Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-07-2024 10:53

General

  • Target

    a3960e88c72a663734c17d85f5015571b340789d3a9646aa71a8d7ded643a7c6.exe

  • Size

    1.2MB

  • MD5

    351781e9708914f6ad166bb3b932ffe1

  • SHA1

    bce99eb27b677455ba33cd7d9fac544013be4efc

  • SHA256

    a3960e88c72a663734c17d85f5015571b340789d3a9646aa71a8d7ded643a7c6

  • SHA512

    459c75ce17b642ad15ebf27378437a2af4318f7c77de92de7b6f9c86c91d842c47e27b29211f43c8fb7833800fd14a5126c40e23678960413da7cc99d1377cda

  • SSDEEP

    24576:ZBT1ZpcNUoktiPzcWgyuhpuwvq8qLduQgfbZi9jnv5Hz:D1ZpTUPohTvq8qLBgjZsjNz

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a3960e88c72a663734c17d85f5015571b340789d3a9646aa71a8d7ded643a7c6.exe
    "C:\Users\Admin\AppData\Local\Temp\a3960e88c72a663734c17d85f5015571b340789d3a9646aa71a8d7ded643a7c6.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:544
    • C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
      "C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2200
      • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
        "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        PID:928
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1004
        3⤵
        • Program crash
        PID:2892
    • C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
      "C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2488
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c LvTasfZdX
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4036
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c cmd < Rapiva.mov
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3428
        • C:\Windows\SysWOW64\cmd.exe
          cmd
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2692
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V /R "^pAvofqIrkohjdrCgCTcBhWrPbuXmHqloifUaNcpwSZexQIXXPwRGojGjbGKoroclYytqolBuKxJgUJZOpqKGoDZUJIVuKqXJDRcKDXOFmLVODaaNHWZrnPwxulsAgccJvZKehgkkktubI$" Sento.mov
            5⤵
            • System Location Discovery: System Language Discovery
            PID:532
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Arteria.exe.com
            Arteria.exe.com U
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3648
            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Arteria.exe.com
              C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Arteria.exe.com U
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Checks processor information in registry
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:3992
              • C:\Windows\SysWOW64\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rvrygxioh.vbs"
                7⤵
                • Blocklisted process makes network request
                • System Location Discovery: System Language Discovery
                PID:3296
          • C:\Windows\SysWOW64\PING.EXE
            ping localhost -n 30
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4980
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2200 -ip 2200
    1⤵
    PID:2668

Network

MITRE ATT&CK Enterprise v15


Downloads

    • C:\Users\Admin\AppData\Local\Temp\57D0.tmp

      Filesize

      311B

      MD5

      9105750f17d90587cfdb3073e3db4b41

      SHA1

      68299e57ccb94050710511c9fba7f144af55038d

      SHA256

      325bea9d40295cd711d613b7dcb0958e04a537f751b177573a9c40303a4879f9

      SHA512

      07fcd8e2811bc7d8a481694d32a8d220a03ec99dfd8b9f55de99ff8327d392c6afbd821358b5087e29120b5a6d706f258c723585d3c69a26c1b0c385722256de

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Arteria.exe.com

      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Disconosci.mov

      Filesize

      139KB

      MD5

      21f79182b467153526fb9e97b33ef0d5

      SHA1

      c9f7939dc228b53f3993e6262f609bd915187ef1

      SHA256

      4cae657014aa9d240dca1339626ea9ff4442695b7c758e77146803da475d31a0

      SHA512

      8ce012401417e02c90b09f18cf736355fb2628f0f97bc4fa6bbab3e123ae107713e774ddd7628748d2407443e001734a6d0d8418d849827104d5c0721a88ed37

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mutato.mov

      Filesize

      713KB

      MD5

      a4f3ac1965f029dfee419427023a353f

      SHA1

      747f357205809bb3732d65d1dd4c814ec2c5bf47

      SHA256

      13cf314114608f1b8277ca7647b5210a60275469567967080a689c6c0fdf4533

      SHA512

      7f471b096547015c69a886c7d376a352fc7c93aee7ed18b57079768027d557902d5c32a314ab4bee00f79c284981e2c3571e8314b9914bf00e984503ec450178

