0e26ca7fcb43d78a6ba26fd549b563620543e9812ec7f8d75fb187ee66d5b218

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e26ca7fcb43d78a6ba26fd549b563620543e9812ec7f8d75fb187ee66d5b218.exe
Size

85KB
MD5

12f3016d3e7a0fcc13e97a3521a0f8f0
SHA1

15e59e2a5c7c1dc53a516c2445866e6e3180b58c
SHA256

0e26ca7fcb43d78a6ba26fd549b563620543e9812ec7f8d75fb187ee66d5b218
SHA512

69f31f8b057c4774e85b786338e6ac5920225a78b00bf425459671025a3f2bbc069ee45be79bf9e41b00378c6b5bf27ddff96817bb93d197d7693a22bbaad8bc
SSDEEP

1536:D00URPnKfZrT2DawRR8JfP3JZB355B/CYTjipvF2a:D00URSfsGyREZB355BqYvQd2a

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0e26ca7fcb43d78a6ba26fd549b563620543e9812ec7f8d75fb187ee66d5b218.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0e26ca7fcb43d78a6ba26fd549b563620543e9812ec7f8d75fb187ee66d5b218.exe

Executes dropped EXE 1 IoCs

Processes:

odbc32.exe

pid process

1144 odbc32.exe

pid	process
1144	odbc32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

odbc32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Network Services = "\"C:\\Windows\\SysWOW64\\odbc32.exe\" /O0"	odbc32.exe

Drops file in System32 directory 1 IoCs

Processes:

0e26ca7fcb43d78a6ba26fd549b563620543e9812ec7f8d75fb187ee66d5b218.exe

description ioc process

File created C:\Windows\SysWOW64\odbc32.exe 0e26ca7fcb43d78a6ba26fd549b563620543e9812ec7f8d75fb187ee66d5b218.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\odbc32.exe	0e26ca7fcb43d78a6ba26fd549b563620543e9812ec7f8d75fb187ee66d5b218.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

0e26ca7fcb43d78a6ba26fd549b563620543e9812ec7f8d75fb187ee66d5b218.exe

description	pid	process	target process
PID 3424 wrote to memory of 1144	3424	0e26ca7fcb43d78a6ba26fd549b563620543e9812ec7f8d75fb187ee66d5b218.exe	odbc32.exe
PID 3424 wrote to memory of 1144	3424	0e26ca7fcb43d78a6ba26fd549b563620543e9812ec7f8d75fb187ee66d5b218.exe	odbc32.exe
PID 3424 wrote to memory of 1144	3424	0e26ca7fcb43d78a6ba26fd549b563620543e9812ec7f8d75fb187ee66d5b218.exe	odbc32.exe

C:\Users\Admin\AppData\Local\Temp\0e26ca7fcb43d78a6ba26fd549b563620543e9812ec7f8d75fb187ee66d5b218.exe
"C:\Users\Admin\AppData\Local\Temp\0e26ca7fcb43d78a6ba26fd549b563620543e9812ec7f8d75fb187ee66d5b218.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3424

C:\Windows\SysWOW64\odbc32.exe
"C:\Windows\system32\odbc32.exe" /O0
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\odbc32.exe

Filesize
85KB

MD5
9174707d7d05a44e55a52e8482aa4e36

SHA1
17c122e06cc304c41c3f818bbfab4d8cdf764bdd

SHA256
f85437f08aba07c6e9caad6798c8bbe60fc218a9d10d2f5bc97c16f6ddd58824

SHA512
6c9b0a28748ec6d5829a6e7efbf9b064af47b9236edf4a8977270ef09fb61db9bba9d0ac0ad5a40ef6938f3ded4742fadd02cffa5668d7b3d92278657d7081d0

Download Submit