Overview

overview

7

Static

static

3

947a92cc1e...6b.exe

windows7-x64

7

947a92cc1e...6b.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/05/2024, 23:58

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    947a92cc1edffd7462dc2cd99f51392a5e8122b372a65030bd57c33c06ff956b.exe

  • Size

    44KB

  • MD5

    038038ae7470c581cea31ceb9be0ebaf

  • SHA1

    3d0e0011cf238657e8b0681537ff59edc2ae6647

  • SHA256

    947a92cc1edffd7462dc2cd99f51392a5e8122b372a65030bd57c33c06ff956b

  • SHA512

    355d638ac0d4570dcdf26230ad2778ff8b095b384d846dfba03561f53295b0b647dafe17b167db48ef384e4c38308160527570a89542226ce8129e61533cf480

  • SSDEEP

    768:MlH9AdIGjGizA6PAEc9pvu9JwM/3ed/iTAi90G7nobXdv1Ez:MlH9cj9w7vu9JwI3eRiMiz7nobtvCz

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\947a92cc1edffd7462dc2cd99f51392a5e8122b372a65030bd57c33c06ff956b.exe
    "C:\Users\Admin\AppData\Local\Temp\947a92cc1edffd7462dc2cd99f51392a5e8122b372a65030bd57c33c06ff956b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:764
    • C:\Users\Admin\AppData\Roaming\SkipeTurns.exe
      "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4304
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CHWXU.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1192
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SkipeTurns" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe" /f
          4⤵
          • Adds Run key to start application
          PID:772

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\CHWXU.txt
          Filesize

          142B

          MD5

          7aab82a958be0bdc325ec075c874ca64

          SHA1

          f4ab3d6776f6ffc569a878a003df9a4f0a331eb6

          SHA256

          446e766a1c4c57cf38c3b70b1152a5c1216cc86388fefe5d7d39522458436144

          SHA512

          1737e41a539341737e4fc5c22f13c10b34e5054b2e1b44e604490c4faaf943442c596581fb28b0c967935cfd92c5fd4e7331fb72ae2d4f6ef1b8acc64b46f240

          Download Submit

        • C:\Users\Admin\AppData\Roaming\SkipeTurns.exe
          Filesize

          44KB

          MD5

          56c77761d0cf4f2969bd812cf05eebdb

          SHA1

          07bcea7cdc5c2a2a4c787e00431453b3dd66ea9e

          SHA256

          d7eb3bcc95400ba4a7b4a6949e744f60730a79f1aa2e900f3a5aa844d5699910

          SHA512

          45e91359ac5d19290d7b86774d5fe8a2fb2028a030cfb6db91c27aa9ecff0d810809c27546549038e5acbcfbc79cb1faa82829d0f6a7d8189b2f711032445c5b

          Download Submit

        • memory/764-0-0x0000000000400000-0x000000000040C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/4304-15-0x0000000000400000-0x000000000040C000-memory.dmp

          Filesize

          48KB

          Download