Analysis
- max time kernel: 135s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-04-2024 08:29
Static task
- static1
Behavioral tasks
- behavioral1: Sample PLAY_M~1.exe, Resource win7-20240221-en
- behavioral2: Sample PLAY_M~1.exe, Resource win10v2004-20240412-en
- behavioral3: Sample PLAY_M~2.exe, Resource win7-20240221-en
- behavioral4: Sample PLAY_M~2.exe, Resource win10v2004-20240412-en
General
- Target: PLAY_M~1.exe
- Size: 108KB
- MD5: 98094ee7c276311c0e42343eb0490c2a
- SHA1: b7eda9913827d1a79904aeca8409004545a06cff
- SHA256: 6c08e8d6becf780b048cd4875ce7a97c91454d9f47c294a71c51dd820cd6c8ae
- SHA512: 30344279100a9957a1561cbe6d203a52cc0c463e191cb7ac9ad48ce210280d75c92a5d9a37be3fdbc45c44cc76c82410a869855e90e069f9befefc6c00afb002
- SSDEEP: 3072:dGi5y/OdKDgNZldeJ+c2k3GHDP2t5+aVeFIb:v5y/OdCqZP4BGjS+av
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Process: PLAY_M~1.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Process: PLAY_M~1.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4436 (PLAY_M~1.exe) wrote to the memory of PID 4304 (cmd.exe); the same source/target pair is recorded three times.
Processes
1. C:\Users\Admin\AppData\Local\Temp\PLAY_M~1.exe (PID 4436)
   Command line: "C:\Users\Admin\AppData\Local\Temp\PLAY_M~1.exe"
   - Checks computer location settings
   - Enumerates system info in registry
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (PID 4304, child of PID 4436)
      Command line: "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Acf..bat" > nul 2> nul
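The signatures and process tree above can be turned into a small detection pass. The following is an added example written for this report, not code from the sandbox or from the sample: it replays the report's own IoCs (the two registry queries by PID 4436 and its cmd.exe child, PID 4304) as constructed process-monitoring events, plus two benign noise events, and flags a process only when several weak indicators line up in it. The event dict field names (event, pid, ppid, image, key, cmdline) are an assumed schema, not any vendor's log format.

```python
"""Added example for this sandbox report (not the sandbox's or the sample's code):
score process-monitoring events against the report's behavioural indicators.

Events below are constructed by hand from the IoCs in the report; the field
names are an assumed schema, not a vendor log format.
"""
import re
from collections import defaultdict

# HKCU\Control Panel\International\Geo\Nation holds the configured country code;
# geofenced malware reads it to bail out in regions it wants to avoid.
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
# HKLM\HARDWARE\DESCRIPTION\System\Identifier is a cheap host/VM fingerprint.
HW_ID_RE = re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\Identifier$", re.IGNORECASE)
# cmd.exe /q /c "<user temp>\*.bat" > nul 2> nul: a dropped batch file run with
# echo off and every byte of output discarded.
SILENT_BAT_RE = re.compile(
    r'cmd\.exe"?\s+/q\s+/c\s+"[^"]*\\AppData\\Local\\Temp\\[^"]+\.bat"\s*>\s*nul(\s+2>\s*nul)?',
    re.IGNORECASE,
)

EVENTS = [  # constructed from the report's IoCs, plus two benign noise events
    {"event": "reg_query", "pid": 4436, "image": "PLAY_M~1.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"event": "reg_query", "pid": 4436, "image": "PLAY_M~1.exe",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier"},
    {"event": "process_create", "pid": 4304, "ppid": 4436,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /q /c '
                r'"C:\Users\Admin\AppData\Local\Temp\Acf..bat" > nul 2> nul'},
    {"event": "reg_query", "pid": 1234, "image": "explorer.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Classes"},
    {"event": "process_create", "pid": 5555, "ppid": 1234,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c dir'},
]


def score_events(events):
    """Map pid -> {"image": str, "hits": set of indicator names}.

    The silent-batch indicator is charged to the parent, i.e. the process that
    dropped the .bat and spawned cmd.exe, so the dropper carries the hit rather
    than the generic cmd.exe child.
    """
    findings = defaultdict(lambda: {"image": None, "hits": set()})
    images = {}
    for ev in events:
        images[ev["pid"]] = ev["image"]
        if ev["event"] == "reg_query":
            if GEO_KEY_RE.search(ev["key"]):
                findings[ev["pid"]]["hits"].add("geofence_registry_check")
            if HW_ID_RE.search(ev["key"]):
                findings[ev["pid"]]["hits"].add("system_info_registry")
        elif ev["event"] == "process_create":
            if SILENT_BAT_RE.search(ev["cmdline"]):
                findings[ev["ppid"]]["hits"].add("silent_batch_child")
    for pid, f in findings.items():
        f["image"] = images.get(pid)
    return dict(findings)


def suspicious_pids(findings, min_hits=2):
    """Processes with at least min_hits distinct indicators, most hits first.

    Any single indicator is common in benign software (locale lookups,
    installers running batch files); requiring several in one process is what
    keeps the rule quiet on a normal host.
    """
    ranked = sorted(findings.items(), key=lambda kv: (-len(kv[1]["hits"]), kv[0]))
    return [pid for pid, f in ranked if len(f["hits"]) >= min_hits]


if __name__ == "__main__":
    found = score_events(EVENTS)
    for pid in suspicious_pids(found):
        print(f"PID {pid} ({found[pid]['image']}): {sorted(found[pid]['hits'])}")
```

Two caveats worth keeping in mind when reading the report itself. The command line names C:\Windows\system32\cmd.exe but the image that ran is C:\Windows\SysWOW64\cmd.exe, which is WoW64 file-system redirection at work: the sample is a 32-bit process on the x64 VM, consistent with the 0x00400000 image base in the memory dumps. And three WriteProcessMemory calls from a parent into a child it has just created is also what CreateProcess itself produces while setting up the new process, so that signature alone is weak evidence of injection; it is the combination with the geofence lookup and the silent batch execution that makes PID 4436 interesting.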
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\Acf..bat
  Filesize: 162B
  MD5: ef2de85034184bf891954bab199a01b0
  SHA1: b6b641381028c2325e0aa664606db085742e5009
  SHA256: 0cf87dd0ea259774b343edbe7d832c35573215bba48814c3c466396923cc0d4c
  SHA512: e3a5fd1bf087eca69e70a2adcc43585ee2cb3972c274ac11e212e6be2fb55730c9a026f932501eae907b8f2a424c81c888df0fe5e6b4e94601ac1562fef9b3d6
- memory/4436-0-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/4436-1-0x00000000021E0000-0x00000000021E1000-memory.dmp
  Filesize: 4KB
- memory/4436-2-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/4436-3-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/4436-5-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB