Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-03-2024 17:11

General

  • Target

    c12576e982a57d58f9f818e04e3f3074.exe

  • Size

    140KB

  • MD5

    c12576e982a57d58f9f818e04e3f3074

  • SHA1

    a78e387cba08b4f64d825693c7b4f422a3d7730c

  • SHA256

    0223f0fe39443d4b57bfa079979bf39080351338f122fb0e864d0776fabae9a8

  • SHA512

    517b156d0bac1de7f6c3b80548382f9c21fe8587790ff6079a28519151dc2ac2ba898157ad0197cb194e5a4c5cfb55ca08efdabb214adf483624cbce8a006c8e

  • SSDEEP

    1536:axgnlf4Y2YenLF+fG4OEQhni+SJQ0juk4vcUez2WQp1AdG0fAUMi0OdxZXEJ0Mqf:vlflfGL02W2N0fAU9x5Ea3hGcE5j4oQ

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 53 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c12576e982a57d58f9f818e04e3f3074.exe
    "C:\Users\Admin\AppData\Local\Temp\c12576e982a57d58f9f818e04e3f3074.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4776
    • C:\Users\Admin\peoecot.exe
      "C:\Users\Admin\peoecot.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2524

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\peoecot.exe

    Filesize

    140KB

    MD5

    9483aa6bcb3279e5055039f795569b86

    SHA1

    bb14b9a0f85c18d47572357188059d8c284e679a

    SHA256

    f560332b1bc9e355cd1bba1870b31de40cbbe8746be9e6dec98a279c04f0738a

    SHA512

    c51823aed2e008212a0ce1945eb3f10c55ec5993157cc64387e9055cc8fdd459cf6453d217155725e61214d48ece9b4e4d0e03a5984d859acff29b3dd16dfe9f