Analysis

  • max time kernel
    96s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-08-2024 00:39

General

  • Target

    98d5e4539d010d7fcfb6aa3d8d9b117f4f03ffb743f6fe345ef2c8ff7134e8d8.exe

  • Size

    282KB

  • MD5

    930b881844c3567acf81f0965fa35975

  • SHA1

    559d769f6d6205ff6a2d3a206467ea5cb883fa17

  • SHA256

    98d5e4539d010d7fcfb6aa3d8d9b117f4f03ffb743f6fe345ef2c8ff7134e8d8

  • SHA512

    e33dbeac484de2937d82eda3471fa38cfcea8f59bff12c165a19151c5517940c6365c245dc954f1df9ee19025f8b151f3210b5259e0497d0f6ddf3fa2ac8881b

  • SSDEEP

    6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fKkfP:boSeGUA5YZazpXUmZhZ6Su

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\98d5e4539d010d7fcfb6aa3d8d9b117f4f03ffb743f6fe345ef2c8ff7134e8d8.exe
    "C:\Users\Admin\AppData\Local\Temp\98d5e4539d010d7fcfb6aa3d8d9b117f4f03ffb743f6fe345ef2c8ff7134e8d8.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2916
    • C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
      "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3956
      • C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
        "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
        3⤵
          PID:3268

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

      Filesize

      282KB

      MD5

      a8c5bd69b68e347fb06ae90976e83173

      SHA1

      172faa2975b97c602a5095780aed70c5ba495054

      SHA256

      f4c3ce570a29ffcefb6ebea585c939822ee17e5db4273b02952a9e1d759fb219

      SHA512

      52b1f4fbcd687578e5093d88f35828f350f85551a570d21a77a906b78b8cd1176630772b1ce76fa8e84361c8f8678c932d30c239520882d49d2e249c6837b157

    • memory/2916-0-0x0000000075242000-0x0000000075243000-memory.dmp

      Filesize

      4KB

    • memory/2916-1-0x0000000075240000-0x00000000757F1000-memory.dmp

      Filesize

      5.7MB

    • memory/2916-2-0x0000000075240000-0x00000000757F1000-memory.dmp

      Filesize

      5.7MB

    • memory/2916-3-0x0000000075240000-0x00000000757F1000-memory.dmp

      Filesize

      5.7MB

    • memory/2916-18-0x0000000075240000-0x00000000757F1000-memory.dmp

      Filesize

      5.7MB

    • memory/3956-17-0x0000000075240000-0x00000000757F1000-memory.dmp

      Filesize

      5.7MB

    • memory/3956-19-0x0000000075240000-0x00000000757F1000-memory.dmp

      Filesize

      5.7MB

    • memory/3956-20-0x0000000075240000-0x00000000757F1000-memory.dmp

      Filesize

      5.7MB

    • memory/3956-22-0x0000000075240000-0x00000000757F1000-memory.dmp

      Filesize

      5.7MB