Analysis

  • max time kernel
    141s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/03/2024, 18:01

General

  • Target

    f0f74400fc18908065b8f5f97c9b9405941051a3b99b027ce0349d1f6e5abb69.exe

  • Size

    197KB

  • MD5

    7567110787c5f71e285ed9c6beb7124d

  • SHA1

    155f68d30209398c904a01d2929426ffae3422c9

  • SHA256

    f0f74400fc18908065b8f5f97c9b9405941051a3b99b027ce0349d1f6e5abb69

  • SHA512

    cc989cf079b2ce3c7b307e54dca332b4fce69a6041fcf84c15bc95032fe953b61c958beee2a448629721ad5706835ff802bbda58d81e1f50728f27b7f3a6ce65

  • SSDEEP

    6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOO:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXX/

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofencing check.

  • Executes dropped EXE (1 IoC)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read to detect sandbox environments.

  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\f0f74400fc18908065b8f5f97c9b9405941051a3b99b027ce0349d1f6e5abb69.exe (PID 532, tree depth 1)
    "C:\Users\Admin\AppData\Local\Temp\f0f74400fc18908065b8f5f97c9b9405941051a3b99b027ce0349d1f6e5abb69.exe"
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\cmd.exe (PID 2256, tree depth 2, child of PID 532)
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\F0F744~1.EXE > nul
      (The command line names system32 but the image resolved to SysWOW64: the parent runs under WOW64, i.e. the sample is a 32-bit process. The del target is the sample's own 8.3 short name, so this is self-deletion of the original file after the copy has been dropped.)
  • C:\Windows\Debug\gsqhost.exe (PID 4072, tree depth 1; a top-level process, not a child of PID 532)
    C:\Windows\Debug\gsqhost.exe
    • Executes dropped EXE
    • Checks processor information in registry

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\debug\gsqhost.exe

    Filesize

    197KB

    MD5

    44f0cbe3a3b75abcb4b0166c897b23ed

    SHA1

    572efc842420fe9e4f8d5834d54a2f9714313b42

    SHA256

    ab82c52f40f035362ed30d26d7085ea104ff62e712fa0cec75de5498841d2c80

    SHA512

    2f94381e0b9e9cc36d5a0583caf9680ba734ec975e666140bea55df1030567d569b028cffd5750a1cb7d6fe7908e22435927c0f41a866de96eb325c8cd3bf7af
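The process tree and the two SHA256 values in this report can be turned directly into detection logic. The Python below is an added example, not part of the sandbox report or of the sample: it replays Sysmon-style process-creation events constructed here to mirror the tree (the parent PIDs of the two root processes, the cmd.exe and notepad.exe hashes, the notepad.exe control event and the field layout are assumptions) and flags the three things the report documents: cmd.exe deleting its parent's image via the 8.3 short name F0F744~1.EXE, a process image executing from C:\Windows\Debug, and a hash match against the report's SHA256 IOCs.

```python
import re
from dataclasses import dataclass
from typing import Optional

# SHA256 values copied from the report: the submitted sample and the copy it drops.
REPORT_SHA256 = {
    "f0f74400fc18908065b8f5f97c9b9405941051a3b99b027ce0349d1f6e5abb69": "submitted sample",
    "ab82c52f40f035362ed30d26d7085ea104ff62e712fa0cec75de5498841d2c80": "dropped gsqhost.exe",
}

# Directory the dropped copy executes from, per the process tree (lower-cased for comparison).
DROP_DIR = "c:\\windows\\debug\\"


@dataclass
class ProcEvent:
    """Minimal Sysmon-style ProcessCreate record (field set is an assumption)."""
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    sha256: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f0f74400fc18908065b8f5f97c9b9405941051a3b99b027ce0349d1f6e5abb69.exe"

# Constructed events mirroring the report's tree. PPIDs of the root processes, the
# cmd.exe/notepad.exe hashes and the notepad.exe control event are assumptions.
EVENTS = [
    ProcEvent(532, 4000, SAMPLE, f'"{SAMPLE}"',
              "f0f74400fc18908065b8f5f97c9b9405941051a3b99b027ce0349d1f6e5abb69"),
    ProcEvent(2256, 532, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\F0F744~1.EXE > nul',
              "0" * 64),
    ProcEvent(4072, None, r"C:\Windows\Debug\gsqhost.exe", r"C:\Windows\Debug\gsqhost.exe",
              "ab82c52f40f035362ed30d26d7085ea104ff62e712fa0cec75de5498841d2c80"),
    ProcEvent(5100, 4000, r"C:\Windows\System32\notepad.exe", "notepad.exe", "1" * 64),
]

# "/c del [/f /q ...] <target>" with an optionally quoted target.
DEL_RE = re.compile(r'/c\s+del\s+(?:/[a-z]\s+)*"?([^"\s>]+)"?', re.IGNORECASE)


def short_name_matches(long_path: str, candidate: str) -> bool:
    """True if candidate names the same file as long_path, accepting an 8.3 short
    name (F0F744~1.EXE for f0f74400...exe). The short form is derived by the usual
    rule of thumb (first 6 stem characters, '~N', first 3 extension characters);
    it is a heuristic, not a lookup of the real short name on the file system."""
    ldir, _, lname = long_path.rpartition("\\")
    cdir, _, cname = candidate.rpartition("\\")
    if ldir.lower() != cdir.lower():
        return False
    if lname.lower() == cname.lower():
        return True
    m = re.fullmatch(r"([A-Z0-9_]{1,6})~\d+(?:\.([A-Z0-9_]{0,3}))?", cname.upper())
    if not m:
        return False
    stem, _, ext = lname.upper().rpartition(".") if "." in lname else (lname.upper(), "", "")
    stem = re.sub(r"[ .]", "", stem)
    return stem[:6] == m.group(1) and ext[:3] == (m.group(2) or "")


def detect_self_delete(events):
    """cmd.exe whose 'del' target is its own parent's image: the step seen at PID 2256."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and parent and short_name_matches(parent.image, m.group(1)):
            hits.append((e.pid, f"cmd.exe deletes parent image {parent.image}"))
    return hits


def detect_windows_debug_exec(events):
    """Any process image under C:\\Windows\\Debug, where the dropped copy ran from."""
    return [(e.pid, e.image) for e in events if e.image.lower().startswith(DROP_DIR)]


def detect_known_hashes(events):
    """Exact SHA256 match against the two hashes the report lists."""
    return [(e.pid, REPORT_SHA256[e.sha256.lower()])
            for e in events if e.sha256.lower() in REPORT_SHA256]


def run_all(events=EVENTS):
    return {
        "self_delete": detect_self_delete(events),
        "windows_debug_exec": detect_windows_debug_exec(events),
        "known_hash": detect_known_hashes(events),
    }


if __name__ == "__main__":
    for rule, hits in run_all().items():
        for pid, detail in hits:
            print(f"[{rule}] PID {pid}: {detail}")
```

The short-name comparison is the part most worth keeping: a rule that compares the del target literally against the parent's image misses this sample because the malware passes the 8.3 form. On real telemetry the same three functions would read the Sysmon ProcessCreate Image, CommandLine, ParentProcessId and Hashes fields instead of the constructed records.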