Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-06-2024 05:38

General

  • Target

    fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe

  • Size

    40KB

  • MD5

    0fcd032837b2c2bad9df78bb8f1b11b9

  • SHA1

    4e6b7b19cdc2cd65e98c4016de63ebc3f865a5db

  • SHA256

    fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c

  • SHA512

    ed26a02ed5995f9b9e83063b36056ae89d47f0c4f991821e2d8899f294b391e5bf401be8830025f652eb43719fb1f5fdf78aeacba090a57692c9e3dce3a1214f

  • SSDEEP

    768:eLPXwagzrIoXWOFBsTBkbHrHXd4fCJcEHwzOx0vc:ej8I4sTB4bqh1vc

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe
    "C:\Users\Admin\AppData\Local\Temp\fdea0f81d0cb619ab8e9b3f8769ef805d4531e2d3d803f3b3eca9d3af5ed0c3c.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2680
    • C:\Users\Admin\Admin.exe
      "C:\Users\Admin\Admin.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4948

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\Admin.exe

    Filesize

    40KB

    MD5

    d2eb18ac0ac5cce86c03f086b838fc29

    SHA1

    fac03cb2a0baf07fadb374cb66997c1256cd977c

    SHA256

    c7f9e86f8e370d16719d607b53e74cffb0c98f3a77af2b5e2346a0deac359041

    SHA512

    7423704851934dd509516f0118351599f67692983464b2dcb6a42dfa918f5821ecc74884e7ceb34b8e0c9c14fa5568dbad7b1b720d8f86ff7a9530ac4d2ac9ef