Analysis

  • max time kernel
    150s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-06-2024 05:43

General

  • Target

    ff85635cfd08235a16e0afa04cdaedaea88c5a815edc343c3d5299231e0e9472.exe

  • Size

    312KB

  • MD5

    0ee9b41689676c79004980e3245cc5b8

  • SHA1

    5731264114d4d589b7d927ac7fc0a75d7e7789fd

  • SHA256

    ff85635cfd08235a16e0afa04cdaedaea88c5a815edc343c3d5299231e0e9472

  • SHA512

    3265389ff1cc228ab0d819d526617dc29629ab388a645b406ccfea8c9fe567cd873012d4605cbc49c439d2f176f56866c649838049b23dd5460e297b03b487ea

  • SSDEEP

    6144:HIbc0f7XP+g3AGJpWVzuQGRHeEgRK/fObT/bGiJKv6R7MkZ4lUr8W9HuOGKhvsM6:ow27/XvLWpuQUeEgRK/fObT/bGiJlMks

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (1 IoC)
  • Adds Run key to start application (2 TTPs, 53 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\ff85635cfd08235a16e0afa04cdaedaea88c5a815edc343c3d5299231e0e9472.exe
    "C:\Users\Admin\AppData\Local\Temp\ff85635cfd08235a16e0afa04cdaedaea88c5a815edc343c3d5299231e0e9472.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4444
    • C:\Users\Admin\mfzup.exe
      "C:\Users\Admin\mfzup.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:884

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\mfzup.exe

    Filesize

    312KB

    MD5

    e944c458f293a42c4689ff20a0be568e

    SHA1

    f681fd06f13b713e0363f2165ed67360e5dc3e41

    SHA256

    455d79805b5826143a5475280b7b380206dd2db8ef1447a3464a5b741907721c

    SHA512

    c5871ba66a749247b533262cb41bc2d8333408378577045956c2357a35cf7d382348025ca59c4bc9056070a25d0d47e7255b7c613687ffd9dc3fd671ad8e2b7b
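
Host triage for the behaviours this report flags, as an added example that is not part of the sandbox report. It checks the registry indicators behind the "Modifies visibility of hidden/system files in Explorer", "Checks computer location settings" and "Adds Run key to start application" signatures above, and hashes executables in the profile root and Temp against the two SHA256 values the report lists (the submitted sample and the dropped C:\Users\Admin\mfzup.exe). The registry paths and value semantics are the standard Windows ones; the function names and the path heuristic are this example's own choices. Run it in an elevated PowerShell on the suspect host so the HKLM Run keys are readable.

```powershell
# Added host-triage example for the behaviours in this report. Not part of the
# sandbox report: registry paths are the standard Windows locations, the hashes are
# the two SHA256 values the report lists, and the helper names are this example's own.
# Run in an elevated PowerShell on the suspect host.

# SHA256 values taken from the report. The dropped mfzup.exe has the same size (312KB)
# as the submitted sample but different hashes, so a match on one does not imply the other.
$ReportHashes = @{
    'ff85635cfd08235a16e0afa04cdaedaea88c5a815edc343c3d5299231e0e9472' = 'submitted sample'
    '455d79805b5826143a5475280b7b380206dd2db8ef1447a3464a5b741907721c' = 'dropped C:\Users\Admin\mfzup.exe'
}

function Get-ExplorerHiddenFileSettings {
    # "Modifies visibility of hidden/system files in Explorer": the two values malware
    # flips so its dropped files stay out of sight in Explorer.
    # Hidden = 2 means "Don't show hidden files"; ShowSuperHidden = 0 hides protected OS files.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Hidden          = $p.Hidden
        ShowSuperHidden = $p.ShowSuperHidden
        HidesFiles      = ($p.Hidden -eq 2) -or ($p.ShowSuperHidden -eq 0)
    }
}

function Get-GeoNation {
    # "Checks computer location settings": the GeoID value the sample looked up.
    # Compare with the locale the sandbox presented (en-us) when judging geofencing.
    (Get-ItemProperty -Path 'HKCU:\Control Panel\International\Geo' -ErrorAction SilentlyContinue).Nation
}

function Get-SuspiciousRunEntries {
    # "Adds Run key to start application": list Run/RunOnce values whose command points
    # into a user-writable location, i.e. an .exe directly in the profile root (as with
    # C:\Users\Admin\mfzup.exe) or anything under AppData (which includes Local\Temp).
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $userWritable = '(?i)\\Users\\[^\\]+\\(?:[^\\"]+\.exe|AppData\\)'
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Get-ItemProperty adds PSPath/PSParentPath/... bookkeeping properties; skip them.
        $names = $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object Name
        foreach ($name in $names) {
            $cmd = [string]$props.$name
            if ($cmd -match $userWritable) {
                [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd }
            }
        }
    }
}

function Test-KnownBadFile {
    # Hash one file and look the digest up in the report's SHA256 list.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $null }
    $sha = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    $label = $null
    if ($ReportHashes.ContainsKey($sha)) { $label = $ReportHashes[$sha] }
    [pscustomobject]@{ Path = $Path; SHA256 = $sha; Match = $label }
}

'== Explorer hidden-file settings =='
Get-ExplorerHiddenFileSettings | Format-List
'== Geo Nation (GeoID) =='
Get-GeoNation
'== Run/RunOnce entries pointing into user-writable paths =='
Get-SuspiciousRunEntries | Format-Table -AutoSize
'== Executables in the profile root and Temp that match a report hash =='
# -Force includes files carrying the Hidden attribute, which the Explorer tweak above
# would otherwise keep out of sight.
Get-ChildItem -Path "$env:USERPROFILE\*.exe", "$env:TEMP\*.exe" -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Test-KnownBadFile -Path $_.FullName } |
    Where-Object { $_.Match } |
    Format-Table -AutoSize
```

Treat the Run-key output as a worklist rather than a verdict: legitimate per-user installers (OneDrive, Teams and similar) also register executables under AppData, whereas an .exe sitting directly in the profile root, as mfzup.exe does here, is rarely legitimate. Hash matching only catches these two exact files; the SSDEEP value in the report needs the ssdeep tool, which is not built into Windows, so it is left out here.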