Analysis

  • max time kernel
    16s
  • max time network
    27s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/03/2024, 15:05

Errors

Reason
Machine shutdown (triggered by the sample itself via "shutdown -s -f -t 0"; see Processes)

General

  • Target

    ca72b53b8d910b5088778d65862e71354b4d98a0257d036fa2c1b3e34a333c96.exe

  • Size

    3.4MB

  • MD5

    3369e94f523d7e19a59e3f890c31eb22

  • SHA1

    5e63a2fde2a8e99c2ea062fc3dd40c8fcb53f25d

  • SHA256

    ca72b53b8d910b5088778d65862e71354b4d98a0257d036fa2c1b3e34a333c96

  • SHA512

    f25f2eae887638e6ff1f9794cb8e58f98b0fcdfd6b46bdae15fa62ec37e13c2e303789261522e6594d532fbcb9f3169b89bc5c6350b49369638ca0f05f3812fa

  • SSDEEP

    49152:xoCK+bLRPNdAnRmK7OWVRcjlxQVnTORZIsdJq/S46OvGa3K2WkbywhUNRj+rg4l:fTbLlNdqdObXdJOSM+0bUYg4lb0

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (2 IoCs)
  • Drops desktop.ini file(s) (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS (25 IoCs)
  • Runs net.exe

    Runs "net user Admin windows10" twice to set the local Admin account password to "windows10" (see Processes).

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (48 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\ca72b53b8d910b5088778d65862e71354b4d98a0257d036fa2c1b3e34a333c96.exe
    "C:\Users\Admin\AppData\Local\Temp\ca72b53b8d910b5088778d65862e71354b4d98a0257d036fa2c1b3e34a333c96.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4224
    • C:\Windows\SysWOW64\net.exe
      net user Admin windows10
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2908
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 user Admin windows10
        3⤵
          PID:1268
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c reg add " HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName" /v ComputerName /t reg_sz /d 非法使用者 /f >nul 2>nul
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4956
        • C:\Windows\SysWOW64\reg.exe
          reg add " HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName" /v ComputerName /t reg_sz /d 非法使用者 /f
          3⤵
            PID:1756
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" /v "NV Hostname" /t reg_sz /d 非法使用者 /f >nul 2>nul
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2076
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" /v "NV Hostname" /t reg_sz /d 非法使用者 /f
            3⤵
              PID:892
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" /v Hostname /t reg_sz /d 非法使用者 /f >nul 2>nul
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1080
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" /v Hostname /t reg_sz /d 非法使用者 /f
              3⤵
                PID:3420
            • C:\Users\Admin\AppData\Local\Temp\数字签名.exe
              C:\Users\Admin\AppData\Local\Temp\/数字签名.exe
              2⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:4592
              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\数字签名.exe
                "C:\Users\Admin\AppData\Local\Temp\RarSFX0\数字签名.exe"
                3⤵
                • Executes dropped EXE
                PID:1616
            • C:\Windows\SysWOW64\net.exe
              net user Admin windows10
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:3272
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 user Admin windows10
                3⤵
                  PID:2544
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c rundll32.exe user32.dll LockWorkStation
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:1584
                • C:\Windows\SysWOW64\rundll32.exe
                  rundll32.exe user32.dll LockWorkStation
                  3⤵
                    PID:1112
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c shutdown -s -f -t 0
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4124
                  • C:\Windows\SysWOW64\shutdown.exe
                    shutdown -s -f -t 0
                    3⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:924
              • C:\Windows\system32\LogonUI.exe
                "LogonUI.exe" /flags:0x0 /state0:0xa3990855 /state1:0x41c64e6d
                1⤵
                • Drops desktop.ini file(s)
                • Modifies data under HKEY_USERS
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                PID:5064
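
The process tree above is the whole story of this sample: reset the local Admin password with net.exe, rewrite the machine name in ComputerName\ActiveComputerName and the Tcpip\Parameters hostname values to 非法使用者 (roughly "unauthorized user"), lock the session, then force an immediate shutdown. The detection logic below is an added example and is not part of the sandbox report or of the sample. It runs one rule per step over constructed process-creation events that mirror the tree, then correlates the hits back to a common root so that the cmd.exe hop between the sample and each child does not split the chain. The field names (pid, parent_pid, image, command_line), the stand-in parent PIDs 3000 and 7000, and the benign look-alike events are assumptions.

```python
"""Detection logic for the lockout chain in this report: password reset,
hostname tampering, workstation lock and forced shutdown, correlated back
to the process that spawned them. Added example, not part of the sandbox
report or of the sample; events are constructed to mirror the report's
tree and field names are modelled on Sysmon Event ID 1 / Security 4688.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent_pid: int
    image: str          # full path of the created process
    command_line: str


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def net_user_password_set(ev):
    """net user <account> <password>: two operands, neither a /switch."""
    if _basename(ev.image) not in ("net.exe", "net1.exe"):
        return False
    t = ev.command_line.split()
    return (len(t) >= 4 and t[1].lower() == "user"
            and not t[2].startswith("/") and not t[3].startswith("/"))


# Anchored on the tail of the key so the stray leading space inside the
# quoted key in the report's command line does not matter.
_HOSTNAME_VALUES = re.compile(
    r'\\(?:control\\computername\\activecomputername|services\\tcpip\\parameters)"?'
    r'\s+/v\s+"?(?:computername|hostname|nv hostname)"?\s', re.IGNORECASE)


def hostname_tamper(ev):
    if _basename(ev.image) != "reg.exe":
        return False
    t = ev.command_line.split()
    return len(t) >= 2 and t[1].lower() == "add" and bool(_HOSTNAME_VALUES.search(ev.command_line))


def lock_workstation(ev):
    return (_basename(ev.image) == "rundll32.exe" and
            re.search(r"user32(?:\.dll)?[\s,]+lockworkstation", ev.command_line, re.IGNORECASE) is not None)


def forced_shutdown(ev):
    """shutdown carrying both the power-off (-s or /s) and force (-f or /f) switches."""
    if _basename(ev.image) != "shutdown.exe":
        return False
    flags = {tok.lower().lstrip("-/") for tok in ev.command_line.split()[1:]}
    return "s" in flags and "f" in flags


RULES = [
    ("net_user_password_set", net_user_password_set),
    ("hostname_tamper", hostname_tamper),
    ("lock_workstation", lock_workstation),
    ("forced_shutdown", forced_shutdown),
]


def detect(events):
    """Per-event hits as (pid, rule_name), in event order."""
    return [(ev.pid, name) for ev in events for name, rule in RULES if rule(ev)]


def root_pid(pid, by_pid):
    """Follow parent links up to the topmost process we hold an event for."""
    seen = set()
    while pid in by_pid and by_pid[pid].parent_pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].parent_pid
    return pid


def correlate(events):
    """{root_pid: set of rule names}: one entry per spawning ancestor."""
    by_pid = {ev.pid: ev for ev in events}
    chains = defaultdict(set)
    for pid, name in detect(events):
        chains[root_pid(pid, by_pid)].add(name)
    return dict(chains)


def lockout_chains(events, min_rules=3):
    """Root PIDs whose descendants trip at least min_rules distinct rules."""
    return sorted(r for r, names in correlate(events).items() if len(names) >= min_rules)


# Constructed events mirroring the report's tree (PIDs as reported; 3000 and
# 7000 are made-up parents standing in for whatever launched the processes).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ca72b53b8d910b5088778d65862e71354b4d98a0257d036fa2c1b3e34a333c96.exe"
SYS = r"C:\Windows\SysWOW64"
KEY_CN = r'" HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName" /v ComputerName'
SAMPLE_EVENTS = [
    ProcEvent(4224, 3000, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(2908, 4224, SYS + r"\net.exe", "net user Admin windows10"),
    ProcEvent(1268, 2908, SYS + r"\net1.exe", r"C:\Windows\system32\net1 user Admin windows10"),
    ProcEvent(4956, 4224, SYS + r"\cmd.exe", "cmd /c reg add " + KEY_CN + " /t reg_sz /d 非法使用者 /f >nul 2>nul"),
    ProcEvent(1756, 4956, SYS + r"\reg.exe", "reg add " + KEY_CN + " /t reg_sz /d 非法使用者 /f"),
    ProcEvent(1584, 4224, SYS + r"\cmd.exe", "cmd /c rundll32.exe user32.dll LockWorkStation"),
    ProcEvent(1112, 1584, SYS + r"\rundll32.exe", "rundll32.exe user32.dll LockWorkStation"),
    ProcEvent(4124, 4224, SYS + r"\cmd.exe", "cmd /c shutdown -s -f -t 0"),
    ProcEvent(924, 4124, SYS + r"\shutdown.exe", "shutdown -s -f -t 0"),
    # Benign look-alikes that must stay quiet: account query, registry read.
    ProcEvent(7001, 7000, SYS + r"\net.exe", "net user Admin"),
    ProcEvent(7002, 7000, SYS + r"\reg.exe", r'reg query "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v Hostname'),
]

if __name__ == "__main__":
    for pid, name in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {name}")
    print("lockout chain roots:", lockout_chains(SAMPLE_EVENTS))
```

On a live host the same rules apply to Sysmon Event ID 1 fields (ProcessId, ParentProcessId, Image, CommandLine). The net user rule will also fire on legitimate helpdesk password resets, so in production scope it to parents that are not an interactive shell or management tool, and treat the correlated chain (three or more rules under one root, as here) as the high-confidence alert rather than any single hit.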

              Network

                    MITRE ATT&CK Enterprise v15

                    Downloads

                    • C:\ProgramData\Microsoft\Windows\SystemData\S-1-5-21-2727153400-192325109-1870347593-1000\ReadOnly\LockScreen_O\LockScreen___1280_0720_notdimmed.jpg

                      Filesize

                      264KB

                      MD5

                      2ff7d5d24d40c805a11c0c9d18f5367d

                      SHA1

                      26785124ca8d573c3958612a123a50ae3d34a8d6

                      SHA256

                      5c054709d70c7f7d5f7bcc1cc39ab2b36a771eb43b26e5eebd9f83d7bdd01cd4

                      SHA512

                      e7dd928e2e8a59625bb3bf17d7d351f3fc3bb1fa0b133bb90219fc66469cb6e3d3191bb7af1cfa3e788b05d388f2addbbf16d38b87b32a5b5c465b4f2f4addb2

                    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\数字签名.exe

                      Filesize

                      1.6MB

                      MD5

                      5831456c926c890a5a55a2b74af02287

                      SHA1

                      e6a8f3c66822ac5ed3831b086f4acbc6dc1ad849

                      SHA256

                      f45ed75e021ef61768a12d0497085e219d8b4e0601ac5b0b653bbdc0bed5dfbd

                      SHA512

                      481b9fbf49ac2c4c51988c8b62eae8c9f98878dba394ab839b6c1628553f9049ec9009c0594bdf95aa2f62a274a90cab0916aac1c3a14d010a3b1a1033067c5a

                    • C:\Users\Admin\AppData\Local\Temp\数字签名.exe

                      Filesize

                      406KB

                      MD5

                      2440c197b85588cf42b139f1186c4350

                      SHA1

                      d5228f6ce1e2dab2dcfe35ee6b6a5446454b2587

                      SHA256

                      0f3ae0bbbf63bffa2a6649dd6abf05e7ceb214fd7350de593890a86e9e5a631a

                      SHA512

                      60e590be4da2bb05840c7a1c4eb76c824edb6b268f3118cf57d1059217a77cc91a17b67ad96c09bb64071eaebcde63ebaf78c56c9e42dab92b91c71092a63ff0

                    • C:\Users\Admin\AppData\Local\Temp\数字签名.exe

                      Filesize

                      1.7MB

                      MD5

                      8185bd326d66ac514e1d0ff88420a87f

                      SHA1

                      bcda93044594c6eb7713b04af7316b2750f611fd

                      SHA256

                      921c3e922b8944c6df1b99f8faf30b7f903580a4cb6f76009053630cc192010b

                      SHA512

                      1a5c9bb831331e6aac2a5f70043aa095df1e3bece36fbafab604e3e21e7823c0c9b0763e7d6d10be9db84fd3a2853d05ec7bc26470e1f6a5ed2c5ac623c1ae32

                    • memory/1616-29-0x0000000076F90000-0x00000000771A5000-memory.dmp

                      Filesize

                      2.1MB

                    • memory/4224-0-0x0000000000400000-0x00000000007BE000-memory.dmp

                      Filesize

                      3.7MB