Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
09/06/2024, 07:55
Static task
static1
Behavioral task
behavioral1
Sample
bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe
Resource
win10v2004-20240426-en
General
-
Target
bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe
-
Size
4.9MB
-
MD5
edb15fae78e06173987f7e42ad8c5702
-
SHA1
f32094e4977d9ee90b397c99a15f317494e027c1
-
SHA256
bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99
-
SHA512
1fe2aa356b0d07d089351abd26d65cee3a502e3e2395f05cf32827332d86e0e175a2a2f93260775cc22496ce1690a11f98dd2bbae16004fdc08201af6523e909
-
SSDEEP
98304:HqkCqz0BYDzXMEGQ07//6U4CKwLR53TWML9qFHoDGfn:KkABYfXMVCU4QR587
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts cmd.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe -
Executes dropped EXE 1 IoCs
pid Process 3412 CracKingD0M_ULTRAIS0.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3216 wrote to memory of 968 3216 bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe 83 PID 3216 wrote to memory of 968 3216 bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe 83 PID 3216 wrote to memory of 968 3216 bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe 83 PID 3216 wrote to memory of 3412 3216 bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe 85 PID 3216 wrote to memory of 3412 3216 bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe 85 PID 3216 wrote to memory of 3412 3216 bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe"C:\Users\Admin\AppData\Local\Temp\bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G34RSETT13.bat" "2⤵
- Drops file in Drivers directory
PID:968
-
-
C:\Users\Admin\AppData\Local\Temp\CracKingD0M_ULTRAIS0.EXE"C:\Users\Admin\AppData\Local\Temp\CracKingD0M_ULTRAIS0.EXE"2⤵
- Executes dropped EXE
PID:3412
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.8MB
MD538be3a3a5b9e13d14e0b02bda895987d
SHA17c6feb666012e0468cebeffb45cd094161469cdf
SHA2567875eb995e32a29d10e878f76fe2dab6da32e4042bb5d2f7f427673db3b82a91
SHA5124b40050fd159fb79075b9a8ffaa47501444a3b88ed85c38f93f14927072df03c57c321bf1cec40cdd6196d0514ff71c4a4a32851e1f3a74e217b58262a8c1454
-
Filesize
8KB
MD5a335f477a541d2600481c71ee64c1f62
SHA1b9fa6b64d0e5e36db9ec6162679d2df897515bc9
SHA2560779a9432a71f02299e9078b58f512d9667949d4eb9ea60283daec64a6526bae
SHA512918f74f1a80ae6b555f8831d23285aef514eaeb58deefa58b28f626bc980af2a88523d52f1ff40c238a9bdb577718535784a9e87610f92b13d6460b2b5dc520b
-
Filesize
4KB
MD56b0dd15ed54a35c29b0f2e58f30d89a9
SHA1d3be5b9b0095c59799a166d2ff0346f45d914ff1
SHA2560412e9ae87a345df6590192a6f975d0c50bdf35eb80ca793592018259fef67c6
SHA512689b2453ba4b969baf7e5f7a3e5e03983dd4e617afe8df0ba5f743929ff55cbad7b08925a2d654c7c1e68dc721b41bb46abd9a127e55dede34c8b277c081cdf5