Analysis

  • max time kernel
    144s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-06-2024 04:01

General

  • Target

    daca4dfea716ff4d698330910a45df0cb0697c7910f0197a3be30797014b5dae.exe

  • Size

    84KB

  • MD5

    b61574b6846ed7c7892b0f8a9a07bf79

  • SHA1

    71f5eca7dce975125047a5b1ce871225ace79048

  • SHA256

    daca4dfea716ff4d698330910a45df0cb0697c7910f0197a3be30797014b5dae

  • SHA512

    5e5758bed93ef3f393c6af9ce006439773f3fc3ef1c05f6df9dc9bb475ae32d2d733d3b5d69d799286cdaca17d37572d097ddb8f36a46bf890d300e56fa64463

  • SSDEEP

    1536:yr3Z5IfQmv81a7pP1xF3yX2tM/jTEwwwEiiiixM1:WJOfQm01q9X3yX2q/jTJ1

Score
9/10

Malware Config

Signatures

  • Detects Windows executables referencing non-Windows User-Agents 4 IoCs
  • UPX dump on OEP (original entry point) 4 IoCs
  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\daca4dfea716ff4d698330910a45df0cb0697c7910f0197a3be30797014b5dae.exe
    "C:\Users\Admin\AppData\Local\Temp\daca4dfea716ff4d698330910a45df0cb0697c7910f0197a3be30797014b5dae.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:800
    • C:\Windows\SysWOW64\attrib.exe
      attrib +a +s +h +r C:\Windows\Debug\egkhost.exe
      2⤵
      • Sets file to hidden
      • Drops file in Windows directory
      • Views/modifies file attributes
      PID:5088
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\DACA4D~1.EXE > nul
      2⤵
        PID:5068
    • C:\Windows\Debug\egkhost.exe
      C:\Windows\Debug\egkhost.exe
      1⤵
      • Executes dropped EXE
      PID:1364

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Debug\egkhost.exe

      Filesize

      84KB

      MD5

      7cfc923037eb277c91f139e3f2540c99

      SHA1

      6837710d5ae670183571ad9b75c71565e7811f3d

      SHA256

      992b723ade16bab81e8fa91ea7355594526f4c64fa90db254d653e61e55f987b

      SHA512

      1164e33db39c94fdf399d27aa8e8f34189e21af4129eb222eca2e72710d7a5324cc82052f7db6e76c77b9c9aa2e67b974edd29141a43c74a059909c15f36addc

    • memory/800-0-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

    • memory/800-5-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

    • memory/1364-6-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB