Analysis

  • max time kernel
    146s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240319-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-03-2024 23:58

General

  • Target

    fe746895cb0ea59e16b71c9507a9d0fb5173a93b4da63e6a12f58fc45417fa1e.exe

  • Size

    197KB

  • MD5

    909ef8750f6e448a033cdd899f08e4e8

  • SHA1

    280397956ad0b2b8deb0f4fa4417ff004b12b97d

  • SHA256

    fe746895cb0ea59e16b71c9507a9d0fb5173a93b4da63e6a12f58fc45417fa1e

  • SHA512

    184aaa79bea2c6ad976baace8512c899661ec0c2b37b6ba99e62ca9d9ba08ba39a56fcf234f321cb84b70e95efcd59c59ac26a4c2b1c549ba079aa17afa41499

  • SSDEEP

    6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOI:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXx

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe746895cb0ea59e16b71c9507a9d0fb5173a93b4da63e6a12f58fc45417fa1e.exe
    "C:\Users\Admin\AppData\Local\Temp\fe746895cb0ea59e16b71c9507a9d0fb5173a93b4da63e6a12f58fc45417fa1e.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3824
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\FE7468~1.EXE > nul
      2⤵
        PID:3472
    • C:\Windows\Debug\zewhost.exe
      C:\Windows\Debug\zewhost.exe
      1⤵
      • Executes dropped EXE
      • Checks processor information in registry
      PID:5060
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4472 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:4840

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\Debug\zewhost.exe

    Filesize

    197KB

    MD5

    fc2bde0c882885aa39b898264bf8be52

    SHA1

    4e97f3d9f8cc698d481937a3fb39980ca0d72a76

    SHA256

    e3bde11d908b3e00095f2a6d8ffc22ff8218b3c629899e2208e4bad7f5fbb700

    SHA512

    3fb627ed9c2ac3a51e9528566aebcdb3b37c420b149451ec2a2013de525d516ff467c9a009f58eeeab40d4baa0742b98d4a91dcd7fae6680cdc44595b633f7dc