Analysis
- max time kernel: 148s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 18:13
Static task: static1
Behavioral task: behavioral1
- Sample: 03d36b44c351bb98f22012c59a318d536e2ee638d760d3fb91c1afbdfab83f84.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 03d36b44c351bb98f22012c59a318d536e2ee638d760d3fb91c1afbdfab83f84.exe
- Resource: win10v2004-20240426-en
General
- Target: 03d36b44c351bb98f22012c59a318d536e2ee638d760d3fb91c1afbdfab83f84.exe
- Size: 94KB
- MD5: 35ac6eed58d341bacd36487d4c83f3fe
- SHA1: b219ab41ca935c98496f694d5bb8bf3a5c79e0e9
- SHA256: 03d36b44c351bb98f22012c59a318d536e2ee638d760d3fb91c1afbdfab83f84
- SHA512: cba6bc2bc9e062fd68cc408b03da0dde9f94cb2f8a1ae69e14c5215e244d8ebdadd15e0cad5461bbccb3e19233682104cb8bee05f6061ca627cb3bc3c38af54b
- SSDEEP: 1536:PGYU/W2/HG6QMauSV3ixJHABLrmhH7i9CO+WHg7zRZICrWaGZh7uje:PfU/WF6QMauSuiWNi9CO+WARJrWNZye
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 03d36b44c351bb98f22012c59a318d536e2ee638d760d3fb91c1afbdfab83f84.exe
- description: Key value queried
- ioc: \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation
- process: 03d36b44c351bb98f22012c59a318d536e2ee638d760d3fb91c1afbdfab83f84.exe

Executes dropped EXE (1 IoC)
Processes: wuauclt.exe
- pid: 2496
- process: wuauclt.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 03d36b44c351bb98f22012c59a318d536e2ee638d760d3fb91c1afbdfab83f84.exe
- description: Set value (str)
- ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\wuauclt.exe\" /run"
- process: 03d36b44c351bb98f22012c59a318d536e2ee638d760d3fb91c1afbdfab83f84.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 03d36b44c351bb98f22012c59a318d536e2ee638d760d3fb91c1afbdfab83f84.exe
description | pid | process | target process
PID 2680 wrote to memory of 2496 | 2680 | 03d36b44c351bb98f22012c59a318d536e2ee638d760d3fb91c1afbdfab83f84.exe | wuauclt.exe
PID 2680 wrote to memory of 2496 | 2680 | 03d36b44c351bb98f22012c59a318d536e2ee638d760d3fb91c1afbdfab83f84.exe | wuauclt.exe
PID 2680 wrote to memory of 2496 | 2680 | 03d36b44c351bb98f22012c59a318d536e2ee638d760d3fb91c1afbdfab83f84.exe | wuauclt.exe
PID 2680 wrote to memory of 1996 | 2680 | 03d36b44c351bb98f22012c59a318d536e2ee638d760d3fb91c1afbdfab83f84.exe | cmd.exe
PID 2680 wrote to memory of 1996 | 2680 | 03d36b44c351bb98f22012c59a318d536e2ee638d760d3fb91c1afbdfab83f84.exe | cmd.exe
PID 2680 wrote to memory of 1996 | 2680 | 03d36b44c351bb98f22012c59a318d536e2ee638d760d3fb91c1afbdfab83f84.exe | cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\03d36b44c351bb98f22012c59a318d536e2ee638d760d3fb91c1afbdfab83f84.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\03d36b44c351bb98f22012c59a318d536e2ee638d760d3fb91c1afbdfab83f84.exe"
  PID: 2680
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\Update\wuauclt.exe
    Command line: "C:\ProgramData\Update\wuauclt.exe" /run
    PID: 2496
    - Executes dropped EXE
  - C:\windows\SysWOW64\cmd.exe
    Command line: "C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\03d36b44c351bb98f22012c59a318d536e2ee638d760d3fb91c1afbdfab83f84.exe" >> NUL
    PID: 1996
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\ProgramData\Update\wuauclt.exe
  - Filesize: 94KB
  - MD5: 1d02343fbe046edd43f21541d46c0a87
  - SHA1: 1bf83c6bea92f1d436aa39f683dfb450e0621759
  - SHA256: eeb21040fe3487ab6e8db9058ce06348440248d493884a157e461ae1e09e91b7
  - SHA512: 3c4067e2409e071cd2a6326a6ace3196c2fb23148c4baba21f4c355bf313ff2fc6ac38c7fcb8614bcb5a1828b1f80bbc43fcd6b27ab726e4b62b1470ad0a6ad2