Overview

overview

10

Static

static

3

cafb65ee66...34.exe

windows7-x64

10

cafb65ee66...34.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/03/2024, 08:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cafb65ee6617b984354d3025b87aef34.exe

  • Size

    136KB

  • MD5

    cafb65ee6617b984354d3025b87aef34

  • SHA1

    7e0954d7a3d785c322a95210a554cbf44a94eaff

  • SHA256

    d459febb408cf7e62ce2aeebfdc1323544b6d178d22542a6f836b6820b2bdf40

  • SHA512

    1647533c2fcdc7f3bd6fb7a9bb69a25ad43bf8dc13a71a991c8e89d764f4352a741ace22237f496c889cea2237adf46306d9822a712f82682ffb66978e554d87

  • SSDEEP

    3072:IFlPHoTgWMoDJeceXqSHgt8AIPH8FJgryZSxYnEl7L3g:IFhHGZl9e6SHgG8bkYnEl7s

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 4 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cafb65ee6617b984354d3025b87aef34.exe
    "C:\Users\Admin\AppData\Local\Temp\cafb65ee6617b984354d3025b87aef34.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:408
    • C:\Users\Admin\AppData\Local\Temp\cafb65ee6617b984354d3025b87aef34.exe
      "C:\Users\Admin\AppData\Local\Temp\cafb65ee6617b984354d3025b87aef34.exe"
      2⤵
      • Modifies firewall policy service
      • Checks computer location settings
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3172
      • C:\Users\Admin\P-7-78-8964-9648-3874\wincrs.exe
        "C:\Users\Admin\P-7-78-8964-9648-3874\wincrs.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2904
        • C:\Users\Admin\P-7-78-8964-9648-3874\wincrs.exe
          "C:\Users\Admin\P-7-78-8964-9648-3874\wincrs.exe"
          4⤵
          • Executes dropped EXE
          PID:3584

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\P-7-78-8964-9648-3874\wincrs.exe
    Filesize

    136KB

    MD5

    cafb65ee6617b984354d3025b87aef34

    SHA1

    7e0954d7a3d785c322a95210a554cbf44a94eaff

    SHA256

    d459febb408cf7e62ce2aeebfdc1323544b6d178d22542a6f836b6820b2bdf40

    SHA512

    1647533c2fcdc7f3bd6fb7a9bb69a25ad43bf8dc13a71a991c8e89d764f4352a741ace22237f496c889cea2237adf46306d9822a712f82682ffb66978e554d87

    Download Submit

  • memory/408-1-0x00000000005D0000-0x00000000005D8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/408-0-0x00000000005D0000-0x00000000005D8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2904-68-0x0000000002030000-0x0000000002038000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2904-69-0x0000000002030000-0x0000000002038000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3172-2-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/3172-4-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/3172-5-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/3172-66-0x0000000000410000-0x00000000004D9000-memory.dmp

    Filesize

    804KB

    Download

  • memory/3584-73-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/3584-74-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download