Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-07-2024 16:55
Static task: static1
Behavioral task: behavioral1
  Sample: 66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223.exe
  Resource: win10v2004-20240508-en
General
- Target: 66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223.exe
- Size: 955KB
- MD5: 94f798a6cc5738e8924c9c0b3d2abb1e
- SHA1: 5714cb7b382dab9977c99c94294561bc42d3166e
- SHA256: 66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223
- SHA512: 7b301bddf5d8a3602805754dc995bb4ee88c957b1029e3a17a0ed10d85cc60b1c603a8953a521cae283c39e2ecf69e1253db92cc89dacd46a45d2c72837ce0e4
- SSDEEP: 24576:duDXTIGaPhEYzUzA0qxUAUBqG8DCRG7F9V5:ADjlabwz9M7WRG59V5
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation
  Process: 66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223.exe
- Executes dropped EXE (1 IoCs)
  PID 900: InternalLoader2.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (14 IoCs)
  Columns: description / pid / Process / procid_target
  PID 3704 wrote to memory of 900 / 3704 / 66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223.exe / 81
  PID 3704 wrote to memory of 900 / 3704 / 66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223.exe / 81
  PID 900 wrote to memory of 4396 / 900 / InternalLoader2.exe / 84
  PID 900 wrote to memory of 4396 / 900 / InternalLoader2.exe / 84
  PID 4396 wrote to memory of 2364 / 4396 / cmd.exe / 85
  PID 4396 wrote to memory of 2364 / 4396 / cmd.exe / 85
  PID 4396 wrote to memory of 884 / 4396 / cmd.exe / 86
  PID 4396 wrote to memory of 884 / 4396 / cmd.exe / 86
  PID 4396 wrote to memory of 3176 / 4396 / cmd.exe / 87
  PID 4396 wrote to memory of 3176 / 4396 / cmd.exe / 87
  PID 900 wrote to memory of 3984 / 900 / InternalLoader2.exe / 90
  PID 900 wrote to memory of 3984 / 900 / InternalLoader2.exe / 90
  PID 900 wrote to memory of 548 / 900 / InternalLoader2.exe / 96
  PID 900 wrote to memory of 548 / 900 / InternalLoader2.exe / 96
Processes
- C:\Users\Admin\AppData\Local\Temp\66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223.exe (depth 1, PID 3704)
  Command line: "C:\Users\Admin\AppData\Local\Temp\66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe (depth 2, PID 900)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe (depth 3, PID 4396)
      Command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\certutil.exe (depth 4, PID 2364)
        Command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe" MD5
      - C:\Windows\system32\find.exe (depth 4, PID 884)
        Command line: find /i /v "md5"
      - C:\Windows\system32\find.exe (depth 4, PID 3176)
        Command line: find /i /v "certutil"
    - C:\Windows\system32\cmd.exe (depth 3, PID 3984)
      Command line: C:\Windows\system32\cmd.exe /c cls
    - C:\Windows\system32\cmd.exe (depth 3, PID 548)
      Command line: C:\Windows\system32\cmd.exe /c cls
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 588KB
  MD5: 2582a8dfdf77e54747a2e84a27377131
  SHA1: 87a91b5cd34f2ed215a0092997ce2989a333b920
  SHA256: 38ea6534608e1496b285dadaa545a968c2b128111fc3841ba84f162f1a3f8e20
  SHA512: f6193e490b95ef0ac3e2c66c2e83d8f582d4d86c4360b117a7ed11079a612ef62c2408968b96d3a55453cc0ac01b48773377ca090855650c368210235883ba3c