Analysis

  • max time kernel
    150s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240426-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    26/05/2024, 03:20

General

  • Target

    d27f28076e97c63401e3397c8e2a7d945da13f2292da9a6c214b6a39dc432e6c.exe

  • Size

    311KB

  • MD5

    44508d7d25e5a3d394ad7199cb35a6af

  • SHA1

    65e5c84c4b3ceef9a27a1dc2358c1d2726b335c2

  • SHA256

    d27f28076e97c63401e3397c8e2a7d945da13f2292da9a6c214b6a39dc432e6c

  • SHA512

    2d3f785980de8273dac3d66bd379a52b2dc9aeab358063be90db1cc3eacbaeaaf1a024ef108e0797a43b92ed6ffdf7a8f0a8af8315dafa1f90f471a155200e6b

  • SSDEEP

    6144:uY7BO63UKCweQ7Ovc93dRBsIpJwK8aWlIeD4d2WYcSA2MuLH1bJp:D7mECN3A2T5X

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely used as a geofence check.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 53 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
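The signatures above describe host-side artefacts a responder can look for directly: a persisted copy of the sample (the report's Downloads section shows it written to C:\Users\Admin\modey.exe with a different hash from the parent), Run-key persistence, and a change to how Explorer displays hidden/system files. The script below is an added triage example, not part of the sandbox report or of the sample. The registry locations are assumed to be the standard ones for these behaviours; the report does not list which keys the sample actually wrote. The dropped path is taken from the report with the sandbox's Admin profile replaced by the current user's profile.

```powershell
# Added host-triage check for the artefacts named in the report's signatures.
# Registry paths are assumptions (the report does not list the exact keys).

# Report shows the dropped copy at C:\Users\Admin\modey.exe; "Admin" is the
# sandbox profile, so the current user's profile is substituted here.
$DroppedPath   = Join-Path $env:USERPROFILE 'modey.exe'
$DroppedSha256 = '9843b5a11f029ce9e51436ecac7424e27cfde20d17bfab9dbea5a2d6fda04bbd'

function Test-DroppedFile {
    $present = Test-Path -LiteralPath $DroppedPath
    $match   = $false
    if ($present) {
        $h     = (Get-FileHash -LiteralPath $DroppedPath -Algorithm SHA256).Hash.ToLower()
        $match = ($h -eq $DroppedSha256)
    }
    [pscustomobject]@{ Path = $DroppedPath; Present = $present; Sha256Match = $match }
}

function Get-RunKeyEntries {
    # Assumed persistence locations; Run and RunOnce in both hives.
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    # Provider metadata properties that Get-ItemProperty adds; filtered by exact
    # name so a value named e.g. "PSUpdate" is not silently skipped.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $meta) { continue }
            [pscustomobject]@{
                Key        = $k
                Name       = $p.Name
                Value      = $p.Value
                Suspicious = ($p.Value -like '*modey.exe*')
            }
        }
    }
}

function Get-ExplorerHiddenSettings {
    # Assumed key: Explorer's "show hidden files" (Hidden) and "show protected
    # operating system files" (ShowSuperHidden) toggles live here for the user.
    $k = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    if (Test-Path $k) {
        Get-ItemProperty -Path $k | Select-Object Hidden, ShowSuperHidden
    }
}

Test-DroppedFile
Get-RunKeyEntries | Format-Table -AutoSize
Get-ExplorerHiddenSettings
```

Run it in an elevated session so the HKLM Run keys are readable. A hit on the Run key check without a matching file on disk still matters: the value name and path tell you where to look next, and a hash mismatch on a present modey.exe means a different build than the one the sandbox saw.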

Processes

  • C:\Users\Admin\AppData\Local\Temp\d27f28076e97c63401e3397c8e2a7d945da13f2292da9a6c214b6a39dc432e6c.exe
    "C:\Users\Admin\AppData\Local\Temp\d27f28076e97c63401e3397c8e2a7d945da13f2292da9a6c214b6a39dc432e6c.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1320
    • C:\Users\Admin\modey.exe
      "C:\Users\Admin\modey.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:376

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\modey.exe

    Filesize

    311KB

    MD5

    616ef5b8c2f8b6f1a82cfa4918ff944f

    SHA1

    36069b316bc93e3c5f7da10cc1c9d2fde1b2625c

    SHA256

    9843b5a11f029ce9e51436ecac7424e27cfde20d17bfab9dbea5a2d6fda04bbd

    SHA512

    5d759256f1764a7bda61e5382d965afea66648a267b92f21c084d46ebe8e96bd108e41f264fa7a4ffb743a43b52de47234f44947d74d406f1b1019b6959fea3f
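The submitted sample and the dropped modey.exe are both 311KB but hash differently, so a hash-based IoC for the parent alone would miss the persisted copy. The script below is an added example, not part of the sandbox report: it carries both hash sets from the report, validates that each digest is well-formed for its algorithm, and matches file contents against every recorded digest at once, so a single mistyped IoC cannot produce a false positive. The directory scan at the bottom and its argument handling are the example's own additions.

```python
"""IoC hash matcher built from the report's hash table (added example, not sandbox output)."""
import hashlib
import sys
from pathlib import Path

# Digests copied verbatim from the report. The two files share a size but not
# a single hash, so each gets its own entry.
IOCS = {
    "submitted sample": {
        "md5": "44508d7d25e5a3d394ad7199cb35a6af",
        "sha1": "65e5c84c4b3ceef9a27a1dc2358c1d2726b335c2",
        "sha256": "d27f28076e97c63401e3397c8e2a7d945da13f2292da9a6c214b6a39dc432e6c",
        "sha512": "2d3f785980de8273dac3d66bd379a52b2dc9aeab358063be90db1cc3eacbaeaaf1a024ef108e0797a43b92ed6ffdf7a8f0a8af8315dafa1f90f471a155200e6b",
    },
    "dropped modey.exe": {
        "md5": "616ef5b8c2f8b6f1a82cfa4918ff944f",
        "sha1": "36069b316bc93e3c5f7da10cc1c9d2fde1b2625c",
        "sha256": "9843b5a11f029ce9e51436ecac7424e27cfde20d17bfab9dbea5a2d6fda04bbd",
        "sha512": "5d759256f1764a7bda61e5382d965afea66648a267b92f21c084d46ebe8e96bd108e41f264fa7a4ffb743a43b52de47234f44947d74d406f1b1019b6959fea3f",
    },
}

# Expected hex-digest length per algorithm; used to catch truncated or
# mistyped IoCs before they are ever compared against a file.
HEX_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
HEX_CHARS = set("0123456789abcdef")


def validate_iocs(iocs=IOCS) -> list:
    """Return a list of problems found in the IoC table; empty means all well-formed."""
    problems = []
    for label, hashes in iocs.items():
        for alg, digest in hashes.items():
            if alg not in HEX_LENGTHS:
                problems.append(f"{label}: unknown algorithm {alg}")
                continue
            d = digest.lower()
            if len(d) != HEX_LENGTHS[alg] or not set(d) <= HEX_CHARS:
                problems.append(f"{label}: malformed {alg} digest")
    return problems


def hash_bytes(data: bytes) -> dict:
    """Compute every digest the IoC table can reference, keyed by algorithm name."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in HEX_LENGTHS}


def match_iocs(data: bytes, iocs=IOCS) -> list:
    """Labels of entries whose every recorded digest agrees with the data.

    Requiring all digests to agree means one wrong IoC cannot yield a match by itself.
    """
    observed = hash_bytes(data)
    return [
        label
        for label, expected in iocs.items()
        if all(observed.get(alg) == digest.lower() for alg, digest in expected.items())
    ]


def scan_tree(root: Path, iocs=IOCS) -> dict:
    """Map each matching file path under root to the IoC labels it hit."""
    results = {}
    for p in root.rglob("*"):
        if p.is_file():
            hits = match_iocs(p.read_bytes(), iocs)
            if hits:
                results[str(p)] = hits
    return results


if __name__ == "__main__":
    problems = validate_iocs()
    if problems:
        sys.exit("bad IoC table: " + "; ".join(problems))
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for path, labels in scan_tree(root).items():
        print(f"{path}: {', '.join(labels)}")
```

Point it at a user profile (`python iocs.py C:\Users`) to look for the dropped copy; the report's path was C:\Users\Admin\modey.exe, but the file name alone is a weak indicator, so the scan matches on content rather than name.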