Analysis
max time kernel: 170s
max time network: 184s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-04-2024 22:16
Behavioral task: behavioral1
Sample: 3e0d33efe3c6c4255c2a831a2aad7e98.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 3e0d33efe3c6c4255c2a831a2aad7e98.exe
Resource: win10v2004-20240226-en
General
Target: 3e0d33efe3c6c4255c2a831a2aad7e98.exe
Size: 2.0MB
MD5: 3e0d33efe3c6c4255c2a831a2aad7e98
SHA1: c0d51e74652b7d3e0057217febb144366118e304
SHA256: 2cf6491aaca2e48a5e726da399c47e4fc45f2a30418909ceed9737cc159f89e5
SHA512: d39a0f98c032888ed0dcf36c3d3e7ba6a72b9a14d81c2cb658c7a23c613019d11e694a52e603a7c2791d10d7190b720153a872db5c3f6b484465ca0167020ff8
SSDEEP: 49152:C2R5N3N9qdhCvIAzj1wLcQiHWciKvfK7k5WMOwwg:C2R7NYMqcQqJl67fZg
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
resource | yara_rule
behavioral2/memory/2536-0-0x0000000000400000-0x0000000000420000-memory.dmp | upx
behavioral2/memory/2536-1-0x0000000000400000-0x0000000000420000-memory.dmp | upx
behavioral2/memory/2536-4-0x0000000000400000-0x0000000000420000-memory.dmp | upx
behavioral2/memory/2536-5-0x0000000000400000-0x0000000000420000-memory.dmp | upx
behavioral2/memory/2536-7-0x0000000000400000-0x0000000000420000-memory.dmp | upx
behavioral2/memory/2536-8-0x0000000000400000-0x0000000000420000-memory.dmp | upx
behavioral2/memory/2536-9-0x0000000000400000-0x0000000000420000-memory.dmp | upx
behavioral2/memory/640-10-0x0000000000400000-0x0000000000420000-memory.dmp | upx
behavioral2/memory/5036-11-0x0000000000400000-0x0000000000420000-memory.dmp | upx
behavioral2/memory/2536-12-0x0000000000400000-0x0000000000420000-memory.dmp | upx
behavioral2/files/0x000800000002324b-14.dat | upx
behavioral2/memory/3764-19-0x0000000000400000-0x0000000000420000-memory.dmp | upx
behavioral2/memory/640-20-0x0000000000400000-0x0000000000420000-memory.dmp | upx
behavioral2/memory/5036-21-0x0000000000400000-0x0000000000420000-memory.dmp | upx
behavioral2/memory/2536-22-0x0000000000400000-0x0000000000420000-memory.dmp | upx
behavioral2/memory/2536-27-0x0000000000400000-0x0000000000420000-memory.dmp | upx
behavioral2/memory/2536-31-0x0000000000400000-0x0000000000420000-memory.dmp | upx
behavioral2/memory/2536-35-0x0000000000400000-0x0000000000420000-memory.dmp | upx
behavioral2/memory/2536-39-0x0000000000400000-0x0000000000420000-memory.dmp | upx
behavioral2/memory/2536-43-0x0000000000400000-0x0000000000420000-memory.dmp | upx
behavioral2/memory/2536-47-0x0000000000400000-0x0000000000420000-memory.dmp | upx
behavioral2/memory/2536-51-0x0000000000400000-0x0000000000420000-memory.dmp | upx
behavioral2/memory/2536-56-0x0000000000400000-0x0000000000420000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\B: | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
File opened (read-only) | \??\H: | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
File opened (read-only) | \??\I: | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
File opened (read-only) | \??\L: | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
File opened (read-only) | \??\N: | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
File opened (read-only) | \??\T: | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
File opened (read-only) | \??\U: | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
File opened (read-only) | \??\K: | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
File opened (read-only) | \??\O: | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
File opened (read-only) | \??\V: | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
File opened (read-only) | \??\X: | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
File opened (read-only) | \??\A: | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
File opened (read-only) | \??\E: | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
File opened (read-only) | \??\G: | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
File opened (read-only) | \??\J: | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
File opened (read-only) | \??\P: | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
File opened (read-only) | \??\W: | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
File opened (read-only) | \??\Y: | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
File opened (read-only) | \??\Z: | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
