Analysis
max time kernel: 148s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-03-2024 19:35
Static task: static1
Behavioral task: behavioral1
  Sample: cc3f8ce01ea26c763077eb8d4bbc9b30.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: cc3f8ce01ea26c763077eb8d4bbc9b30.exe
  Resource: win10v2004-20240226-en
General
Target: cc3f8ce01ea26c763077eb8d4bbc9b30.exe
Size: 20KB
MD5: cc3f8ce01ea26c763077eb8d4bbc9b30
SHA1: ef2fd7dd3a27a90d18838087a59d30b267cf1ba1
SHA256: dc083468804d02b799cf6515b554a53ac45d296814c0aff848efbd8889daa766
SHA512: efa7b10f62750182f50f9fbd738b214b2251ad6f3ecf151ceb96368d433404ac16c0e8d042c418fb76b375d7c6d01fb4e3d4ecaaa536e31d86217a93d2a6d98f
SSDEEP: 384:27yJ/Ki+hgnEq7HhSryRdL6KPtjyc754wKtlOl0szto:j/KB219Htjyc756t4l0
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | cc3f8ce01ea26c763077eb8d4bbc9b30.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (3 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\videoPl.chl | cc3f8ce01ea26c763077eb8d4bbc9b30.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\videoPl.chl\CLSID\ = "{6BF52A52-394A-11D3-B153-00C04F79FAA6}" | cc3f8ce01ea26c763077eb8d4bbc9b30.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\videoPl.chl\CLSID | cc3f8ce01ea26c763077eb8d4bbc9b30.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1584 wrote to memory of 3680 | 1584 | cc3f8ce01ea26c763077eb8d4bbc9b30.exe | 111
  PID 1584 wrote to memory of 3680 | 1584 | cc3f8ce01ea26c763077eb8d4bbc9b30.exe | 111
  PID 1584 wrote to memory of 3680 | 1584 | cc3f8ce01ea26c763077eb8d4bbc9b30.exe | 111
Processes

C:\Users\Admin\AppData\Local\Temp\cc3f8ce01ea26c763077eb8d4bbc9b30.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\cc3f8ce01ea26c763077eb8d4bbc9b30.exe"
  PID: 1584
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awer0.bat" "
      PID: 3680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3384 --field-trial-handle=3488,i,1267426273081718772,6254127258555406296,262144 --variations-seed-version /prefetch:8
  PID: 384
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 274B
MD5: 80a986d5920763c59b2f873ff6e4deba
SHA1: cc43bf9a899e8cb10e6ace1084f59b74746d1f8a
SHA256: e1698c11765d97e2cbfd52e47b633bc71716a18b0ef1e12f18e0a591d28eb7fb
SHA512: 12b3035c23dcec8d8255ecd7f18183112b8db148024ad9f2c16127698130a4aca9884784d82513bc0ca3d1360758195a834bfbbde85649994159241c888cd48b