0fbeb3f50de140fda85678fe354a9cd5df970763fa9541c7a7f93226c292e1d9

Analysis

max time kernel
92s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9328044f3d94a0e9dc9d22c200e317a.exe
Size

145KB
MD5

c9328044f3d94a0e9dc9d22c200e317a
SHA1

d036f755ad9001dbad66d2011fb470a3c9452643
SHA256

0fbeb3f50de140fda85678fe354a9cd5df970763fa9541c7a7f93226c292e1d9
SHA512

d439c3ff81a64e0393358f34cf3b3905b88141e501bfe9100846c889ee6fb6934ba0e27cc4d74a69b13380c02b3c814cf054203a65ab6ff8b8dfe6879be88d30
SSDEEP

3072:OXPjwSiU99T0uhtdk4to+sogF9zcn4FZhFU/tZ5Cm80Kba:ePjUU9V0Svbs/zG2H+ZJ2

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	c9328044f3d94a0e9dc9d22c200e317a.exe

Loads dropped DLL 2 IoCs

pid	Process
4628	c9328044f3d94a0e9dc9d22c200e317a.exe
856	cmd.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\agenskey.dll	c9328044f3d94a0e9dc9d22c200e317a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1080	4628	WerFault.exe	83
3304	856	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4628	c9328044f3d94a0e9dc9d22c200e317a.exe
4628	c9328044f3d94a0e9dc9d22c200e317a.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4628 wrote to memory of 3524	4628	c9328044f3d94a0e9dc9d22c200e317a.exe	56
PID 4628 wrote to memory of 856	4628	c9328044f3d94a0e9dc9d22c200e317a.exe	84
PID 4628 wrote to memory of 856	4628	c9328044f3d94a0e9dc9d22c200e317a.exe	84
PID 4628 wrote to memory of 856	4628	c9328044f3d94a0e9dc9d22c200e317a.exe	84
PID 856 wrote to memory of 3796	856	cmd.exe	89
PID 856 wrote to memory of 3796	856	cmd.exe	89
PID 856 wrote to memory of 3796	856	cmd.exe	89

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3796	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3524
- C:\Users\Admin\AppData\Local\Temp\c9328044f3d94a0e9dc9d22c200e317a.exe
  "C:\Users\Admin\AppData\Local\Temp\c9328044f3d94a0e9dc9d22c200e317a.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240600906.bat" "C:\Users\Admin\AppData\Local\Temp\c9328044f3d94a0e9dc9d22c200e317a.exe""
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:856
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -s -h"C:\Users\Admin\AppData\Local\Temp\c9328044f3d94a0e9dc9d22c200e317a.exe"
      4⤵
      Views/modifies file attributes
      PID:3796
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 548
      4⤵
      Program crash
      PID:3304
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1284
    3⤵
    - Program crash
    PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4628 -ip 4628
1⤵
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 856 -ip 856
1⤵
PID:4508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240600906.bat

Filesize
69B

MD5
604802586163bdc9eda42f6a471e01ad

SHA1
fc255017a78e3ec103f73c8c8651effe08089c81

SHA256
02f35eec8f33e1ad57621253ee252ca073f6cc16bf9712d89859ffeb6bb49dd3

SHA512
66dc346d7bdcc80fc8ae6894ae10cab306aaf5cf1c1dd750a971d3df37d6f4ac607d188f583d08b526e3df13234cec9c7fa7f9bdc4c4ad187fc83a3506b94888

Download Submit
C:\Windows\SysWOW64\agenskey.dll

Filesize
61KB

MD5
9d97c86e98a114b832b3dd8fb9e3d03b

SHA1
f23b5815eceecafafc2d69a652f3a6a6cdd58f3c

SHA256
c484bd308bd7de22a82f4117ecaac626dea2de468f390a3d32ae3e87ba908e2d

SHA512
422db73df5b29e3985423ef57c83ee513e60b1c0ee1a8e35db229051c5d13317c745e85489fa6bb928c3b95e896d81f7ae326b9e479706045e371b2d9a9e8266

Download Submit
memory/4628-0-0x0000000001000000-0x0000000001026000-memory.dmp

Filesize
152KB

Download
memory/4628-8-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4628-9-0x0000000001000000-0x0000000001026000-memory.dmp

Filesize
152KB

Download