File opened (read-only) | \??\M: | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
File opened (read-only) | \??\Q: | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
File opened (read-only) | \??\R: | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
File opened (read-only) | \??\S: | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
Drops file in Program Files directory (12 IoCs)
description | ioc | Process
File created | C:\Program Files\Microsoft Office\root\Templates\japanese fetish lingerie full movie titts .mpg.exe | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\trambling several models hairy .zip.exe | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
File created | C:\Program Files\Microsoft Office\Updates\Download\brasilian action blowjob hidden glans mistress .rar.exe | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\american cum blowjob voyeur high heels .mpeg.exe | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\lesbian hot (!) glans .rar.exe | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
File created | C:\Program Files\Common Files\microsoft shared\hardcore lesbian blondie .avi.exe | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
File created | C:\Program Files\dotnet\shared\swedish porn bukkake girls hole ash (Janette).mpg.exe | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\xxx voyeur upskirt .rar.exe | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\japanese beastiality horse uncut titts .rar.exe | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\gay hot (!) blondie .zip.exe | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
File created | C:\Program Files\Windows Sidebar\Shared Gadgets\xxx big bedroom .zip.exe | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\indian nude fucking girls swallow .mpg.exe | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
Drops file in Windows directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\mssrv.exe | 3e0d33efe3c6c4255c2a831a2aad7e98.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 2536 wrote to memory of 3764 | 2536 | 3e0d33efe3c6c4255c2a831a2aad7e98.exe | 98
PID 2536 wrote to memory of 3764 | 2536 | 3e0d33efe3c6c4255c2a831a2aad7e98.exe | 98
PID 2536 wrote to memory of 3764 | 2536 | 3e0d33efe3c6c4255c2a831a2aad7e98.exe | 98
PID 2536 wrote to memory of 640 | 2536 | 3e0d33efe3c6c4255c2a831a2aad7e98.exe | 99
PID 2536 wrote to memory of 640 | 2536 | 3e0d33efe3c6c4255c2a831a2aad7e98.exe | 99
PID 2536 wrote to memory of 640 | 2536 | 3e0d33efe3c6c4255c2a831a2aad7e98.exe | 99
PID 3764 wrote to memory of 5036 | 3764 | 3e0d33efe3c6c4255c2a831a2aad7e98.exe | 100
PID 3764 wrote to memory of 5036 | 3764 | 3e0d33efe3c6c4255c2a831a2aad7e98.exe | 100
PID 3764 wrote to memory of 5036 | 3764 | 3e0d33efe3c6c4255c2a831a2aad7e98.exe | 100
Processes
C:\Users\Admin\AppData\Local\Temp\3e0d33efe3c6c4255c2a831a2aad7e98.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3e0d33efe3c6c4255c2a831a2aad7e98.exe"
  PID: 2536 (tree level 1)
  - Checks computer location settings
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\3e0d33efe3c6c4255c2a831a2aad7e98.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3e0d33efe3c6c4255c2a831a2aad7e98.exe"
      PID: 3764 (tree level 2)
      - Checks computer location settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\3e0d33efe3c6c4255c2a831a2aad7e98.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\3e0d33efe3c6c4255c2a831a2aad7e98.exe"
          PID: 5036 (tree level 3)
          - Suspicious behavior: EnumeratesProcesses
    C:\Users\Admin\AppData\Local\Temp\3e0d33efe3c6c4255c2a831a2aad7e98.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3e0d33efe3c6c4255c2a831a2aad7e98.exe"
      PID: 640 (tree level 2)
      - Suspicious behavior: EnumeratesProcesses
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3276 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
  PID: 3552 (tree level 1)
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\xxx voyeur upskirt .rar.exe
Filesize: 1.5MB
MD5: 723fb367556370dc4c951236d074ab3a
SHA1: 5dcd0fd58c8d2ccbe9a96fa527c64622a32d5da9
SHA256: df23bd19938576e40adaf9b3e6e8223b9e6d4e5ca7cd181705259ca7cb0cd571
SHA512: f5b55c1b880bffe3ab3977329c09cc50666dde67136aeca33ab750daf6abb3a68cf2cdcad7ec7f0a74a9b221506a07df0f957198ba282974dac26ea22235781b