Analysis
-
max time kernel
98s -
max time network
134s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
10-07-2024 21:08
General
-
Target
9d8114e44f2e383298e097c1a53671df65d99c48ed610d704922ada5a85a6b9c.exe
-
Size
1.1MB
-
MD5
8239e4b1405d8b7855048a00f079a1ad
-
SHA1
b976d994d476075d5dbd5dec6c3bccad1002af66
-
SHA256
9d8114e44f2e383298e097c1a53671df65d99c48ed610d704922ada5a85a6b9c
-
SHA512
e0ec149b46de6776cfaadb8e929caec9aa518d92902a8eb58760f17a0d6b310640c951ba2cffd026522c9271e8225acf7dc652d0865e55d63e643c20461cc36f
-
SSDEEP
24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q7:CcaClSFlG4ZM7QzMM
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9d8114e44f2e383298e097c1a53671df65d99c48ed610d704922ada5a85a6b9c.exe"C:\Users\Admin\AppData\Local\Temp\9d8114e44f2e383298e097c1a53671df65d99c48ed610d704922ada5a85a6b9c.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
753B
MD5745eadc6f954c2ea1a3460534d587f81
SHA1e4a2bcf773316f39fae0b0131fd53d3369a95adb
SHA256d4268b1ec86e27679d8a1e935b9c7bb7f7609c013e8e6fd156d073bdb649dab0
SHA5128d85306fec1c25c46ef9ee5aa0d04f72fb9786142e7cbe45bb22a40b4781e46edb3d760f070fc4435442da1d65048c8c49607712ee30f53535a91ca71a0724ae
-
Filesize
1.1MB
MD523a38fc6d1e526f8967ec68bf74ab761
SHA1c72ca6d618f4fc39bae41dff2758252ba883881e
SHA256df6d120f589e4310ddae4769908a57b27adcf479f3e0df5d22da0170db7b8e56
SHA512bcbcf4a03886b9fc0a055dd378eae6eb966f80843fbac35d794eda130c6549e85961b6ebf97e0bd8efd0e519ad47b4a55df8e4551e989f976f651ebb8a3077e3
-
Filesize
1.3MB