Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/07/2024, 14:16
Static task: static1
Behavioral task: behavioral1
  Sample: entry001/FILE0039.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: entry001/FILE0039.exe
  Resource: win10v2004-20240709-en
General
Target: entry001/FILE0039.exe
Size: 1.5MB
MD5: 15aee466f47357a6f92385c57e050730
SHA1: e42caaab64dda15a44c854c1733614c2a58fa371
SHA256: ac0528667e7cf1e1bd877e66e1dc0451c3e830229baa5120bce7f7ce6e5bd921
SHA512: 1cf3936e3de41029335380606ca2fb1cf03f63fff09e6feead7cc2c2f142887d9fd66d728e62df4781bf723351ca00b7e060a003a386ccb307333d03b30f10a4
SSDEEP: 6144:6afsiuvAQ+tTm6cyERSiytj71cWE4jKS6vwnhB9Y5EwAQVAyhV:XCvAQ+q6ctRt636WfjO4hB9Y5EwAQV/
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation
  Process: FILE0039.exe

Executes dropped EXE (1 IoC)
  pid: 2112
  Process: msn.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\apo5 = "C:\\Program Files (x86)\\win\\msn.exe"
  Process: FILE0039.exe

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only)
  Process: msn.exe
  ioc (23 drive roots, in the order reported): \??\a:, \??\b:, \??\u:, \??\v:, \??\k:, \??\x:, \??\e:, \??\i:, \??\m:, \??\o:, \??\p:, \??\r:, \??\s:, \??\t:, \??\y:, \??\z:, \??\g:, \??\h:, \??\j:, \??\l:, \??\n:, \??\q:, \??\w:

Drops file in Program Files directory (3 IoCs)
  description: File opened for modification
  ioc: C:\Program Files (x86)\win\msn.exe
  Process: FILE0039.exe

  description: File opened for modification
  ioc: C:\Program Files (x86)\win
  Process: FILE0039.exe

  description: File created
  ioc: C:\Program Files (x86)\win\msn.exe
  Process: FILE0039.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings (1 IoC)
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  Process: msn.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid: 2112
  Process: msn.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 2400 wrote to memory of 2112
  pid: 2400
  Process: FILE0039.exe
  procid_target: 87

  description: PID 2400 wrote to memory of 2112
  pid: 2400
  Process: FILE0039.exe
  procid_target: 87

  description: PID 2400 wrote to memory of 2112
  pid: 2400
  Process: FILE0039.exe
  procid_target: 87
Processes

1. C:\Users\Admin\AppData\Local\Temp\entry001\FILE0039.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\entry001\FILE0039.exe"
   PID: 2400
   - Checks computer location settings
   - Adds Run key to start application
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files (x86)\win\msn.exe (child of PID 2400)
      Command line: "C:\Program Files (x86)\win\msn.exe"
      PID: 2112
      - Executes dropped EXE
      - Enumerates connected drives
      - Modifies Internet Explorer settings
      - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15