Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-07-2024 16:55

General

  • Target

    66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223.exe

  • Size

    955KB

  • MD5

    94f798a6cc5738e8924c9c0b3d2abb1e

  • SHA1

    5714cb7b382dab9977c99c94294561bc42d3166e

  • SHA256

    66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223

  • SHA512

    7b301bddf5d8a3602805754dc995bb4ee88c957b1029e3a17a0ed10d85cc60b1c603a8953a521cae283c39e2ecf69e1253db92cc89dacd46a45d2c72837ce0e4

  • SSDEEP

    24576:duDXTIGaPhEYzUzA0qxUAUBqG8DCRG7F9V5:ADjlabwz9M7WRG59V5

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223.exe
    "C:\Users\Admin\AppData\Local\Temp\66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3704
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:900
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4396
        • C:\Windows\system32\certutil.exe
          certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe" MD5
          4⤵
            PID:2364
          • C:\Windows\system32\find.exe
            find /i /v "md5"
            4⤵
              PID:884
            • C:\Windows\system32\find.exe
              find /i /v "certutil"
              4⤵
                PID:3176
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c cls
              3⤵
                PID:3984
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c cls
                3⤵
                  PID:548

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe

              Filesize

              588KB

              MD5

              2582a8dfdf77e54747a2e84a27377131

              SHA1

              87a91b5cd34f2ed215a0092997ce2989a333b920

              SHA256

              38ea6534608e1496b285dadaa545a968c2b128111fc3841ba84f162f1a3f8e20

              SHA512

              f6193e490b95ef0ac3e2c66c2e83d8f582d4d86c4360b117a7ed11079a612ef62c2408968b96d3a55453cc0ac01b48773377ca090855650c368210235883ba3c