Analysis

  • max time kernel
    129s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/05/2024, 09:20

General

  • Target

    $WINDIR/SVCPACK/XPLODE.exe

  • Size

    371KB

  • MD5

    8a6383ae6cd83a17049c1d921ea552bb

  • SHA1

    6c7412ae972490bbac70720165be642670dcf3d7

  • SHA256

    df1d9b5af884b44a3e525131a3da01f757afda43322c1e2b96158d575e62233f

  • SHA512

    5c587f1c71e4263fd4c6188e13b2196820a306dd2ecce858725476127f89569f36d17b6097f5063e3b8642838a9b9cbabe2bdb8fdde0722bdae756b0d928033f

  • SSDEEP

    6144:BW8OwKNksCpmVEqxshkP5b+kyp1IqSKcNXgZy6Fh1k:B5Ow0CpmVEqukP5b+HLMgZyok

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\XPLODE.exe
    "C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\XPLODE.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4412
    • C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\CLEAN.EXE
      "C:\Users\Admin\AppData\Local\Temp\$WINDIR\SVCPACK\CLEAN.EXE" /S
      2⤵
      • Drops file in System32 directory
      PID:4392

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/4412-0-0x0000000000770000-0x0000000000784000-memory.dmp

          Filesize

          80KB