Analysis
-
max time kernel
142s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
13-03-2024 02:26
General
-
Target
c4bd87c3284cab7b4a4d4039af0f933e.exe
-
Size
428KB
-
MD5
c4bd87c3284cab7b4a4d4039af0f933e
-
SHA1
f99fbf47be97d05942aaa7de443ee60d1fde7c30
-
SHA256
55caca52abf37a49b12a02e66216185dce838bb0222921647148ee495c1d1c08
-
SHA512
8d8ba14128507d03cf67c88b676763038bb631579ba981ba43e83e807c6250ea6ca3e5d1db30f2e4162515236b0f4940a08100b511a78ccced8506d11ae6accd
-
SSDEEP
12288:B7tb3KcX80ljcF82LnZ84bd4zRrnKorz:dtmOjYZdbdilj
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 36 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c4bd87c3284cab7b4a4d4039af0f933e.exe"C:\Users\Admin\AppData\Local\Temp\c4bd87c3284cab7b4a4d4039af0f933e.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\TIEGHZKC55.exe"C:\Users\Admin\AppData\Local\Temp\TIEGHZKC55.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\WinSec.exeC:\Users\Admin\AppData\Roaming\WinSec.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\TIEGHZKC55.exeFilesize
276KB
MD5441d047bd699525d4e3268e25e16e1b8
SHA165d9070ef5ba0f8dea0face8f3a2c8525111d63e
SHA256cbbf088b87bb798c35e955281026571835656d25c75aa6a994b9fb89e6070bfe
SHA5123717bcf2e929da78b8b1b62e78f81a7171c050ea0fa948f587a7a2ab02a32446d573c613f019df6206461aa7fdc6b4b6fc15a0ce9f58a5438e0b319ed46d7a28
-
C:\Users\Admin\AppData\Roaming\WinSec.exeFilesize
34KB
MD5e118330b4629b12368d91b9df6488be0
SHA1ce90218c7e3b90df2a3409ec253048bb6472c2fd
SHA2563a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9
SHA512ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0
-
memory/3316-18-0x0000000001A60000-0x0000000001A70000-memory.dmpFilesize
64KB
-
memory/3316-19-0x0000000074870000-0x0000000074E21000-memory.dmpFilesize
5.7MB
-
memory/3316-28-0x0000000074870000-0x0000000074E21000-memory.dmpFilesize
5.7MB
-
memory/3316-17-0x0000000074870000-0x0000000074E21000-memory.dmpFilesize
5.7MB
-
memory/3716-36-0x0000000076FD0000-0x00000000770C0000-memory.dmpFilesize
960KB
-
memory/3716-23-0x0000000000400000-0x0000000000470000-memory.dmpFilesize
448KB
-
memory/3716-29-0x0000000000400000-0x0000000000470000-memory.dmpFilesize
448KB
-
memory/3716-37-0x0000000076300000-0x000000007637A000-memory.dmpFilesize
488KB
-
memory/3716-38-0x0000000000400000-0x0000000000470000-memory.dmpFilesize
448KB
-
memory/3716-44-0x0000000076FD0000-0x00000000770C0000-memory.dmpFilesize
960KB
-
memory/3728-16-0x0000000074870000-0x0000000074E21000-memory.dmpFilesize
5.7MB
-
memory/3728-1-0x0000000074870000-0x0000000074E21000-memory.dmpFilesize
5.7MB
-
memory/3728-0-0x0000000074870000-0x0000000074E21000-memory.dmpFilesize
5.7MB
-
memory/3728-2-0x0000000000E60000-0x0000000000E70000-memory.dmpFilesize
64KB