Overview

overview

7

Static

static

3

d3a50abae9...0b.exe

windows7-x64

7

d3a50abae9...0b.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/04/2024, 14:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d3a50abae9ab782b293d7e06c7cd518bbcec16df867f2bdcc106dec1e75dc80b.exe

  • Size

    461KB

  • MD5

    b03192389159b15f5552c82a29c747fe

  • SHA1

    a9d64e615171b05a402422056ddfcd250febae93

  • SHA256

    d3a50abae9ab782b293d7e06c7cd518bbcec16df867f2bdcc106dec1e75dc80b

  • SHA512

    acc12fd9cd4b4ddf3dcab060be01f6369ef8f8b77af6757e065c22df43a3d8796e8c46b485e9c68f37816c6f439ddf23e9fc9e1f647438e80f589418da7b5a40

  • SSDEEP

    12288:bxmIJQvPkitVCR3pPuIyDxs/db32AVUKo:NmoO8itVsZPuxlkj28UKo

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d3a50abae9ab782b293d7e06c7cd518bbcec16df867f2bdcc106dec1e75dc80b.exe
    "C:\Users\Admin\AppData\Local\Temp\d3a50abae9ab782b293d7e06c7cd518bbcec16df867f2bdcc106dec1e75dc80b.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3364
    • C:\Users\Admin\AppData\Roaming\apple.exe
      "C:\Users\Admin\AppData\Roaming\apple.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2212
      • C:\Users\Admin\Wmi Player\siteadv.exe
        "C:\Users\Admin\Wmi Player\siteadv.exe" stat cc.tmp
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4180
        • C:\Users\Admin\Wmi Player\siteadv.exe
          "C:\Users\Admin\Wmi Player\siteadv.exe" install_del cc.tmp C:\Users\Admin\AppData\Roaming\apple.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          PID:4488
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\0417.doc" /o ""
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1916
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4416 --field-trial-handle=2972,i,4036376905309803364,5412922217215781933,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3964

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\0417.doc
      Filesize

      64KB

      MD5

      a75c81a18e3965b5942e7b1669db16ca

      SHA1

      aad3241fd23372523528a99f4c18127a3ebbea59

      SHA256

      3e57ca992c235b68027cb62740d8e86a3294ac0ebcff4a2683b29bdaec016646

      SHA512

      3b8e11170ea7379ce8130dbd6d3a220cf4aa810308dc24f0c1b2fc1399200a7e8d8e258d0d2f5025e269c131dc2d6ac5dc28beedce839b9815574ed248c3a335

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
      Filesize

      241B

      MD5

      fa4d67ec5c66e6be06e0b1fd6394699c

      SHA1

      be115bd7f01a8ab2c253f82a3796395adec38ddb

      SHA256

      744988a5cb0984faac84617d2ee7a2bd46e401a1f655e8ae70687eefb8f2135f

      SHA512

      ffc7ff5a514e57b45e4f52b6c578d36cbba8830ceb7c8c805afa5eb5f349577b5345be6ada4ab9942734114f2903ebdebdda8ae465d7606132e556ea9c9ffb1d

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
      Filesize

      3KB

      MD5

      f8607eb76de477b1911f2b6949bbdef9

      SHA1

      2f966ddbc0ba7645990de4d52438e50168144172

      SHA256

      9a1e0fb0649ddd1467f44b03aa23c833223b8f6f7860200e85275eee30fbdc81

      SHA512

      698e0290efef69ab6bbccb562d959d1ba9c3baa92b8f41d4910c6b3fd5832f0eb4423584a494d82bb58b9f59d9b50b8b2d4a96530be0024150242138eab13da3

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
      Filesize

      3KB

      MD5

      9328a7d826c2c0ee44c042d66be0ff99

      SHA1

      1e86076b7dc8c90db8bfe3e44728e0c243fdcb21

      SHA256

      e8ff07f76004221efb292046782bcdb8de38daecdb562abc4f4e12efb9e4cc5d

      SHA512

      6a28e0ab878b061e0128284798547b76fbf0b96e847d0ff5de6135017081b0657f3579e0b6257b12c0da853a4c9ecbc54237f6c312aa9cd842a4f4370ee2f2d4

      Download Submit

    • C:\Users\Admin\AppData\Roaming\apple.exe
      Filesize

      290KB

      MD5

      b1f907379148c1e09009cda3cbd3877b

      SHA1

      e29b263a89217412f45d6c7a0235b19af030755a

      SHA256

      c3415bddc506839614cbb7186bfc6643713806de4f5b1c15445e96a644b44bea

      SHA512

      ced809231a420a63210edd3cb13a2b0696435bc043c1a61bfb8b025f242e562cdfd843a65ecdea97aaea2b86d4d5a384f9233787e6509bc88341c5cfed1bd5be

