Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/03/2024, 22:12

General

  • Target

    b33a36a1718cf0c996c00dce8b76659b.exe

  • Size

    791KB

  • MD5

    b33a36a1718cf0c996c00dce8b76659b

  • SHA1

    677ddcd6baea11f0e3a0c170b11e4792b2f7b7ce

  • SHA256

    07e84078d8d4f3cbf855d5a965d8fe4cbe482929c2c35320fb5535a757232356

  • SHA512

    889d117ea25a61a8c89b92fe487641d20ded4066409ce85ff2c602f6fbab326acf57f9a1de36ab793256f7a119996042619d59281906e98aff9de4c54d349bad

  • SSDEEP

    24576:gzYXUjH73F0E+f48X97kF60mV59FuXSoOA2ea8gI+k9Tiq:ZkrjFF+7N7kujr8SoOA1aFI+oTJ

Score
7/10

Malware Config

Signatures

  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b33a36a1718cf0c996c00dce8b76659b.exe
    "C:\Users\Admin\AppData\Local\Temp\b33a36a1718cf0c996c00dce8b76659b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:216
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\diyoem.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\diyoem.exe"
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      PID:4140

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\diyoem.exe
    Filesize
    385KB
    MD5
    ae88e2a3d20aa2d58d27ef444a062c33
    SHA1
    2aa03d1a8924b10627b36b90edcb80b603fb724d
    SHA256
    90ea85869ce366be2c0cf3895bd63b40890d2f3b80a2fab9f61e68a98c101f63
    SHA512
    4e264185c1f13079937e22f9c9e8f3f0437718e1e134f3bb2e7e9ee6d836009e84c11c231fe80bab3616821ca676eb58ecc2b3bca21482cb64edd727c906d923

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\oemdata\Celeronm\OEMLINK.ICO
    Filesize
    9KB
    MD5
    e85685a3cc9728d77eef0a1a1f3d344d
    SHA1
    b88172fd5515917479e001f3fa2b6719e27bd8e3
    SHA256
    1be03b5bcb4c8beb6092f973d2bb4d7d23d9b3390dae7c737418b8e3d4c2e0ad
    SHA512
    fe6c532c1129d1373e781b800af9ec3c7571387dcf68bb500de37cd988bb93ef1fd1b1233d07348e938e1cbdaf6c9fa114e06ed6dded62f8bd7a167db223695e

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\oemdata\athlon\oemlink.ico
    Filesize
    9KB
    MD5
    bc4beff42913d8ccbdaa28bd6986af4f
    SHA1
    205a6ec66eceaf5db13332fca8f48f49b9c770f8
    SHA256
    eeaa1205fb8c5b03d74a2cd7547d2e51c71211d59624f292a0a00ac138ad6183
    SHA512
    98434e747750b1a773f3ad42487dc0da28934e3006ac3da3c8c21c772bd66c0b6958f966d2260e437d94e7c296da7adc2f621181210e0acc7baa0af370c5b989

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\oemdata\viac7m\OEMINFO.INI
    Filesize
    270B
    MD5
    868d80a05759da985ac5dfc18a8b48b0
    SHA1
    c139d16a4783d07d726f25c7b3d29216896c5a64
    SHA256
    a602ed6d6302767cb3b17eca3be4b4391a5a666615b0c0678f3b7ea02c2cf775
    SHA512
    e6eb60e04681a365f6f7b2e08fd8b92b8827537b7c049b7dc1bcb7daff9be7bb506cc9fe139da57d72085547b06170d5e334ba6c5450e40d94d969e3221b2934

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\oemdata\viac7m\OEMLINK.bmp
    Filesize
    3KB
    MD5
    cdb0b2189d180f0bc4d9012255819e8d
    SHA1
    16271fc9f8ec14ec06dac0f58acd1c3cb2fc8450
    SHA256
    b6eba1a771610d3d95e4cbda638f3bafa2c89f321d17fd03d3548e29a3eadb62
    SHA512
    5abd47535325566774ccd7023deb774cda948466f5c59b76c851b16eba083ad20853266219dfe5cccf73eaaf03968c506352394dd1b8982ee5ba0e0fef2f8859

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\oemdiy.ini
    Filesize
    246B
    MD5
    d1c6afeff964043a631718dd3fdcb559
    SHA1
    5c6663cafa2274fe05b074ec8f9994faa2781925
    SHA256
    20e617230be0495fa648de153af6ea6f2ad12ee2ce1df8836b1f742bac249bfc
    SHA512
    a5332e6cf34347b4d1c8b50c7d27165b0338baf34dac36b8bf188acc87d76ec708c881806627a460346399b701308cba5ebb509f62501f6b3588691ad582b1bf

  • memory/216-444-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize
    128KB

  • memory/4140-442-0x00000000006E0000-0x00000000006E1000-memory.dmp
    Filesize
    4KB

  • memory/4140-445-0x0000000000400000-0x00000000004EC000-memory.dmp
    Filesize
    944KB

  • memory/4140-449-0x00000000006E0000-0x00000000006E1000-memory.dmp
    Filesize
    4KB

  • memory/4140-450-0x0000000000400000-0x00000000004EC000-memory.dmp
    Filesize
    944KB