8fdbf2e7885aed7b918d92f0e1def1d4e441d454950c557f154019fc344abda2

Analysis

max time kernel
142s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dll/WinSCP.exe
Size

277KB
MD5

50c182293fef31782db383b5f5fb5a3f
SHA1

f884abacee9918bd3d454e531638aa16219d3f2b
SHA256

24e98f04948e730121af8c6f186b8b288a66bfdf88dcf4d11b7ef2878463bd89
SHA512

0399940f9661cbc156395700a0c3a5e6d69d02f7cb9bc43c7437cdcc4106e4e3a813ebd615e016e842b0ed93b14435f9134cd0d61a985b840fe922db65e6ba62
SSDEEP

6144:skdBy6tHmG676IS8i5cSXX6a8sg4iAA+KVI:By6tHe76IS8i5LXviAAje

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WinSCP.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation WinSCP.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WinSCP.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

WinSCP.exe

description	ioc	process
File opened (read-only)	\??\G:	WinSCP.exe
File opened (read-only)	\??\J:	WinSCP.exe
File opened (read-only)	\??\R:	WinSCP.exe
File opened (read-only)	\??\S:	WinSCP.exe
File opened (read-only)	\??\V:	WinSCP.exe
File opened (read-only)	\??\X:	WinSCP.exe
File opened (read-only)	\??\A:	WinSCP.exe
File opened (read-only)	\??\B:	WinSCP.exe
File opened (read-only)	\??\H:	WinSCP.exe
File opened (read-only)	\??\I:	WinSCP.exe
File opened (read-only)	\??\M:	WinSCP.exe
File opened (read-only)	\??\P:	WinSCP.exe
File opened (read-only)	\??\Z:	WinSCP.exe
File opened (read-only)	\??\E:	WinSCP.exe
File opened (read-only)	\??\K:	WinSCP.exe
File opened (read-only)	\??\L:	WinSCP.exe
File opened (read-only)	\??\N:	WinSCP.exe
File opened (read-only)	\??\U:	WinSCP.exe
File opened (read-only)	\??\Y:	WinSCP.exe
File opened (read-only)	\??\O:	WinSCP.exe
File opened (read-only)	\??\Q:	WinSCP.exe
File opened (read-only)	\??\T:	WinSCP.exe
File opened (read-only)	\??\W:	WinSCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WinSCP.exe

pid process

3104 WinSCP.exe
3104 WinSCP.exe
3104 WinSCP.exe
3104 WinSCP.exe

pid	process
3104	WinSCP.exe
3104	WinSCP.exe
3104	WinSCP.exe
3104	WinSCP.exe

C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe
"C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
PID:3104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3104-1-0x0000000001A90000-0x0000000001A91000-memory.dmp

Filesize
4KB

Download
memory/3104-0-0x0000000000100000-0x000000000140F000-memory.dmp

Filesize
19.1MB

Download
memory/3104-7-0x0000000000100000-0x000000000140F000-memory.dmp

Filesize
19.1MB

Download
memory/3104-9-0x0000000001A90000-0x0000000001A91000-memory.dmp

Filesize
4KB

Download