Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-05-2024 18:25
Static task: static1
Behavioral task: behavioral1
  Sample: 095a509859a5993c024a038862ad080794de40d3f91347db6a0264f7f8709c07.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 095a509859a5993c024a038862ad080794de40d3f91347db6a0264f7f8709c07.exe
  Resource: win10v2004-20240508-en
General
- Target: 095a509859a5993c024a038862ad080794de40d3f91347db6a0264f7f8709c07.exe
- Size: 53KB
- MD5: 18cc8fbfa8cd10d3e45829ea16cb4a3c
- SHA1: bc67a5229f09a0c797f9969dee86451b96b91f63
- SHA256: 095a509859a5993c024a038862ad080794de40d3f91347db6a0264f7f8709c07
- SHA512: 347a987c127e04ce6676f96cdea96300149d6c4b20d3a6bfe46ea00abf655ad8c6f27c225d123e36f88f0f2f521af0bcdcef323c9744a7f7db0438b36858b541
- SSDEEP: 1536:vNzg8r8QU+tvk7Kp3StjEMjmLM3ztDJWZsXy4JzxPMU:O+tMJJjmLM3zRJWZsXy4J9
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Set value (int): \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: pofet.exe)
  ShowSuperHidden = 0 keeps files carrying the hidden+system attributes out of Explorer listings. It is also the Windows default, so the value on its own is a weak indicator; the relevant point is that the dropped process writes it explicitly.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation (process: 095a509859a5993c024a038862ad080794de40d3f91347db6a0264f7f8709c07.exe)
- Executes dropped EXE (1 IoC)
  pid 2552, process pofet.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pofet = "C:\\Users\\Admin\\pofet.exe" (process: pofet.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  All 64 events come from pid 2552, process pofet.exe.
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 5016, process 095a509859a5993c024a038862ad080794de40d3f91347db6a0264f7f8709c07.exe
  pid 2552, process pofet.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | process | procid_target | events
  PID 5016 wrote to memory of 2552 | 5016 | 095a509859a5993c024a038862ad080794de40d3f91347db6a0264f7f8709c07.exe | 86 | 3
  PID 2552 wrote to memory of 5016 | 2552 | pofet.exe | 81 | 61
  procid_target is the report's internal process index, not an OS PID (the OS PID is in the description). The direction is worth noting: after the first three writes from the parent into the newly created child, every remaining event is the dropped child pofet.exe writing back into its parent.
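The Run-key persistence, the ShowSuperHidden write and the dropped pofet.exe listed above are all checkable on a live host. The PowerShell triage script below is an added example, not part of the sandbox report or of the sample; it assumes the value name, drop path and SHA256 hashes shown in this report (including the dropped file's hash from the Downloads section), checks every loaded user hive under HKEY_USERS rather than only the SID seen in the sandbox, and records ShowSuperHidden = 0 as context only because that is also the Windows default.

```powershell
# Added triage example, not part of the sandbox report. Assumptions: the value name "pofet",
# the path <profile>\pofet.exe and the hashes below are taken from the report; every loaded
# user hive (HKU\S-1-5-21-*) and every profile under C:\Users is checked.
$KnownSha256 = @(
    '095a509859a5993c024a038862ad080794de40d3f91347db6a0264f7f8709c07'  # submitted sample
    '2cb20236cf8c27a5f5446a243fefd54b4d8a5f86f8151d1198c6e0c8e5e1a330'  # dropped file listed under Downloads
)
$findings = New-Object System.Collections.Generic.List[object]

# Persistence and Explorer settings live under each user's hive (HKU\<SID>), not under HKLM.
$userHives = Get-ChildItem -Path Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }

foreach ($hive in $userHives) {
    $base = "Registry::$($hive.Name)\SOFTWARE\Microsoft\Windows\CurrentVersion"

    # 1. Run-key value "pofet" (the report shows it pointing at C:\Users\Admin\pofet.exe).
    $run = Get-ItemProperty -Path "$base\Run" -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['pofet']) {
        $findings.Add([pscustomobject]@{
            Scope = $hive.PSChildName; Indicator = 'Run\pofet'; Value = $run.pofet; Weight = 'strong'
        })
    }

    # 2. ShowSuperHidden = 0 hides files with the hidden+system attributes. It is also the
    #    Windows default, so on its own it is weak evidence; record it as context only.
    $adv = Get-ItemProperty -Path "$base\Explorer\Advanced" -Name ShowSuperHidden -ErrorAction SilentlyContinue
    if ($adv -and $adv.ShowSuperHidden -eq 0) {
        $findings.Add([pscustomobject]@{
            Scope = $hive.PSChildName; Indicator = 'Explorer\Advanced\ShowSuperHidden'; Value = 0; Weight = 'context'
        })
    }
}

# 3. The dropped copy sits in the profile root, so look in every profile and compare hashes.
#    -Force is required because a hidden+system file would otherwise be skipped.
foreach ($profile in Get-ChildItem -Path 'C:\Users' -Directory -Force) {
    $candidate = Join-Path -Path $profile.FullName -ChildPath 'pofet.exe'
    $file = Get-Item -Path $candidate -Force -ErrorAction SilentlyContinue
    if ($null -eq $file) { continue }
    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash.ToLower()
    $weight = if ($KnownSha256 -contains $hash) { 'strong' } else { 'review' }
    $findings.Add([pscustomobject]@{
        Scope = $profile.Name; Indicator = 'pofet.exe'
        Value = "$hash attrs=$($file.Attributes)"; Weight = $weight
    })
}

if ($findings.Count -eq 0) { 'No pofet artefacts found.' } else { $findings | Format-Table -AutoSize }
```

Run it from an elevated prompt so other users' profiles are readable. Only hives of logged-on users are loaded under HKEY_USERS; a sweep of logged-off accounts would additionally have to load each profile's NTUSER.DAT, which this script does not do. A pofet.exe whose hash is not in the list is reported with Weight "review" rather than dismissed, since the dropped file already differs from the submitted sample despite having the same size.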
Processes
1. C:\Users\Admin\AppData\Local\Temp\095a509859a5993c024a038862ad080794de40d3f91347db6a0264f7f8709c07.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\095a509859a5993c024a038862ad080794de40d3f91347db6a0264f7f8709c07.exe"
   PID: 5016
   - Checks computer location settings
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\pofet.exe (child of PID 5016)
      Command line: "C:\Users\Admin\pofet.exe"
      PID: 2552
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 53KB (same size as the submitted sample, but every hash differs)
- MD5: 21cfe270caadc6d8787a411a3bc9b6b1
- SHA1: 8f9990453919dd3da5ab0be3130130f832a9c8c7
- SHA256: 2cb20236cf8c27a5f5446a243fefd54b4d8a5f86f8151d1198c6e0c8e5e1a330
- SHA512: ee9c8b7c6dca7db55cd4cf100ea96891eec1d065a9497f94030276f246e50c38475b33a22afe68bbdb21c13ef9bc5d1fc292127206f6647bfff30132a978292d