Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
25-04-2024 04:24
General
-
Target
6c4d1e32647f1d4d0278ceb4ab0c9a3096e1266bd709bd97bcbb3ae836e3bdd1.exe
-
Size
780KB
-
MD5
35e232756bc4d30fd77cab54e27ab8c2
-
SHA1
55d49ace6a2e6bcb41d68b8030e26fa9673e54d5
-
SHA256
6c4d1e32647f1d4d0278ceb4ab0c9a3096e1266bd709bd97bcbb3ae836e3bdd1
-
SHA512
965b51aa1dcaac9aa75ced89419a79d47495d285d5561df4d6605e81cbe410086beff91aee94116428e4eb4f42fad2608c101987e2a3f8e426efdbbb348f8c88
-
SSDEEP
12288:MOqhqlAEH2QBblNWl5VaFgt6O+q90kdX7ThOH:1qwlAEWQJ3I52g6lq9DdX71OH
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6c4d1e32647f1d4d0278ceb4ab0c9a3096e1266bd709bd97bcbb3ae836e3bdd1.exe"C:\Users\Admin\AppData\Local\Temp\6c4d1e32647f1d4d0278ceb4ab0c9a3096e1266bd709bd97bcbb3ae836e3bdd1.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\6c4d1e32647f1d4d0278ceb4ab0c9a3096e1266bd709bd97bcbb3ae836e3bdd1mgr.exeC:\Users\Admin\AppData\Local\Temp\6c4d1e32647f1d4d0278ceb4ab0c9a3096e1266bd709bd97bcbb3ae836e3bdd1mgr.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 2643⤵
- Program crash
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://121.204.253.47:88/xx/2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4908 CREDAT:17410 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4160 -ip 41601⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
105KB
MD5dfb5daabb95dcfad1a5faf9ab1437076
SHA14a199569a9b52911bee7fb19ab80570cc5ff9ed1
SHA25654282ec29d4993ed6e9972122cfbb70bba4898a21d527bd9e72a166d7ec2fdc0
SHA5125d31c34403ab5f8db4a6d84f2b5579d4ea18673914b626d78e458a648ac20ddd8e342818e807331036d7bb064f596a02b9737acac42fbead29260343a30717e8
-
Filesize
364KB
-
Filesize
4KB
-
Filesize
364KB
-
Filesize
880KB
-
Filesize
880KB