Analysis

- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/03/2024, 05:47
Behavioral task: behavioral1
- Sample: b3f0afe4e3456523502d6ef1d0c402b4.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: b3f0afe4e3456523502d6ef1d0c402b4.exe
- Resource: win10v2004-20240226-en
General

- Target: b3f0afe4e3456523502d6ef1d0c402b4.exe
- Size: 47KB
- MD5: b3f0afe4e3456523502d6ef1d0c402b4
- SHA1: 63a8c4444267dea5268780ff495d3fcf4d4b5690
- SHA256: dcac9c98f6f51362bbcd26e9509a2d4a03d4427d50b000528842ec0b00ca7f0f
- SHA512: 05192e78d16d139818d36374082024bd122c709c0b32ac174a74a1053a055fd2e8b9ebed9c9e333c844dcc9a7774c90eae115a42bb261ae7ad72063223c3fcc0
- SSDEEP: 768:DQMGEnhR6hs1K0tW3KPHTGovr1AXsDj+N/kM9I/l6UKOe+AEGqYARSCNdIixRde8:kmb5XWUHdr1y/rI/lo9qNRSCN/J
Malware Config

Signatures

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | Process: b3f0afe4e3456523502d6ef1d0c402b4.exe
- Loads dropped DLL (1 IoCs)
  pid: 4524 | Process: rundll32.exe
- Drops file in Program Files directory (1 IoCs)
  description: File opened for modification | ioc: C:\Program Files\Wizet\Maple\npkcrypt.dll | Process: rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid: 4524 | Process: rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 1364 wrote to memory of 4524 | pid: 1364 | Process: b3f0afe4e3456523502d6ef1d0c402b4.exe | procid_target: 91
  description: PID 1364 wrote to memory of 4524 | pid: 1364 | Process: b3f0afe4e3456523502d6ef1d0c402b4.exe | procid_target: 91
  description: PID 1364 wrote to memory of 4524 | pid: 1364 | Process: b3f0afe4e3456523502d6ef1d0c402b4.exe | procid_target: 91
Processes

- C:\Users\Admin\AppData\Local\Temp\b3f0afe4e3456523502d6ef1d0c402b4.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b3f0afe4e3456523502d6ef1d0c402b4.exe"
  PID: 1364
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (depth 2, child of PID 1364)
    Command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\Favorites\hfdf.hlp" InstallHook1
    PID: 4524
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 61KB
  MD5: 5ae5fbaa678e08e5d136826a8de7cc16
  SHA1: 0b4192bc6a527856f3a7a70d29d171cbbef64286
  SHA256: f59fa8cef0dd4d2583c9080f65fa7b4e4c956d1e2c5c2be0d741c435a86002de
  SHA512: e8bf55ff6e43712c88181e7c0adc9b2082a476199d03fe1b8167d4e978d8285a1db02a6f626b89f3a52624967978f8d0cbeddeb4ef3edd9298af39d35fa394b4