Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/06/2024, 04:54
Static task: static1
Behavioral task: behavioral1
  Sample: d8526bf93c489c5e634cf3028d4b80a9f4c353364ba634748cfe618ebc01f505.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: d8526bf93c489c5e634cf3028d4b80a9f4c353364ba634748cfe618ebc01f505.exe
  Resource: win10v2004-20240611-en
General
- Target: d8526bf93c489c5e634cf3028d4b80a9f4c353364ba634748cfe618ebc01f505.exe
- Size: 59KB
- MD5: 4437faaf86f1245b6ef383fb3a2732b9
- SHA1: ac1f075eac9417fb2b776bc53c36865f00d7cc87
- SHA256: d8526bf93c489c5e634cf3028d4b80a9f4c353364ba634748cfe618ebc01f505
- SHA512: cfb3d32c433d0263c32be07ad8e3af0e21244a3ea02f648cdfad6d0daea833e6c69de7bf2d8badf08f82dcdb706f4741c844b8c5f77696fa5f83e251ba37fbbb
- SSDEEP: 768:JKe7zUTWVlTVV0uIaOoRPmTPsED3VK2+ZtyOjgO4r9vFAg2rqB47KI+IUb:JKe7zUm9FIaOHYTjipvF2SI+d
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | d8526bf93c489c5e634cf3028d4b80a9f4c353364ba634748cfe618ebc01f505.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  2704 | codecupdate.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4932 wrote to memory of 2704 | 4932 | d8526bf93c489c5e634cf3028d4b80a9f4c353364ba634748cfe618ebc01f505.exe | 80
  PID 4932 wrote to memory of 2704 | 4932 | d8526bf93c489c5e634cf3028d4b80a9f4c353364ba634748cfe618ebc01f505.exe | 80
  PID 4932 wrote to memory of 2704 | 4932 | d8526bf93c489c5e634cf3028d4b80a9f4c353364ba634748cfe618ebc01f505.exe | 80
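The three signatures above are each a simple rule over the raw event trace: a registry read of the Geo\Nation value, a process whose image was written to disk earlier in the same run, and WriteProcessMemory calls from one PID into another. The script below re-derives them from an event list. It is an added example, not the sandbox's own detection code: the event schema, the function names and the file-write event for codecupdate.exe (implied by "Executes dropped EXE" but not printed in the report) are assumptions, and the trace is constructed by hand to mirror the IoCs shown.

```python
"""Re-derive the report's three behavioural signatures from a raw event trace.

Added example, not part of the sandbox report. EVENTS is constructed to mirror
what the report shows: the Geo\\Nation query, the dropped codecupdate.exe being
executed, and three WriteProcessMemory calls from PID 4932 into PID 2704. The
event schema and the file_write line are assumptions.
"""
from collections import defaultdict

SAMPLE = "d8526bf93c489c5e634cf3028d4b80a9f4c353364ba634748cfe618ebc01f505.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed trace (assumed schema). The report lists the reg_query,
# proc_create and write_memory IoCs; the file_write is inferred.
EVENTS = [
    {"op": "reg_query", "pid": 4932, "image": SAMPLE,
     "key": r"\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"op": "file_write", "pid": 4932, "image": SAMPLE,
     "path": TEMP + r"\codecupdate.exe"},
    {"op": "proc_create", "pid": 2704, "ppid": 4932, "image": "codecupdate.exe",
     "path": TEMP + r"\codecupdate.exe"},
    {"op": "write_memory", "pid": 4932, "image": SAMPLE, "target_pid": 2704},
    {"op": "write_memory", "pid": 4932, "image": SAMPLE, "target_pid": 2704},
    {"op": "write_memory", "pid": 4932, "image": SAMPLE, "target_pid": 2704},
]


def geofence_checks(events):
    """Registry reads of the user's configured country (GeoID).

    Only the Nation value under Control Panel > International > Geo is
    matched; that is what a locale kill switch reads, and the other
    International values are far too noisy to flag."""
    suffix = r"\control panel\international\geo\nation"
    return [e for e in events
            if e["op"] == "reg_query" and e["key"].lower().endswith(suffix)]


def dropped_executables_run(events):
    """Process creations whose image was written to disk earlier in the trace."""
    written = {e["path"].lower() for e in events if e["op"] == "file_write"}
    return [e for e in events
            if e["op"] == "proc_create" and e["path"].lower() in written]


def cross_process_writes(events):
    """WriteProcessMemory into a different process, counted per (source, target).

    A parent writing into its freshly spawned child is the shape of process
    hollowing or injection, but some legitimate launchers do it as well, so on
    its own this is 'suspicious' rather than 'malicious'."""
    counts = defaultdict(int)
    for e in events:
        if e["op"] == "write_memory" and e["target_pid"] != e["pid"]:
            counts[(e["pid"], e["target_pid"])] += 1
    return dict(counts)


def signatures(events):
    """Signature names that fire for this trace, with their IoC counts."""
    out = {}
    geo = geofence_checks(events)
    if geo:
        out["Checks computer location settings"] = len(geo)
    dropped = dropped_executables_run(events)
    if dropped:
        out["Executes dropped EXE"] = len(dropped)
    writes = cross_process_writes(events)
    if writes:
        out["Suspicious use of WriteProcessMemory"] = sum(writes.values())
    return out


if __name__ == "__main__":
    for name, n in signatures(EVENTS).items():
        print(f"{name}: {n} IoC(s)")
```

Run against the constructed trace it reproduces the report's counts (1, 1 and 3). The dropped-EXE rule deliberately keys on the full path rather than the file name, so a same-named binary elsewhere on disk does not fire it.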
Processes
1. C:\Users\Admin\AppData\Local\Temp\d8526bf93c489c5e634cf3028d4b80a9f4c353364ba634748cfe618ebc01f505.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d8526bf93c489c5e634cf3028d4b80a9f4c353364ba634748cfe618ebc01f505.exe"
   PID: 4932
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\codecupdate.exe (child of PID 4932)
      Command line: "C:\Users\Admin\AppData\Local\Temp\codecupdate.exe"
      PID: 2704
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 59KB
  MD5: c75d13c161a2eeff6f81cb1d2eb61ce8
  SHA1: f995b38f6ac0af26dff65e2b2e8ac6ef86ac0a17
  SHA256: b2222f3a0a5c042279a2e49874acd23fbe042b7857b19d28232356867026701e
  SHA512: 471f9e7412883ab37ec9f202fcbc917169509a5ff333022701acd8ead1b2955db79b3c4a863d3e4781cfdc02a2dc7182e04c2be841ec18095e8b1c3941c86fdf