Analysis
- max time kernel: 133s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/06/2024, 07:40
Static task: static1
Behavioral task: behavioral1
- Sample: b4f88ffb784866e7407d06a4a1e32c9a0fa56abb9712c28db4aeb1121f61c15c.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: b4f88ffb784866e7407d06a4a1e32c9a0fa56abb9712c28db4aeb1121f61c15c.exe
- Resource: win10v2004-20240508-en
General
- Target: b4f88ffb784866e7407d06a4a1e32c9a0fa56abb9712c28db4aeb1121f61c15c.exe
- Size: 4.4MB
- MD5: a47712c805095e850e45816569807f2e
- SHA1: 06ed7b4843790af99d107daad33ea047415efc3d
- SHA256: b4f88ffb784866e7407d06a4a1e32c9a0fa56abb9712c28db4aeb1121f61c15c
- SHA512: 07bcc3341de1679c03b3bfe99c7dbc836cbc2b1be617a02abe7818256c866b9728be69e580d2e9c05c24c22d93338c0d20f1c01cc2171760106d523b924997e9
- SSDEEP: 98304:1JeVusCcg53j1qLd9z/Wro8xSFIsGegFLOAkGkzdnEVomFHKnPs:/shG3Q+o8xSF1GegFLOyomFHKnPs
Signatures
Executes dropped EXE (2 IoCs)
  PID   Process
  3716  °²×°°ü.exe
  2068  °²×°°ü.exe
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  Description              IoC     Process
  File opened (read-only)  \??\U:  °²×°°ü.exe
  File opened (read-only)  \??\V:  °²×°°ü.exe
  File opened (read-only)  \??\Z:  °²×°°ü.exe
  File opened (read-only)  \??\E:  °²×°°ü.exe
  File opened (read-only)  \??\G:  °²×°°ü.exe
  File opened (read-only)  \??\P:  °²×°°ü.exe
  File opened (read-only)  \??\Q:  °²×°°ü.exe
  File opened (read-only)  \??\R:  °²×°°ü.exe
  File opened (read-only)  \??\S:  °²×°°ü.exe
  File opened (read-only)  \??\W:  °²×°°ü.exe
  File opened (read-only)  \??\X:  °²×°°ü.exe
  File opened (read-only)  \??\K:  °²×°°ü.exe
  File opened (read-only)  \??\N:  °²×°°ü.exe
  File opened (read-only)  \??\O:  °²×°°ü.exe
  File opened (read-only)  \??\M:  °²×°°ü.exe
  File opened (read-only)  \??\T:  °²×°°ü.exe
  File opened (read-only)  \??\J:  °²×°°ü.exe
  File opened (read-only)  \??\L:  °²×°°ü.exe
  File opened (read-only)  \??\Y:  °²×°°ü.exe
  File opened (read-only)  \??\B:  °²×°°ü.exe
  File opened (read-only)  \??\H:  °²×°°ü.exe
  File opened (read-only)  \??\I:  °²×°°ü.exe
Drops file in System32 directory (2 IoCs)
  Description                   IoC                             Process
  File created                  C:\Windows\SysWOW64\°²×°°ü.exe  b4f88ffb784866e7407d06a4a1e32c9a0fa56abb9712c28db4aeb1121f61c15c.exe
  File opened for modification  C:\Windows\SysWOW64\°²×°°ü.exe  b4f88ffb784866e7407d06a4a1e32c9a0fa56abb9712c28db4aeb1121f61c15c.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Description        IoC                                                                    Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       °²×°°ü.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  °²×°°ü.exe
Modifies data under HKEY_USERS (5 IoCs)
  Description      IoC                                                                       Process
  Key created      \REGISTRY\USER\.DEFAULT\Software                                          °²×°°ü.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft                                °²×°°ü.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie                    °²×°°ü.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"  °²×°°ü.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum            °²×°°ü.exe
Runs ping.exe (1 TTPs, 1 IoCs)
  PID   Process
  2352  PING.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID   Process
  2068  °²×°°ü.exe  (the same entry is reported 64 times)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Description                        PID   Process
  Token: SeIncBasePriorityPrivilege  2432  b4f88ffb784866e7407d06a4a1e32c9a0fa56abb9712c28db4aeb1121f61c15c.exe
Suspicious use of SetWindowsHookEx (6 IoCs)
  PID   Process
  2432  b4f88ffb784866e7407d06a4a1e32c9a0fa56abb9712c28db4aeb1121f61c15c.exe  (x2)
  3716  °²×°°ü.exe  (x2)
  2068  °²×°°ü.exe  (x2)
Suspicious use of WriteProcessMemory (9 IoCs)
  Description                       PID   Process                                                                procid_target
  PID 2432 wrote to memory of 4284  2432  b4f88ffb784866e7407d06a4a1e32c9a0fa56abb9712c28db4aeb1121f61c15c.exe  94  (x3)
  PID 3716 wrote to memory of 2068  3716  °²×°°ü.exe                                                             95  (x3)
  PID 4284 wrote to memory of 2352  4284  cmd.exe                                                                97  (x3)
Processes
- C:\Users\Admin\AppData\Local\Temp\b4f88ffb784866e7407d06a4a1e32c9a0fa56abb9712c28db4aeb1121f61c15c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b4f88ffb784866e7407d06a4a1e32c9a0fa56abb9712c28db4aeb1121f61c15c.exe"
  PID: 2432
  Signatures: Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\B4F88F~1.EXE > nul
    PID: 4284
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 2 127.0.0.1
      PID: 2352
      Signatures: Runs ping.exe
- C:\Windows\SysWOW64\°²×°°ü.exe
  Command line: C:\Windows\SysWOW64\°²×°°ü.exe -auto
  PID: 3716
  Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\°²×°°ü.exe
    Command line: C:\Windows\SysWOW64\°²×°°ü.exe -acsi
    PID: 2068
    Signatures: Executes dropped EXE; Enumerates connected drives; Checks processor information in registry; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3884,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=4356 /prefetch:8
  PID: 812