Analysis
-
max time kernel
150s -
max time network
51s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
13-06-2024 18:43
Static task
static1
Behavioral task
behavioral1
Sample
04649c0a877ac6fa6d3388376df7a558d4151f81ef0eed781e6f3b541c328295.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
04649c0a877ac6fa6d3388376df7a558d4151f81ef0eed781e6f3b541c328295.exe
Resource
win10v2004-20240508-en
General
-
Target
04649c0a877ac6fa6d3388376df7a558d4151f81ef0eed781e6f3b541c328295.exe
-
Size
5KB
-
MD5
93d31b97555fed253eb666b32510b9b2
-
SHA1
ab0247ed3e1b99b5157697dd64734928d02651f9
-
SHA256
04649c0a877ac6fa6d3388376df7a558d4151f81ef0eed781e6f3b541c328295
-
SHA512
0eb5d9e07f80fee441ba18f0c2585e1175654f428affedb974395fb4dc2ae5f411ad15d9e8cd7c8777d6f67b3112a182294ff9ce4f4fb0426732e09464fe6510
-
SSDEEP
48:6hecFbLUTctoGevLHmCyYymx7RfMRNptUzEVnQBG/RACalGUF2CS7DD0//YX:QUYtevLGayMUXptwAnQWRRUF2CqD0YX
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
04649c0a877ac6fa6d3388376df7a558d4151f81ef0eed781e6f3b541c328295.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation 04649c0a877ac6fa6d3388376df7a558d4151f81ef0eed781e6f3b541c328295.exe -
Executes dropped EXE 1 IoCs
Processes:
kdeohw.exepid process 2660 kdeohw.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
04649c0a877ac6fa6d3388376df7a558d4151f81ef0eed781e6f3b541c328295.exedescription pid process target process PID 1392 wrote to memory of 2660 1392 04649c0a877ac6fa6d3388376df7a558d4151f81ef0eed781e6f3b541c328295.exe kdeohw.exe PID 1392 wrote to memory of 2660 1392 04649c0a877ac6fa6d3388376df7a558d4151f81ef0eed781e6f3b541c328295.exe kdeohw.exe PID 1392 wrote to memory of 2660 1392 04649c0a877ac6fa6d3388376df7a558d4151f81ef0eed781e6f3b541c328295.exe kdeohw.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\04649c0a877ac6fa6d3388376df7a558d4151f81ef0eed781e6f3b541c328295.exe"C:\Users\Admin\AppData\Local\Temp\04649c0a877ac6fa6d3388376df7a558d4151f81ef0eed781e6f3b541c328295.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Users\Admin\AppData\Local\Temp\kdeohw.exe"C:\Users\Admin\AppData\Local\Temp\kdeohw.exe"2⤵
- Executes dropped EXE
PID:2660
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD5cb565232cf4b5ad157feeb9b22e0faa6
SHA10e40f1ba04a01332db9f3194f1678712804f5da4
SHA25671b258ef903c71b3fd5c2dbdfb837abf987d8dd7dc1dee39c459697a1c427e74
SHA51245ae76cdc0dfc139e87eff85c5a6fd12cd1615a3e3897606235d98df4930536885255fb650d5e67bedbae5b2f48d38e9be3124fa5d58398885a32d46f212e8c9