      Download Submit

    • C:\Users\Admin\Wmi Player\SiteAdv.dll
      Filesize

      70KB

      MD5

      343a9cc37cc9843cf862dd946c7eb714

      SHA1

      d5ce13a66e8407baec0f447c7fb41d493fd8d73a

      SHA256

      50f035100948f72b6f03ccc02f9c6073c9060d6e9c53c563a3fdb1d0c454916e

      SHA512

      5210640adf6ebfeb724e7700dcc4bb7e251541b59a2c2b1dd80e5a683e209a90f4af92de438dacec6b54c12c0c5922af3c5e12e8ab9c0f467ff13d9005a7ca81

      Download Submit

    • C:\Users\Admin\Wmi Player\cc.tmp
      Filesize

      85KB

      MD5

      27ea69e0233f32d521c7bb1330690731

      SHA1

      ec928047d511286c4db2580045d02ced34b639ea

      SHA256

      69863ba336156f4e559364b63a39f16e08ac3a6e3a0fa4ce11486ea16827f772

      SHA512

      fa6936f6b66add038c007ec530e7703e426d8c2bff32faf0dc0688512fdbc7331f423edc89f90ffeb059d25baef977b69fcdc8b43e89af4f467dbb077e062e6c

      Download Submit

    • C:\Users\Admin\Wmi Player\siteadv.exe
      Filesize

      34KB

      MD5

      0584b8020e41db48e267d26c641339c3

      SHA1

      de8b5b36e3638dc757cc3e7e7345b52f3e14b72e

      SHA256

      eb3b4e82ddfdb118d700a853587c9589c93879f62f576e104a62bdaa5a338d7b

      SHA512

      3a81b260a37b3bdfc0fffa08ab98cf6ebff3123a76c6f637d83471187e357d0af2e8d9eefe6ea32af9274dde732a7795312dded500a92c6bf3bedaf408abab07

      Download Submit

    • memory/1916-52-0x00007FF9331F0000-0x00007FF9333E5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1916-55-0x00007FF9331F0000-0x00007FF9333E5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1916-43-0x00007FF8F3270000-0x00007FF8F3280000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1916-42-0x00007FF9331F0000-0x00007FF9333E5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1916-44-0x00007FF9331F0000-0x00007FF9333E5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1916-45-0x00007FF9331F0000-0x00007FF9333E5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1916-46-0x00007FF9331F0000-0x00007FF9333E5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1916-47-0x00007FF9331F0000-0x00007FF9333E5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1916-48-0x00007FF9331F0000-0x00007FF9333E5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1916-49-0x00007FF9331F0000-0x00007FF9333E5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1916-50-0x00007FF9331F0000-0x00007FF9333E5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1916-51-0x00007FF9331F0000-0x00007FF9333E5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1916-40-0x00007FF9331F0000-0x00007FF9333E5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1916-53-0x00007FF9331F0000-0x00007FF9333E5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1916-54-0x00007FF8F0BE0000-0x00007FF8F0BF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1916-41-0x00007FF8F3270000-0x00007FF8F3280000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1916-57-0x00007FF9331F0000-0x00007FF9333E5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1916-59-0x00007FF8F0BE0000-0x00007FF8F0BF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1916-38-0x00007FF8F3270000-0x00007FF8F3280000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1916-39-0x00007FF9331F0000-0x00007FF9333E5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1916-83-0x00007FF9331F0000-0x00007FF9333E5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1916-84-0x00007FF9331F0000-0x00007FF9333E5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1916-85-0x00007FF9331F0000-0x00007FF9333E5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1916-37-0x00007FF8F3270000-0x00007FF8F3280000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1916-36-0x00007FF8F3270000-0x00007FF8F3280000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1916-118-0x00007FF8F3270000-0x00007FF8F3280000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1916-119-0x00007FF8F3270000-0x00007FF8F3280000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1916-120-0x00007FF8F3270000-0x00007FF8F3280000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1916-121-0x00007FF8F3270000-0x00007FF8F3280000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1916-122-0x00007FF9331F0000-0x00007FF9333E5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1916-123-0x00007FF9331F0000-0x00007FF9333E5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1916-124-0x00007FF9331F0000-0x00007FF9333E5000-memory.dmp

      Filesize

      2.0MB

      Download