Analysis

  max time kernel:   449s
  max time network:  452s
  platform:          windows10-2004_x64
  resource:          win10v2004-20240226-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         07-04-2024 19:50
Static task
  static1

Behavioral tasks (task, sample, resource)
  behavioral1  Office_2013-2024_C2R_Install/OInstall.exe                  win10v2004-20240226-en
  behavioral2  Office_2013-2024_C2R_Install/activate.exe                  win10v2004-20240226-en
  behavioral3  Office_2013-2024_C2R_Install/files/Configure.xml           win10v2004-20240319-en
  behavioral4  Office_2013-2024_C2R_Install/files/Uninstall.xml           win10v2004-20240226-en
  behavioral5  Office_2013-2024_C2R_Install/files/x64/cleanospp.exe       win10v2004-20240226-en
  behavioral6  Office_2013-2024_C2R_Install/files/x64/msvcr100.dll        win10v2004-20240226-en
  behavioral7  Office_2013-2024_C2R_Install/files/x86/cleanospp.exe       win10v2004-20240226-en
  behavioral8  Office_2013-2024_C2R_Install/files/x86/msvcr100.dll        win10v2004-20240226-en
General

  Target:  Office_2013-2024_C2R_Install/activate.exe
  Size:    332.5MB
  MD5:     858dd6a097f4745df576c37e01119ec2
  SHA1:    9c5c603f8eb74f6f3101611a94a597eb0d46765d
  SHA256:  1257b591c67c8fc0d3c4490fd80c62ff98760f1a1a74b24920f38b24698e44be
  SHA512:  d341e636146dd2e987cf3b5c6e128d0d32531f89719e088f6bec7912c54ee14b1abf2c60856bbe064b264252559351a9e6746a78134792cd7a08961070d860e5
  SSDEEP:  98304:zd2rIjP+6mg6sNHvmmzPwshcxfre/W6I/vuOFmCJl+6KZCOVgb:zd2rg+75sRmmLThcd6qmCyoOV0
Malware Config
Signatures

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes (process, description, ioc):
    activate.exe  Key value queried  \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation

- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    1292  Davonevur.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes (pid, process):
    1680  activate.exe
    1680  activate.exe

- Drops file in Windows directory (2 IoCs)
  Processes (process, description, ioc):
    expand.exe  File opened for modification  C:\Windows\LOGS\DPX\setuperr.log
    expand.exe  File opened for modification  C:\Windows\LOGS\DPX\setupact.log

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (process, description, ioc):
    activate.exe  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    activate.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
    1680  activate.exe
    1680  activate.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source pid, source process -> target pid, target process; each pair is reported three times):
    1680  activate.exe  ->  3696  cmd.exe
    3696  cmd.exe       ->  2488  expand.exe
    1680  activate.exe  ->  4396  cmd.exe
    4396  cmd.exe       ->  1568  schtasks.exe
Processes (process tree; each entry gives image path, command line, matched signatures and PID)

- C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\activate.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\activate.exe"
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1680

  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c expand.exe "C:\Users\Admin\AppData\Roaming\ServiceData\c2Gt4H.tmp" -F:* "C:\Users\Admin\AppData\Roaming\ServiceData"
    - Suspicious use of WriteProcessMemory
    PID: 3696

    - C:\Windows\SysWOW64\expand.exe
      Command line: expand.exe "C:\Users\Admin\AppData\Roaming\ServiceData\c2Gt4H.tmp" -F:* "C:\Users\Admin\AppData\Roaming\ServiceData"
      - Drops file in Windows directory
      PID: 2488

  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c schtasks /create /tn \Service\Data /tr """"C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe""" """C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.jpg"""" /st 00:01 /du 9800:59 /sc once /ri 1 /f
    - Suspicious use of WriteProcessMemory
    PID: 4396

    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /tn \Service\Data /tr """"C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe""" """C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.jpg"""" /st 00:01 /du 9800:59 /sc once /ri 1 /f
      - Creates scheduled task(s)
      PID: 1568

- C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe
  Command line: C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe "C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.jpg"
  - Executes dropped EXE
  PID: 1292
Network
MITRE ATT&CK Enterprise v15
Downloads