07e9a7732890cf06e479fee41218eefe404eff1bb29f888d9384752ec8d51e6c

Analysis

max time kernel
149s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07e9a7732890cf06e479fee41218eefe404eff1bb29f888d9384752ec8d51e6c.exe
Size

1.5MB
MD5

18f4a01dc6640db5daacf4c675f2cee9
SHA1

cc816c7f032c1cfb28b57c24b7afdd7a5534b59a
SHA256

07e9a7732890cf06e479fee41218eefe404eff1bb29f888d9384752ec8d51e6c
SHA512

e9877dfe3b213f65b69008e4022e118521da91f3c43f037d1636465603b42f797f393c4c7f6624d664e3acf364f53c56706edae3591c8b8e2a62e0ecb461a179
SSDEEP

24576:nQM01OCFdVxszHq+ccHLes6Lypkh3nQTmRgxrI7oZBzI4rEnD:QHpV6rxqm84mRgpsoZB4

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

07e9a7732890cf06e479fee41218eefe404eff1bb29f888d9384752ec8d51e6c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	07e9a7732890cf06e479fee41218eefe404eff1bb29f888d9384752ec8d51e6c.exe

Executes dropped EXE 1 IoCs

Processes:

TailoredDeploy.exe

pid process

3160 TailoredDeploy.exe
Loads dropped DLL 1 IoCs

Processes:

TailoredDeploy.exe

pid process

3160 TailoredDeploy.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

TailoredDeploy.exe

pid process

3160 TailoredDeploy.exe
3160 TailoredDeploy.exe
3160 TailoredDeploy.exe
3160 TailoredDeploy.exe

pid	process
3160	TailoredDeploy.exe

pid	process
3160	TailoredDeploy.exe

pid	process
3160	TailoredDeploy.exe
3160	TailoredDeploy.exe
3160	TailoredDeploy.exe
3160	TailoredDeploy.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

07e9a7732890cf06e479fee41218eefe404eff1bb29f888d9384752ec8d51e6c.exe

pid	process
4000	07e9a7732890cf06e479fee41218eefe404eff1bb29f888d9384752ec8d51e6c.exe
4000	07e9a7732890cf06e479fee41218eefe404eff1bb29f888d9384752ec8d51e6c.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

07e9a7732890cf06e479fee41218eefe404eff1bb29f888d9384752ec8d51e6c.exe

description	pid	process	target process
PID 4000 wrote to memory of 3160	4000	07e9a7732890cf06e479fee41218eefe404eff1bb29f888d9384752ec8d51e6c.exe	TailoredDeploy.exe
PID 4000 wrote to memory of 3160	4000	07e9a7732890cf06e479fee41218eefe404eff1bb29f888d9384752ec8d51e6c.exe	TailoredDeploy.exe

C:\Users\Admin\AppData\Local\Temp\07e9a7732890cf06e479fee41218eefe404eff1bb29f888d9384752ec8d51e6c.exe
"C:\Users\Admin\AppData\Local\Temp\07e9a7732890cf06e479fee41218eefe404eff1bb29f888d9384752ec8d51e6c.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4000

C:\ProgramData\spptools\TailoredDeploy.exe
"C:\ProgramData\spptools\TailoredDeploy.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\spptools\CoreCLR.dll

Filesize
535KB

MD5
29eff7c30e343de87e083a2477423989

SHA1
53c33460cd38e97d45e72696bd838a50b477e1cc

SHA256
0032bbdeae5aeda5573bbc713d977667c4c85de9d01b2ae157d840e925878e6d

SHA512
192111d48712cc9899bf521b50b6e21c16ebc16518703b5604152c83e7296a243bba9dc5677f4b934c32e2e7b27ceb0c00d0a46fa76d4aaf9e24bf04bdbda378

Download Submit
C:\ProgramData\spptools\TailoredDeploy.exe

Filesize
344KB

MD5
83c5a1d9ef909dbcf4b00224c4163616

SHA1
24897b939bcd2981c705001683a0bc846ceb0de7

SHA256
09d69306c8689f9d47a20b881b441b6e207b897aa6e79888c608aec9181137a8

SHA512
a807c8c2b5c41d5c1a04d9f93e8a83f77e7b17646d0a309ad639c4513a573034a9cfac7613de98646666f02430d951179f22bfd764fd52d0dd22b0700f66d2a9

Download Submit
C:\ProgramData\spptools\smcache.dat

Filesize
1KB

MD5
1deb6d5a65e00a9b54dae914038d8f47

SHA1
da4f9dbcefee339cde27b2460d066c96fd27acda

SHA256
087be8739ef0eb801b56c0c8f80ddb81503d0569290955a84631ee9f2f72dec5

SHA512
382f1ebb696e394478fa962c4f0e1a0f6c96b7ea3498d52b48365aa74b8c5ec35d783a4080d83c4eb566aec89ae2d8f09829cdd9a6cf4766f7a519ab7f0d2717

Download Submit
memory/3160-25-0x0000000180000000-0x000000018009B000-memory.dmp

Filesize
620KB

Download
memory/3160-36-0x000002706A610000-0x000002706A6A8000-memory.dmp

Filesize
608KB

Download
memory/3160-35-0x00007FFD69F70000-0x00007FFD69F71000-memory.dmp

Filesize
4KB

Download
memory/3160-43-0x00007FFD6C2A0000-0x00007FFD6C2A1000-memory.dmp

Filesize
4KB

Download
memory/3160-44-0x000002706A270000-0x000002706A2F3000-memory.dmp

Filesize
524KB

Download