Overview

overview

10

Static

static

3

4ef6108f32...6f.exe

windows7-x64

10

4ef6108f32...6f.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 21:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4ef6108f321f76f193c7baf20bc796bfc390e366ac0d4b970d1058200e09a56f.exe

  • Size

    4.8MB

  • MD5

    c0329c0e18c26522384226fa29286299

  • SHA1

    122695ef8988a5d82bc40e38d5589192fa86e27e

  • SHA256

    4ef6108f321f76f193c7baf20bc796bfc390e366ac0d4b970d1058200e09a56f

  • SHA512

    40c7ca5047caa00df0c4d5003ab306cc9027819722c400570cece03c16a5ae4dd0d0d2c02edb6f195513a25a64fa58cee76b41e057638a5d1ea8b3da59f764ca

  • SSDEEP

    98304:i1CnMSXP+zIUs8SoxxlFvITIkz5hcT/96nKJtKIwQPoE9:2YH/+zFGoL/ahyVJXwQAW

Score
7/10
upx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 18 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ef6108f321f76f193c7baf20bc796bfc390e366ac0d4b970d1058200e09a56f.exe
    "C:\Users\Admin\AppData\Local\Temp\4ef6108f321f76f193c7baf20bc796bfc390e366ac0d4b970d1058200e09a56f.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:880
    • C:\Program Files\@t.exe
      "C:\Program Files\@t.exe"
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4388
    • C:\Program Files\1.exe
      "C:\Program Files\1.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      PID:2428

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\1.exe
    Filesize

    4.2MB

    MD5

    6cbacbdb55d4593a15f535ee3216bd5f

    SHA1

    3c9993aa5f35021988b0eb5cc45b2be7add73f87

    SHA256

    d5bcb75b44c43546653fa68bbcb8bb43815046f9f4a7e542d0e5d4f2bafe648f

    SHA512

    5ce36661b6d72b92e240df0a796e91d34385d94c5642e69180df6ef0599ee09931549e22d43ddf07dbdbe61dc5dc61ecac28de2f952e97488413ce91246dc376

    Download Submit

  • C:\Program Files\@t.exe
    Filesize

    5.9MB

    MD5

    d46b51a17ba5f6156d8be6b4333b5bbc

    SHA1

    7930ef98c114a04f66813fc4e54e75950ebc080f

    SHA256

    81c65a2dae639865de22c7f8baffd939bcebc1c19fe17d6409c9165dd6bf7de9

    SHA512

    8a0932a3f7c57e42f425b736afe5d9957fa2c347de5d897a7eca89ec7cb219c6aea44f018b6200b5184929b7f28c9a4023ac8d3f82609aed89aba0cf87746508

    Download Submit

  • memory/2428-24-0x0000000000D60000-0x000000000119A000-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/2428-25-0x00007FF8F4050000-0x00007FF8F4072000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2428-32-0x0000000003250000-0x000000000326A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4388-34-0x0000000180000000-0x0000000180218000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/4388-35-0x0000000180000000-0x0000000180218000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/4388-33-0x0000000180000000-0x0000000180218000-memory.dmp

    Filesize

    2.1MB

    Download