Resubmissions

24-06-2024 13:27

240624-qqbq2sthna 10

06-04-2024 12:50

240406-p2yvaabc36 10

Analysis

  • max time kernel
    108s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-04-2024 12:50

General

  • Target

    6371b930d541e441cb5a9234b327395e05501f3405fb45ef13d9c2dabb6aa40c.exe

  • Size

    145KB

  • MD5

    c00352e2857075c8f757ea9be769b652

  • SHA1

    2a100aa5902ba6f9f35187117182afabf220071b

  • SHA256

    6371b930d541e441cb5a9234b327395e05501f3405fb45ef13d9c2dabb6aa40c

  • SHA512

    94d7e90ebd6b1d37daa43617a345c463d59096903a55621ff3eb490179411cb7bb58f75bb396a5d2b8720701833dc623ddfb259ad35c0716703a8e4bc66018ad

  • SSDEEP

    3072:m6glyuxE4GsUPnliByocWepbN3/1rtqd:m6gDBGpvEByocWeFN3/F8

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6371b930d541e441cb5a9234b327395e05501f3405fb45ef13d9c2dabb6aa40c.exe
    "C:\Users\Admin\AppData\Local\Temp\6371b930d541e441cb5a9234b327395e05501f3405fb45ef13d9c2dabb6aa40c.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3272
    • C:\ProgramData\4D21.tmp
      "C:\ProgramData\4D21.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:3172
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\4D21.tmp >> NUL
        3⤵
          PID:1496
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1380 --field-trial-handle=2496,i,15897292497548307209,13920214570023230813,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:3840

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\$Recycle.Bin\S-1-5-21-1904519900-954640453-4250331663-1000\desktop.ini

        Filesize

        129B

        MD5

        b463da9a48d64dfd98bf30128296af66

        SHA1

        564dde659e1a217bc618b6613a84abe9c2064c2f

        SHA256

        927b002ca0692cf6d4a382022c1a55e999de758fd1123600034f8e69d8b15cb4

        SHA512

        82be637c039f1c21d272d9af1750d6a94a6ea633ff4f8d6288d09ed563f826e58733cef52111afc7df391187db972b99656cf6e19e3d644e8d0fe2f03352d4c4

      • C:\2P7jdGpHD.README.txt

        Filesize

        354B

        MD5

        82477511bd66d813474e640b636bba76

        SHA1

        045c9f40e45f02e9154166a012e5a021ae5e3ca8

        SHA256

        bc381eb017ab84d17eb6f3ae994305ef1edd3898d5ec140b2dd5ba478c81e428

        SHA512

        12d62cece6f54188720ea3381b4695129e06aed7c7ff9f0170f349b47bfdb8eff93fa3d682bb2e995310586088cd5a27e28b14a2f85bedd9568d3451ab9966c4

      • C:\ProgramData\4D21.tmp

        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

        Filesize

        145KB

        MD5

        0f4bd8209a4c53b0fb3dfb62e3dcd4b1

        SHA1

        1995a4d95facd2497de3014b1e32fee72265b1a2

        SHA256

        9cb7f1d1177727ad95b18127cd5b11b3eee215e2d7756bf6c7e381f3172d3484

        SHA512

        a8846000f1cc68afb2dd9d7ba14ba5123c42f097aa4531fbfef13f83855ad86e91174e3510137d7cf49fc95c613bfd0f8d0547c11eaf57282774aa9bbd000121

      • F:\$RECYCLE.BIN\S-1-5-21-1904519900-954640453-4250331663-1000\EEEEEEEEEEE

        Filesize

        129B

        MD5

        31c32fa2d32a705d85f4d00b6ba81099

        SHA1

        b4c5d92ac8fd4005e2c6421a36eb2d1da5d8a635

        SHA256

        b7116a8a1be94f686dbbe585bccd7c1c5ef6a71d511e9b33cc19c3c459c9b25c

        SHA512

        527ea372977068eac21dff7ea28405859060bba807696c9aad4064b8addd3213d6eb7ab0ab94f0471691406be0032652ba609cd8cf91c7d9ce0256feceedf0fb

      • memory/3172-119-0x0000000000530000-0x0000000000540000-memory.dmp

        Filesize

        64KB

      • memory/3172-117-0x000000007FE40000-0x000000007FE41000-memory.dmp

        Filesize

        4KB

      • memory/3172-118-0x0000000000530000-0x0000000000540000-memory.dmp

        Filesize

        64KB

      • memory/3172-120-0x000000007FE20000-0x000000007FE21000-memory.dmp

        Filesize

        4KB

      • memory/3172-121-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

        Filesize

        4KB

      • memory/3172-150-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

        Filesize

        4KB

      • memory/3172-151-0x000000007FE00000-0x000000007FE01000-memory.dmp

        Filesize

        4KB

      • memory/3272-110-0x00000000027B0000-0x00000000027C0000-memory.dmp

        Filesize

        64KB

      • memory/3272-111-0x00000000027B0000-0x00000000027C0000-memory.dmp

        Filesize

        64KB

      • memory/3272-112-0x00000000027B0000-0x00000000027C0000-memory.dmp

        Filesize

        64KB

      • memory/3272-1-0x00000000027B0000-0x00000000027C0000-memory.dmp

        Filesize

        64KB

      • memory/3272-0-0x00000000027B0000-0x00000000027C0000-memory.dmp

        Filesize

        64KB

      • memory/3272-2-0x00000000027B0000-0x00000000027C0000-memory.dmp

        Filesize

        64KB