Overview

overview

7

Static

static

3

c4cdd9b638...f7.exe

windows7-x64

3

c4cdd9b638...f7.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    137s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-04-2024 20:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c4cdd9b6388a6a7e0c35475cf7e1eef7.exe

  • Size

    87KB

  • MD5

    c4cdd9b6388a6a7e0c35475cf7e1eef7

  • SHA1

    c351f90e6ef17e51dbe88eb274a2a956799b94e3

  • SHA256

    c451ac9fcabd54258a3188d9d9fcef8b5f03627d8770f05b98e4e28670c7f977

  • SHA512

    d78798ea3362572156f897394efbb3a5fe99a948d1fd0555b639a5c528493fa9451895b717f471503f303af3a4bf770b948ef7f3229f84de8bae8f167be5acea

  • SSDEEP

    1536:77fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfsxTOA:Xq6+ouCpk2mpcWJ0r+QNTBfsl

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c4cdd9b6388a6a7e0c35475cf7e1eef7.exe
    "C:\Users\Admin\AppData\Local\Temp\c4cdd9b6388a6a7e0c35475cf7e1eef7.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4456
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\38AF.tmp\391D.tmp\391E.bat C:\Users\Admin\AppData\Local\Temp\c4cdd9b6388a6a7e0c35475cf7e1eef7.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3212
      • C:\Windows\system32\net.exe
        net user administrator /active:yes
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2820
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 user administrator /active:yes
          4⤵
            PID:2904
        • C:\Windows\system32\net.exe
          net user circleci Oscar1181272372. /add
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:232
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 user circleci Oscar1181272372. /add
            4⤵
              PID:4200
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:4012

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\38AF.tmp\391D.tmp\391E.bat
          Filesize

          691B

          MD5

          8062a05562ee5c5ec6ed1b0a0df0c14c

          SHA1

          f911e3a4bd4e0ab04e287a84f52579f72dfdae93

          SHA256

          7bfd7fb4221175189cb5867d7eb1ebe334436314863af209a3ed18c987bd0111

          SHA512

          10cc8d9e4808316f2c87e29418014db268241685f29cabb986d8088c2e409db81f427cc491740d4b6ae063202a148cc249dbdaae0ad392ee48ca163cb5648c85

          Download Submit