Overview

overview

8

Static

static

5

be3f0baa13...f7.exe

windows7-x64

8

be3f0baa13...f7.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    159s
  • max time network
    171s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-03-2024 09:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    be3f0baa13fecfbf44e07583e2351df7.exe

  • Size

    911KB

  • MD5

    be3f0baa13fecfbf44e07583e2351df7

  • SHA1

    3989229062f1393bccac518002b4625445721063

  • SHA256

    168b6fbe8b8f0fa03736eeec8e5e3b5a72c049700bfe847cd7050bc97f267649

  • SHA512

    9c26974164d5b4f999dffa8c5f59a32dbd6bc868498f300d44e33c4aa32576aa190a25c0a761f6421857bfe934a9ea0d955d064034e2c7ad887ac0c5d6479de6

  • SSDEEP

    12288:Jtb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNTPPpHSgaZpCYcT2wE0XzFHV6A:Jtb20pkaCqT5TBWgNT7aZHIREwBV6A

Score
8/10
evasion

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 5 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Script User-Agent 4 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\be3f0baa13fecfbf44e07583e2351df7.exe
    "C:\Users\Admin\AppData\Local\Temp\be3f0baa13fecfbf44e07583e2351df7.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4864
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn MSShell32 /tr "C:\Users\Admin\AppData\Roaming\MSShell32.exe"
      2⤵
      • Creates scheduled task(s)
      PID:1912
  • C:\Users\Admin\AppData\Roaming\MSShell32.exe
    C:\Users\Admin\AppData\Roaming\MSShell32.exe
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Enumerates connected drives
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:4320
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn MSShell32 /tr "C:\Users\Admin\AppData\Roaming\MSShell32.exe"
      2⤵
      • Creates scheduled task(s)
      PID:4288
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\MSShell32.exe" "MSShell32" ENABLE
      2⤵
      • Modifies Windows Firewall
      PID:2260

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\MSShell32.exe
    Filesize

    911KB

    MD5

    be3f0baa13fecfbf44e07583e2351df7

    SHA1

    3989229062f1393bccac518002b4625445721063

    SHA256

    168b6fbe8b8f0fa03736eeec8e5e3b5a72c049700bfe847cd7050bc97f267649

    SHA512

    9c26974164d5b4f999dffa8c5f59a32dbd6bc868498f300d44e33c4aa32576aa190a25c0a761f6421857bfe934a9ea0d955d064034e2c7ad887ac0c5d6479de6

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MSShell32.ini
    Filesize

    15B

    MD5

    97a75a065383136b888da2884b84ceba

    SHA1

    000ba94c7d528ddfd9aebcbfe8e64abc672852e9

    SHA256

    46f6285ae622e0c180232e435ce0b43311c9f5b38ce43526160b993b734a3268

    SHA512

    37d0c532719e18cf21a237cf5a1dacf90c4a6a4f41ef125da2d1ac738f2b649eaa4f759e021d4d867248a0655c2396419ff806078e8ba3debab75acfe3c5ae4b

    Download Submit

  • memory/4320-6-0x0000000000400000-0x00000000004EF000-memory.dmp

    Filesize

    956KB

    Download

  • memory/4320-11-0x0000000002B70000-0x0000000002B71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4320-12-0x0000000002B80000-0x0000000002B81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4320-13-0x00000000033C0000-0x00000000033C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4320-14-0x0000000000400000-0x00000000004EF000-memory.dmp

    Filesize

    956KB

    Download

  • memory/4864-0-0x0000000000400000-0x00000000004EF000-memory.dmp

    Filesize

    956KB

    Download

  • memory/4864-4-0x0000000000400000-0x00000000004EF000-memory.dmp

    Filesize

    956KB

    Download