Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/06/2024, 07:55

General

  • Target

    bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe

  • Size

    4.9MB

  • MD5

    edb15fae78e06173987f7e42ad8c5702

  • SHA1

    f32094e4977d9ee90b397c99a15f317494e027c1

  • SHA256

    bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99

  • SHA512

    1fe2aa356b0d07d089351abd26d65cee3a502e3e2395f05cf32827332d86e0e175a2a2f93260775cc22496ce1690a11f98dd2bbae16004fdc08201af6523e909

  • SSDEEP

    98304:HqkCqz0BYDzXMEGQ07//6U4CKwLR53TWML9qFHoDGfn:KkABYfXMVCU4QR587

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe
    "C:\Users\Admin\AppData\Local\Temp\bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3216
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G34RSETT13.bat" "
      2⤵
      • Drops file in Drivers directory
      PID:968
    • C:\Users\Admin\AppData\Local\Temp\CracKingD0M_ULTRAIS0.EXE
      "C:\Users\Admin\AppData\Local\Temp\CracKingD0M_ULTRAIS0.EXE"
      2⤵
      • Executes dropped EXE
      PID:3412

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CracKingD0M_ULTRAIS0.EXE

    Filesize

    4.8MB

    MD5

    38be3a3a5b9e13d14e0b02bda895987d

    SHA1

    7c6feb666012e0468cebeffb45cd094161469cdf

    SHA256

    7875eb995e32a29d10e878f76fe2dab6da32e4042bb5d2f7f427673db3b82a91

    SHA512

    4b40050fd159fb79075b9a8ffaa47501444a3b88ed85c38f93f14927072df03c57c321bf1cec40cdd6196d0514ff71c4a4a32851e1f3a74e217b58262a8c1454

  • C:\Users\Admin\AppData\Local\Temp\G34RSETT13.bat

    Filesize

    8KB

    MD5

    a335f477a541d2600481c71ee64c1f62

    SHA1

    b9fa6b64d0e5e36db9ec6162679d2df897515bc9

    SHA256

    0779a9432a71f02299e9078b58f512d9667949d4eb9ea60283daec64a6526bae

    SHA512

    918f74f1a80ae6b555f8831d23285aef514eaeb58deefa58b28f626bc980af2a88523d52f1ff40c238a9bdb577718535784a9e87610f92b13d6460b2b5dc520b

  • C:\Windows\System32\drivers\etc\hosts

    Filesize

    4KB

    MD5

    6b0dd15ed54a35c29b0f2e58f30d89a9

    SHA1

    d3be5b9b0095c59799a166d2ff0346f45d914ff1

    SHA256

    0412e9ae87a345df6590192a6f975d0c50bdf35eb80ca793592018259fef67c6

    SHA512

    689b2453ba4b969baf7e5f7a3e5e03983dd4e617afe8df0ba5f743929ff55cbad7b08925a2d654c7c1e68dc721b41bb46abd9a127e55dede34c8b277c081cdf5