Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/06/2024, 22:29
Static task: static1
Behavioral task: behavioral1
  Sample: 5c8fc022fbe712cba4b8285d2464a9d72c98f80036fb403db0599a57ca262769.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 5c8fc022fbe712cba4b8285d2464a9d72c98f80036fb403db0599a57ca262769.exe
  Resource: win10v2004-20240426-en
General
Target: 5c8fc022fbe712cba4b8285d2464a9d72c98f80036fb403db0599a57ca262769.exe
Size: 43KB
MD5: 8d69472f3eb77fb0ce04dd8bc4c749f2
SHA1: 8fdb6f48f6fe12a1b3a75e8ca297b689a7a39bf6
SHA256: 5c8fc022fbe712cba4b8285d2464a9d72c98f80036fb403db0599a57ca262769
SHA512: 7845fb14687068493f8417b8b76e096f0ba4ddb1bc959f275b4b54823ed20bc3ee48a70c61eedda6c8d35fe88a9c2c9fb2726b58b666894bea027646f25dbf3f
SSDEEP: 384:zk6dvGD8hcv7kyAPzJSjlgK2WlM2BDU8sposh6VbCiSfppzhjhv1xlr62wLDYeqf:fuycTSGlgkKAU8Uh+Yfl1B/wLUe2L
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Description        | IoC                                                                                                   | Process
  Key value queried  | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | 5c8fc022fbe712cba4b8285d2464a9d72c98f80036fb403db0599a57ca262769.exe
  Key value queried  | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | true_update.exe
- Executes dropped EXE (1 IoCs)
  PID  | Process
  3932 | true_update.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  Description                      | PID  | Process                                                              | procid_target
  PID 1176 wrote to memory of 3932 | 1176 | 5c8fc022fbe712cba4b8285d2464a9d72c98f80036fb403db0599a57ca262769.exe | 82
  PID 1176 wrote to memory of 3932 | 1176 | 5c8fc022fbe712cba4b8285d2464a9d72c98f80036fb403db0599a57ca262769.exe | 82
  PID 1176 wrote to memory of 3932 | 1176 | 5c8fc022fbe712cba4b8285d2464a9d72c98f80036fb403db0599a57ca262769.exe | 82
Processes
- C:\Users\Admin\AppData\Local\Temp\5c8fc022fbe712cba4b8285d2464a9d72c98f80036fb403db0599a57ca262769.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5c8fc022fbe712cba4b8285d2464a9d72c98f80036fb403db0599a57ca262769.exe"
  PID: 1176
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\true_update.exe (child of PID 1176)
    Command line: "C:\Users\Admin\AppData\Local\Temp\true_update.exe"
    PID: 3932
    - Checks computer location settings
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 43KB
  MD5: 887a720bd7433ffc7a3546c22122acde
  SHA1: 51bdbb69387e0989adb47cbfdd77355450bd71ee
  SHA256: ad5ab19740a0db433d88b21cce5e9d345626006446a34334c55c60ef05a08928
  SHA512: 6584e2856e39b266e26dc57b7997ab77990d28251424e161672042bf292030b6e5f183eb194123b1648aa74f29e96cd1c1debb79da15311ddb42de580e29ae41