Overview

overview

7

Static

static

3

bd25183ad5...9c.exe

windows7-x64

7

bd25183ad5...9c.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/03/2024, 00:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bd25183ad55fe3b91a00ee6412c4fc9c.exe

  • Size

    15KB

  • MD5

    bd25183ad55fe3b91a00ee6412c4fc9c

  • SHA1

    2a139eaa3792f8f87d8de6d3fd8f8959fae65d83

  • SHA256

    f1688cd32a979bb3d9aa3cb03d087ebffc2bb75c2c790a41a37f0b897bfab07b

  • SHA512

    8a3c8a3a9ee5b66ae2b452c5f4322b5f19cc66be982176d766d124ae631fd6792154e0f6257815242fc1f3efe300b6e7686057fc7a314cb3873269efe1892190

  • SSDEEP

    384:284Ms5M/1iqQj9S198mNGePRf1SdoqKejdbkHWq+:2t5M/ccEqGKe8K

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bd25183ad55fe3b91a00ee6412c4fc9c.exe
    "C:\Users\Admin\AppData\Local\Temp\bd25183ad55fe3b91a00ee6412c4fc9c.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:4312
    • C:\Windows\SysWOW64\ijhjiwli.exe
      "C:\Windows\system32\ijhjiwli.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:208

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\ijhjiwli.exe
    Filesize

    15KB

    MD5

    bd25183ad55fe3b91a00ee6412c4fc9c

    SHA1

    2a139eaa3792f8f87d8de6d3fd8f8959fae65d83

    SHA256

    f1688cd32a979bb3d9aa3cb03d087ebffc2bb75c2c790a41a37f0b897bfab07b

    SHA512

    8a3c8a3a9ee5b66ae2b452c5f4322b5f19cc66be982176d766d124ae631fd6792154e0f6257815242fc1f3efe300b6e7686057fc7a314cb3873269efe1892190

    Download Submit

  • C:\Windows\SysWOW64\mspr.dat
    Filesize

    8B

    MD5

    807021cf64abacabc4252db182d8bb2c

    SHA1

    7f4523049a66a0eaa9fcc0eaf4861eb78b53442d

    SHA256

    4be82ffaffed65f674aa3ecb5ac74a205cb44a9f0f0ed8362fc2b88c1399fdc9

    SHA512

    f5a9714d1ae2dff03a4b825043a24d15acb8ea0f5512561fe56cb4c759904429eae1df28999318a5f3c6277953d3dbe85e7897918bf7dec0b8f9d42df25380c7

    Download Submit