Analysis

  • max time kernel
    141s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/04/2024, 18:07

General

  • Target

    f5245ad61b4e0c85c3a7e5f1d835e43d334fcb4d5f5aa0b8a5b0405ee3bfb6b6.exe

  • Size

    2.1MB

  • MD5

    865554ed822848c29ccc151c3a9e9087

  • SHA1

    9b3838023e211b4937b37bb578129ed02d1d4b0e

  • SHA256

    f5245ad61b4e0c85c3a7e5f1d835e43d334fcb4d5f5aa0b8a5b0405ee3bfb6b6

  • SHA512

    ec81c02d7bbb7130505caf003ca1e131d3451fc10bb7de55525ccdd26a18b715070de1cbc5f75b594ca00c7a908fbff603caa0c7eeea488035a7f2562498e6ae

  • SSDEEP

    49152:j5219/B28j5219/BUxXrHTkdEFzdHMfgLV4dSmwISz5niVdpFV:jG952UG95UxPkdEFRsfgLmST/ViVdd

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory (3 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (1 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe (16 IoCs)
  • Suspicious use of WriteProcessMemory (46 IoCs)
  • Views/modifies file attributes (1 TTPs, 2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5245ad61b4e0c85c3a7e5f1d835e43d334fcb4d5f5aa0b8a5b0405ee3bfb6b6.exe
    "C:\Users\Admin\AppData\Local\Temp\f5245ad61b4e0c85c3a7e5f1d835e43d334fcb4d5f5aa0b8a5b0405ee3bfb6b6.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4484
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Addon\Arquivos de Programas\Adicionais\PRIVATE-USER.cmd" "
      2⤵
      • Drops file in Drivers directory
      • Suspicious use of WriteProcessMemory
      PID:4712
      • C:\Windows\system32\cacls.exe
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        3⤵
          PID:2952
        • C:\Windows\system32\attrib.exe
          attrib -r C:\Windows\system32\drivers\etc\hosts
          3⤵
          • Drops file in Drivers directory
          • Views/modifies file attributes
          PID:1208
        • C:\Windows\system32\attrib.exe
          attrib +r C:\Windows\system32\drivers\etc\hosts
          3⤵
          • Drops file in Drivers directory
          • Views/modifies file attributes
          PID:2368
      • C:\Users\Admin\AppData\Local\Temp\Addon\Arquivos de Programas\Adicionais\SUPORTE.exe
        "C:\Users\Admin\AppData\Local\Temp\Addon\Arquivos de Programas\Adicionais\SUPORTE.exe"
        2⤵
        • Executes dropped EXE
        PID:1492
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Addon\Arquivos de Programas\Adicionais\ACTIVATED.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2480
        • C:\Windows\system32\mode.com
          mode con: cols=80 lines=10
          3⤵
            PID:2100
          • C:\Windows\system32\timeout.exe
            timeout /t 1 /nobreak
            3⤵
            • Delays execution with timeout.exe
            PID:980
          • C:\Windows\system32\timeout.exe
            timeout /t 1 /nobreak
            3⤵
            • Delays execution with timeout.exe
            PID:2516
          • C:\Windows\system32\timeout.exe
            timeout /t 1 /nobreak
            3⤵
            • Delays execution with timeout.exe
            PID:1544
          • C:\Windows\system32\timeout.exe
            timeout /t 1 /nobreak
            3⤵
            • Delays execution with timeout.exe
            PID:1468
          • C:\Windows\system32\timeout.exe
            timeout /t 1 /nobreak
            3⤵
            • Delays execution with timeout.exe
            PID:1440
          • C:\Windows\system32\timeout.exe
            timeout /t 1 /nobreak
            3⤵
            • Delays execution with timeout.exe
            PID:4444
          • C:\Windows\system32\timeout.exe
            timeout /t 1 /nobreak
            3⤵
            • Delays execution with timeout.exe
            PID:4852
          • C:\Windows\system32\timeout.exe
            timeout /t 1 /nobreak
            3⤵
            • Delays execution with timeout.exe
            PID:2376
          • C:\Windows\system32\timeout.exe
            timeout /t 1 /nobreak
            3⤵
            • Delays execution with timeout.exe
            PID:3440
          • C:\Windows\system32\timeout.exe
            timeout /t 1 /nobreak
            3⤵
            • Delays execution with timeout.exe
            PID:3692
          • C:\Windows\system32\timeout.exe
            timeout /t 1 /nobreak
            3⤵
            • Delays execution with timeout.exe
            PID:500
          • C:\Windows\system32\timeout.exe
            timeout /t 1 /nobreak
            3⤵
            • Delays execution with timeout.exe
            PID:2424
          • C:\Windows\system32\timeout.exe
            timeout /t 1 /nobreak
            3⤵
            • Delays execution with timeout.exe
            PID:4544
          • C:\Windows\system32\timeout.exe
            timeout /t 1 /nobreak
            3⤵
            • Delays execution with timeout.exe
            PID:1404
          • C:\Windows\system32\timeout.exe
            timeout /t 1 /nobreak
            3⤵
            • Delays execution with timeout.exe
            PID:3408
          • C:\Windows\system32\timeout.exe
            timeout /t 3
            3⤵
            • Delays execution with timeout.exe
            PID:1204
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:2960

