Analysis
-
max time kernel
62s -
max time network
51s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
10/06/2024, 21:53
Behavioral task
behavioral1
Sample
4d1e5f808b9e90b9b7ac9e32b4e11b2ef223745fa707aa4c34f60e3bd72ae42a.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
4d1e5f808b9e90b9b7ac9e32b4e11b2ef223745fa707aa4c34f60e3bd72ae42a.exe
Resource
win10v2004-20240508-en
General
-
Target
4d1e5f808b9e90b9b7ac9e32b4e11b2ef223745fa707aa4c34f60e3bd72ae42a.exe
-
Size
134KB
-
MD5
b3b9455487c8b7e0200fd886bd4da330
-
SHA1
8b8d0118d9b155363e283bf492c7b873b4f79578
-
SHA256
4d1e5f808b9e90b9b7ac9e32b4e11b2ef223745fa707aa4c34f60e3bd72ae42a
-
SHA512
1c0a008123801ea3375c02f98417353a19ec831a652b58a5ea14c85245a8ace6b3019f6836899d66743410784b43f246055b98e382d0cef709beffca38222380
-
SSDEEP
1536:YGYU/W2/HG6QMauSV3ixJHABLrmhH7i9eNOOg00GqMIK7aGZh3SO7:YfU/WF6QMauSuiWNi9eNOl0007NZIO7
Malware Config
Signatures
-
UPX dump on OEP (original entry point) 6 IoCs
resource yara_rule behavioral2/memory/3112-0-0x00000000009B0000-0x00000000009D8000-memory.dmp UPX behavioral2/files/0x00080000000233f1-3.dat UPX behavioral2/memory/3528-4-0x0000000000DD0000-0x0000000000DF8000-memory.dmp UPX behavioral2/memory/3112-6-0x00000000009B0000-0x00000000009D8000-memory.dmp UPX behavioral2/memory/3528-7-0x0000000000DD0000-0x0000000000DF8000-memory.dmp UPX behavioral2/memory/3112-8-0x00000000009B0000-0x00000000009D8000-memory.dmp UPX -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation 4d1e5f808b9e90b9b7ac9e32b4e11b2ef223745fa707aa4c34f60e3bd72ae42a.exe -
Executes dropped EXE 1 IoCs
pid Process 3528 wuauclt.exe -
resource yara_rule behavioral2/memory/3112-0-0x00000000009B0000-0x00000000009D8000-memory.dmp upx behavioral2/files/0x00080000000233f1-3.dat upx behavioral2/memory/3528-4-0x0000000000DD0000-0x0000000000DF8000-memory.dmp upx behavioral2/memory/3112-6-0x00000000009B0000-0x00000000009D8000-memory.dmp upx behavioral2/memory/3528-7-0x0000000000DD0000-0x0000000000DF8000-memory.dmp upx behavioral2/memory/3112-8-0x00000000009B0000-0x00000000009D8000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\wuauclt.exe\" /run" 4d1e5f808b9e90b9b7ac9e32b4e11b2ef223745fa707aa4c34f60e3bd72ae42a.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3112 wrote to memory of 3528 3112 4d1e5f808b9e90b9b7ac9e32b4e11b2ef223745fa707aa4c34f60e3bd72ae42a.exe 82 PID 3112 wrote to memory of 3528 3112 4d1e5f808b9e90b9b7ac9e32b4e11b2ef223745fa707aa4c34f60e3bd72ae42a.exe 82 PID 3112 wrote to memory of 3528 3112 4d1e5f808b9e90b9b7ac9e32b4e11b2ef223745fa707aa4c34f60e3bd72ae42a.exe 82 PID 3112 wrote to memory of 2672 3112 4d1e5f808b9e90b9b7ac9e32b4e11b2ef223745fa707aa4c34f60e3bd72ae42a.exe 91 PID 3112 wrote to memory of 2672 3112 4d1e5f808b9e90b9b7ac9e32b4e11b2ef223745fa707aa4c34f60e3bd72ae42a.exe 91 PID 3112 wrote to memory of 2672 3112 4d1e5f808b9e90b9b7ac9e32b4e11b2ef223745fa707aa4c34f60e3bd72ae42a.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\4d1e5f808b9e90b9b7ac9e32b4e11b2ef223745fa707aa4c34f60e3bd72ae42a.exe"C:\Users\Admin\AppData\Local\Temp\4d1e5f808b9e90b9b7ac9e32b4e11b2ef223745fa707aa4c34f60e3bd72ae42a.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3112 -
C:\ProgramData\Update\wuauclt.exe"C:\ProgramData\Update\wuauclt.exe" /run2⤵
- Executes dropped EXE
PID:3528
-
-
C:\windows\SysWOW64\cmd.exe"C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\4d1e5f808b9e90b9b7ac9e32b4e11b2ef223745fa707aa4c34f60e3bd72ae42a.exe" >> NUL2⤵PID:2672
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
134KB
MD57308cf2a1b7a86816824b65a82f8ee63
SHA1b47f84862ce71a3d20875dab2d979986d54dcb03
SHA2569def86394fcb1aa5376cefce8247c096fb3827c5e060805e2dcbf93226aa93e6
SHA512c68c85cc85227aba0ac7f46ddac04c408503a619ecba1933518983265f569bcb0a65ae071b32d0530aa511bf9ad35c45465239b277c2870e912de36d33c6fe62