b58969f064e8da9155a4d
SHA1: 0ecf2b41e09461983b4a6f4b325442cb958fb2e9
SHA256: 8269e89541f3cd23aca5798682a98815162a6bef4394b1c988d42e5c8b1522f7
SHA512: 851cb81bbf8f51fc35e432c920abc52d58934f4d799aef1b31095c9dea1efcd926dbed8aeededfc5774a389f4d88c27af143d90e7a8f4546978f9b57973aa803

Download 2
Filesize: 720KB
MD5: a7008ec876370b1fef6b9a594ffd1009
SHA1: 46774968567c74145dcc8b15f6b127547e90a581
SHA256: 25572294ebbb1e757b38cdb894e80c7031ca8034afe97fe11d05e3eb27d68574
SHA512: 87f43cf5951c3c6533e35a70c2d5e1285dacaeff69387e230e458063e356aa0baa1b0ef5f9fdca46b4294f66bde33c96dd079743da0a5a2e92975c3b72bae5bc