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rapiva.mov

      Filesize

      497B

      MD5

      83641c3aa461594855a69ea3be59c332

      SHA1

      d45ea8168604649acc3a896c4b4a06ed63f8413e

      SHA256

      e64a1cb9aa2c169c8edb5d962f9bc679f852b6ae4364cca86e7b01b1c0d4479d

      SHA512

      5bca38d69d9f959d762e52fa69e3471c90f052d664f7fb899183fa099835e1a03e71fa14379ad99f5198d5d64ac2522145e3bc6056a67af0a7d4412e5a9cd084

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sento.mov

      Filesize

      872KB

      MD5

      37612b1671d135e0be914f0106f397f7

      SHA1

      cde049dcdc196d2174925b5a06fbb22d424ad2ac

      SHA256

      7167e77a7461f0acb586e23ec43ad218fa5cea2ecd6dd80c62d35be452680912

      SHA512

      4d08c4b79fcb70d70a82e365231354f5f6e67d0a3ccb58a97733e416cf731422479525a45a0e3a782dc045420e89f6fa79e3a8665ff2ef44a8fb1e2dc6f621a5

    • C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe

      Filesize

      358KB

      MD5

      d956587c4a2b63a8650dc6324b493802

      SHA1

      e352fd1e0e5f7ca2f8a5b925001bd4027afbbdb6

      SHA256

      3fcbfc25fd4d57ed1b34a55c8afab3eac0d26695c9435ca7f248730d2c0f5d75

      SHA512

      4ed0e606813529697bb353ab4dbd1600724e9064613d4803da5a470303f7c25478f3dd837df19d1d7808fa09c08680d76ab617842d23643384cc86e78978d21a

    • C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe

      Filesize

      1.0MB

      MD5

      c947291b42012d2f82b7d9896630584b

      SHA1

      0854ce780aa21d642d03269fb6977370af1a254c

      SHA256

      b317a4e36ea8c4f943d6f1d3f933bb96d29aa6ba16c48a7b5c9db07b5a17bbd2

      SHA512

      f74987266c2df4acfb2c02a162e0028ca2a7b3c611ff041531c34d3a0cf5bcd4f458f846713e1384731087848c42a84b6b51ed6e6f6ead6a75c14845e808276e

    • C:\Users\Admin\AppData\Local\Temp\nsgE2DF.tmp\UAC.dll

      Filesize

      14KB

      MD5

      adb29e6b186daa765dc750128649b63d

      SHA1

      160cbdc4cb0ac2c142d361df138c537aa7e708c9

      SHA256

      2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

      SHA512

      b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

    • C:\Users\Admin\AppData\Local\Temp\rvrygxioh.vbs

      Filesize

      135B

      MD5

      b6dbce92daa0610886b101fce555f238

      SHA1

      ff55bf6ffa464940845d4c537ae2264f7ba66d87

      SHA256

      769f38cb6afee8c830e44f066beb21869d9f794458e17d260c309a95ec3083bf

      SHA512

      5e693c799831ab4d3516ca6e92122bc2e7f037fe9f594c820dc85bfb68e87d3d83e6e1ebfafc3d29e5af73170557dd1fdf577eb68612eaca77a0741b7fb082fa

    • memory/928-48-0x0000000000400000-0x0000000003255000-memory.dmp

      Filesize

      46.3MB

    • memory/2200-47-0x0000000000400000-0x0000000003255000-memory.dmp

      Filesize

      46.3MB

    • memory/3992-51-0x0000000003D90000-0x0000000003DB7000-memory.dmp

      Filesize

      156KB

    • memory/3992-52-0x0000000003D90000-0x0000000003DB7000-memory.dmp

      Filesize

      156KB

    • memory/3992-53-0x0000000003D90000-0x0000000003DB7000-memory.dmp

      Filesize

      156KB

    • memory/3992-54-0x0000000003D90000-0x0000000003DB7000-memory.dmp

      Filesize

      156KB

    • memory/3992-50-0x0000000003D90000-0x0000000003DB7000-memory.dmp

      Filesize

      156KB

    • memory/3992-49-0x0000000003D90000-0x0000000003DB7000-memory.dmp

      Filesize

      156KB