Analysis

  • max time kernel
    90s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    01-04-2024 01:50

General

  • Target

    EA Crypto Hunter v4.0 MT4.rar

  • Size

    10.8MB

  • MD5

    1137667d7029b58692250444ce1368e8

  • SHA1

    2caecddf632e35f74608e6dec91e01ea44ee330c

  • SHA256

    c738e6735c575421100a31108799e1c577d83e0feeae0cc8e974d10f642fc5c8

  • SHA512

    cb907117844309ef74e477f5536292b924a04e7ee7a9cf2a479106fe7d6afe576112c0dd3f20cd6892396fe0cb7ceeb4c5ce26d602555b2e8c2d363a6a1a199b

  • SSDEEP

    196608:dYQ3xZrRuwHp6OrF4Wr3JjEFgoEbaHpQxXYNPU6ECy6lyHYdSNCQCEQP:1x9xJvFZJoDExYNPUdQAYq5QP

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\EA Crypto Hunter v4.0 MT4.rar"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4644
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\EA Crypto Hunter v4.0 MT4.rar"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1600
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:5116
    • C:\Windows\system32\mspaint.exe
      "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\EA Crypto Hunter v4.0 MT4\Gendor.jpg" /ForceBootstrapPaint3D
      1⤵
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1708
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
      1⤵
      • Drops file in System32 directory
      PID:3652
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:2200
    • C:\Windows\system32\mspaint.exe
      "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\EA Crypto Hunter v4.0 MT4\GNR-ForeX.jpg" /ForceBootstrapPaint3D
      1⤵
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4652
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:3244
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\EA Crypto Hunter v4.0 MT4\GNR-ForeX.txt
      1⤵
        PID:2136

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\Desktop\EA Crypto Hunter v4.0 MT4\GNR-ForeX.jpg

        Filesize

        59KB

        MD5

        63e423d22b8f61ec17d43f192c422076

        SHA1

        4578ac191df355c513e965a0f8794a5ff7c3d505

        SHA256

        c4810ecd8d59adea29cc143d73841dbd0632f8b9db5c97e6436751ff70132342

        SHA512

        832ebf6412bcc00196092f607edc7aac82c9709fdd64957552e10a3a095d2e8a54cab18fc9a3be2d0b91d4ec53f448540f1da39f0d3a0d02c02ff87d365877ce

      • C:\Users\Admin\Desktop\EA Crypto Hunter v4.0 MT4\GNR-ForeX.txt

        Filesize

        652B

        MD5

        05ee1d9ffc8b8d2a8acec93d2de221c4

        SHA1

        04652a41cda8c14535bb3898a1f224155b2ba982

        SHA256

        a0a205719bb86362376dea048c739180fd2fe374c00e3cefcde2a3d1fe15a772

        SHA512

        adef8cf7810b2659ca32013373e684728d490aba7942ade33188a5767f7be5dcd1f815ef819b312d28b4be9a7e507f5fcf22efb98637c808d797d42a0f389aa3

      • C:\Users\Admin\Desktop\EA Crypto Hunter v4.0 MT4\Gendor.jpg

        Filesize

        77KB

        MD5

        adc01c8b915b26dfca3f96c2161a38f8

        SHA1

        59f56d1380ad57b661fc36d8bbf40b7be07865f7

        SHA256

        fe977e58d2d592ddff2c72bb517a4c7216f04a2b6c73e40591a4ffc08cbe20da

        SHA512

        c9f4f960a28cf67bb609060b782f8c78c52cc8de4f44e8f28e9f2d90cb62d85204d0f47657261580730b7ec751b6fa99f8669efc700af0517528d14d8d91b67f

      • memory/3652-12-0x0000023295B60000-0x0000023295B70000-memory.dmp

        Filesize

        64KB

      • memory/3652-16-0x0000023295BA0000-0x0000023295BB0000-memory.dmp

        Filesize

        64KB

      • memory/3652-23-0x000002329DE70000-0x000002329DE71000-memory.dmp

        Filesize

        4KB

      • memory/3652-25-0x000002329DEF0000-0x000002329DEF1000-memory.dmp

        Filesize

        4KB

      • memory/3652-27-0x000002329DEF0000-0x000002329DEF1000-memory.dmp

        Filesize

        4KB

      • memory/3652-28-0x000002329DF80000-0x000002329DF81000-memory.dmp

        Filesize

        4KB

      • memory/3652-29-0x000002329DF80000-0x000002329DF81000-memory.dmp

        Filesize

        4KB

      • memory/3652-30-0x000002329DF90000-0x000002329DF91000-memory.dmp

        Filesize

        4KB

      • memory/3652-31-0x000002329DF90000-0x000002329DF91000-memory.dmp

        Filesize

        4KB