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Addon\Arquivos de Programas\Adicionais\ACTIVATED.bat
    Filesize
    641B
    MD5
    d6ac638f591dba96bbf9e33faf401f29
    SHA1
    42631098992a88920732cbc9eee0ee72d65f84d0
    SHA256
    e8220d84abad5ce2362917f6a0f1a213fc4e65f72c7a5284bbd95cf453175ca0
    SHA512
    d99d185bbaa7b1cc3f9a8ccdc7c63d00db1a309a1d1aff8f8c714acba47432569183acab52187d49abf2c62b2c31fa8cb4c69123344ec80c3f1853ec2b4b064d

  • C:\Users\Admin\AppData\Local\Temp\Addon\Arquivos de Programas\Adicionais\PRIVATE-USER.cmd
    Filesize
    9KB
    MD5
    0c739d0021c968abbd85ac72f1109754
    SHA1
    e4fb728296286bb927e33558d0f70f8d07fda6ac
    SHA256
    9057f37af86063ffc0d4c553e418f25888090ed6be97790f46556626edfc698b
    SHA512
    ff45765783d7bbf63a44dd853373d93df7676afd5c36e9bd74b746ce92c365a66cc8ba356536c96262e2a9181e9331cf87f34e2ad94795501f18295c211feead

  • C:\Users\Admin\AppData\Local\Temp\Addon\Arquivos de Programas\Adicionais\SUPORTE.exe
    Filesize
    1.6MB
    MD5
    57e31a60a690725dc65c2fb6e9b21762
    SHA1
    9d2f2c166e828b9a73a23253d2e64a05e4a27d60
    SHA256
    4d296e115922566a3e56afcea77eb9a436c1b70ec84c32f047ffd866940b1b16
    SHA512
    70f48d81e59f38518813b60fe93fc34e5944fea0254def03f8ea17e78c5ba686f5a31ca025075cd43e02745d843408e7df5db54be11663d9a45410a031aa68fb

  • C:\Windows\system32\drivers\etc\hosts
    Filesize
    8KB
    MD5
    246299d2385306132314f36346f0a642
    SHA1
    825b9b675bcb1f991be778c429ab1bcdb26ba832
    SHA256
    149640bff7e404334999f040576ea3dbebee0e3203ac761898591669c305e88a
    SHA512
    6239fd5820cc365a8842073c836e24a8fe92843e538bea876fd61da389e79031582e1a7bc26d92ae20fce535961ad63184cda2f4267cce5d1feb1b857a29fc63