Overview

overview

7

Static

static

3

4932262152...aa.exe

windows7-x64

7

4932262152...aa.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/03/2024, 20:06

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    4932262152b570800f0e595a0034ee2305edef7ed1d1e7914b771a40ea03c9aa.exe

  • Size

    472KB

  • MD5

    322e4700befb566eba9229da6658b653

  • SHA1

    1248ee6b70b64c941d3bb9bde4cfdf28231894d8

  • SHA256

    4932262152b570800f0e595a0034ee2305edef7ed1d1e7914b771a40ea03c9aa

  • SHA512

    d0ebb218cd78e026ace19ca6850509cc84e87a933454d7eaaa0db6e2adbad9e512c77213bc2e58acf95e800d749fe573a806817020a33653f31a38a8560fdf4c

  • SSDEEP

    6144:cf+Jjjou35J6i5plrzuo6/LkeYvjoIHnv0RX/VwFdLD/7MsrYMC+9GXL9M8sG3dr:bj8u3ui5pl+uBvc/V0FdYxJdRqMv

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4932262152b570800f0e595a0034ee2305edef7ed1d1e7914b771a40ea03c9aa.exe
    "C:\Users\Admin\AppData\Local\Temp\4932262152b570800f0e595a0034ee2305edef7ed1d1e7914b771a40ea03c9aa.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4784
    • C:\Windows\LSASS.exe
      "C:\Windows\LSASS.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2360
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:2236
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1560
      • C:\Users\Admin\LSASS.exe
        "C:\Users\Admin\LSASS.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3728
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:4528
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:4036
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:2236
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:4000
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1708
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:3968

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\LSASS.exe
          Filesize

          472KB

          MD5

          72a0d7e753defd34cd5d5d1bd144b28e

          SHA1

          e936ec31ec66c2601789bc2dae1a9e38a91946fd

          SHA256

          849800feb515ec360c75de5ad8fe9df004e869b1dfb5983b8a77c8e8166a225e

          SHA512

          245b794fbe2f0001af7a4cf4d7b33e5887f01607f1bd30a0e023cb37940b2c6064bfdd6531e6e2df3648b2fdc4ec4bf8f5191d5e8308090123c67c855e488b77

          Download Submit

        • C:\Windows\LSASS.exe
          Filesize

          472KB

          MD5

          2ace02dcae8950ac118fe8249c1b6a77

          SHA1

          667eb1cd71732253efc552070225d268930929cf

          SHA256

          7f3650540e9cd855e5ab96384fa2050cd6bf086a517da74f2fed23a40a328a1e

          SHA512

          e13a68c47379bed2ba364be042b82b40e1be93bd59202fcbc6a652e9a4236573b1f964c930aa32f1f70174137810db591b77d5fd0261d142299348daeca5f24b

          Download Submit

        • C:\autorun.inf
          Filesize

          190B

          MD5

          b1445c7f646c6ca9a7597791af38d575

          SHA1

          91efaf63fa1f7a51ee2f9b1c3b0f8932f15439ce

          SHA256

          220517d50470c86d94020cebcd03af286898e65338f468dc5f860dc04af2c88e

          SHA512

          533349278b6d186f0f3947681e90dcc7f617e146736798e6fc23e79d61610f1f7b2e4b4241b296884622fbd6b1cf73dc694a852e05bf4235da8ed40b70c5683f

          Download Submit

        • memory/2360-223-0x0000000000400000-0x000000000047D000-memory.dmp

          Filesize

          500KB

          Download

        • memory/2360-244-0x0000000000400000-0x000000000047D000-memory.dmp

          Filesize

          500KB

          Download

        • memory/2360-337-0x0000000000400000-0x000000000047D000-memory.dmp

          Filesize

          500KB

          Download

        • memory/2360-320-0x0000000000400000-0x000000000047D000-memory.dmp

          Filesize

          500KB

          Download

        • memory/2360-295-0x0000000000400000-0x000000000047D000-memory.dmp

          Filesize

          500KB

          Download

        • memory/2360-278-0x0000000000400000-0x000000000047D000-memory.dmp

          Filesize

          500KB

          Download

        • memory/2360-150-0x0000000000400000-0x000000000047D000-memory.dmp

          Filesize

          500KB

          Download

        • memory/2360-133-0x0000000000400000-0x000000000047D000-memory.dmp

          Filesize

          500KB

          Download

        • memory/2360-124-0x0000000000400000-0x000000000047D000-memory.dmp

          Filesize

          500KB

          Download

        • memory/2360-171-0x0000000000400000-0x000000000047D000-memory.dmp

          Filesize

          500KB

          Download

        • memory/2360-36-0x00000000041D0000-0x00000000041D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2360-261-0x0000000000400000-0x000000000047D000-memory.dmp

          Filesize

          500KB

          Download

        • memory/2360-34-0x0000000000400000-0x000000000047D000-memory.dmp

          Filesize

          500KB

          Download

        • memory/2360-188-0x0000000000400000-0x000000000047D000-memory.dmp

          Filesize

          500KB

          Download

        • memory/2360-206-0x0000000000400000-0x000000000047D000-memory.dmp

          Filesize

          500KB

          Download

        • memory/2360-113-0x0000000000400000-0x000000000047D000-memory.dmp

          Filesize

          500KB

          Download

        • memory/3728-112-0x0000000000400000-0x000000000047D000-memory.dmp

          Filesize

          500KB

          Download

        • memory/3728-111-0x00000000041D0000-0x00000000041D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3728-109-0x0000000000400000-0x000000000047D000-memory.dmp

          Filesize

          500KB

          Download

        • memory/4784-0-0x0000000000400000-0x000000000047D000-memory.dmp

          Filesize

          500KB

          Download

        • memory/4784-1-0x0000000001560000-0x0000000001561000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4784-37-0x0000000000400000-0x000000000047D000-memory.dmp

          Filesize

          500KB

          Download