Analysis
max time kernel: 115s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240730-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/08/2024, 02:37
Static task: static1
Behavioral task: behavioral1
  Sample: 3ff37570833246feca450570b488af90N.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 3ff37570833246feca450570b488af90N.exe
  Resource: win10v2004-20240730-en
General
Target: 3ff37570833246feca450570b488af90N.exe
Size: 57KB
MD5: 3ff37570833246feca450570b488af90
SHA1: b65787d1914bf58afcc604a38ea2b7dc6f5bd8a8
SHA256: 9f4d93da633a2b25b0fd5a2a37ce120499ce6d94b4bd8c688bd015b504a930ab
SHA512: 7cd9b4f767f45f1192b064bfea51fa6009351cfa0f98f72614da5dabfdc0615a8236eec1b94004de8ed269fb2c7882ced80b76887af439cc71dd5e51b2ecf5d8
SSDEEP: 384:asjPGY2HXgrkEYYhQ98E8I1XAV/QcaYpATUgch1A9NB/erxFpkM:aePG5H8XhKD8ISZQjkgs1lxFj
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Control Panel\International\Geo\Nation (Process: 3ff37570833246feca450570b488af90N.exe)
Executes dropped EXE (1 IoC)
  PID 1208: winupdate.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: winupdate.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: 3ff37570833246feca450570b488af90N.exe)
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 868 wrote to memory of PID 1208 (Process: 3ff37570833246feca450570b488af90N.exe, procid_target: 85)
  PID 868 wrote to memory of PID 1208 (Process: 3ff37570833246feca450570b488af90N.exe, procid_target: 85)
  PID 868 wrote to memory of PID 1208 (Process: 3ff37570833246feca450570b488af90N.exe, procid_target: 85)
Processes
C:\Users\Admin\AppData\Local\Temp\3ff37570833246feca450570b488af90N.exe (PID 868, tree level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3ff37570833246feca450570b488af90N.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\winupdate.exe (PID 1208, tree level 2, child of PID 868)
    Command line: "C:\Users\Admin\AppData\Local\Temp\winupdate.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 57KB
MD5: a010ec7ca8d3dcc199af2352870f2e42
SHA1: bbb93ffe66f3944d3bd8e84294a1429567c899ab
SHA256: f53be85c5174e513767ed3eebfbe23ac13cf1d1a7b2ef5cbf980db8e1fb85a92
SHA512: 20fd1a1d5531a96dac6a4d498c5dd2f9421fe05f7f89b31aab2729f301507eff75a666f5492abae00b3e038bef78d9ddfd6534f17c93b2d26bf3f149d2b5400e