Overview

overview

10

Static

static

3

cd92a293cb...51.exe

windows7-x64

10

cd92a293cb...51.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 03:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cd92a293cbae54cbbf646d747d70905cc9e4d60dc42ee40d3044c138012df451.exe

  • Size

    120KB

  • MD5

    89e6e948d69c3bb0ec0e3711cae65952

  • SHA1

    ddeaa13e7d941447a9debb4b8e5f040778d92b15

  • SHA256

    cd92a293cbae54cbbf646d747d70905cc9e4d60dc42ee40d3044c138012df451

  • SHA512

    3c8ab0366c59c2b4904b45e857b14232ac0855b2864bccf2cfbc1cbfbab53d5957e8c401fae0b391159ab36ed09e03d8ec431f19530f377f71c5ac0bf71e2d38

  • SSDEEP

    3072:xGpbUpd1/l0izZF6yCenK2iGlefx8X1/:xGp+1pzZF44K3AAKX1

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 51 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cd92a293cbae54cbbf646d747d70905cc9e4d60dc42ee40d3044c138012df451.exe
    "C:\Users\Admin\AppData\Local\Temp\cd92a293cbae54cbbf646d747d70905cc9e4d60dc42ee40d3044c138012df451.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4972
    • C:\Users\Admin\piateaq.exe
      "C:\Users\Admin\piateaq.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4388

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\piateaq.exe
    Filesize

    120KB

    MD5

    f949f729c26efe277e36d2cf782d5523

    SHA1

    6a7a56651a5658aed35ceb7522a445a665e9b76f

    SHA256

    c0bf45911e5b0cb724737dc072af89bef9ca03a5d5a9b158117426956ed7d4fe

    SHA512

    749db93cf26ac14ed1674844affdf85ba748f9a1288350859df6f98f7fb7584066d8ef185b04b09e2b3bdd0016e194069d5f018a56173732fd61512908ee8aa9

    Download Submit