Analysis
max time kernel: 96s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-08-2024 00:39
Static task: static1
Behavioral task: behavioral1
  Sample: 98d5e4539d010d7fcfb6aa3d8d9b117f4f03ffb743f6fe345ef2c8ff7134e8d8.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 98d5e4539d010d7fcfb6aa3d8d9b117f4f03ffb743f6fe345ef2c8ff7134e8d8.exe
  Resource: win10v2004-20240802-en
General
Target: 98d5e4539d010d7fcfb6aa3d8d9b117f4f03ffb743f6fe345ef2c8ff7134e8d8.exe
Size: 282KB
MD5: 930b881844c3567acf81f0965fa35975
SHA1: 559d769f6d6205ff6a2d3a206467ea5cb883fa17
SHA256: 98d5e4539d010d7fcfb6aa3d8d9b117f4f03ffb743f6fe345ef2c8ff7134e8d8
SHA512: e33dbeac484de2937d82eda3471fa38cfcea8f59bff12c165a19151c5517940c6365c245dc954f1df9ee19025f8b151f3210b5259e0497d0f6ddf3fa2ac8881b
SSDEEP: 6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fKkfP:boSeGUA5YZazpXUmZhZ6Su
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 98d5e4539d010d7fcfb6aa3d8d9b117f4f03ffb743f6fe345ef2c8ff7134e8d8.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | 98d5e4539d010d7fcfb6aa3d8d9b117f4f03ffb743f6fe345ef2c8ff7134e8d8.exe

Executes dropped EXE (1 IoC)
Processes: a1punf5t2of.exe
pid | process
3956 | a1punf5t2of.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 98d5e4539d010d7fcfb6aa3d8d9b117f4f03ffb743f6fe345ef2c8ff7134e8d8.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe" | 98d5e4539d010d7fcfb6aa3d8d9b117f4f03ffb743f6fe345ef2c8ff7134e8d8.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 98d5e4539d010d7fcfb6aa3d8d9b117f4f03ffb743f6fe345ef2c8ff7134e8d8.exe, a1punf5t2of.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 98d5e4539d010d7fcfb6aa3d8d9b117f4f03ffb743f6fe345ef2c8ff7134e8d8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a1punf5t2of.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 98d5e4539d010d7fcfb6aa3d8d9b117f4f03ffb743f6fe345ef2c8ff7134e8d8.exe, a1punf5t2of.exe
description | pid | process | target process
PID 2916 wrote to memory of 3956 | 2916 | 98d5e4539d010d7fcfb6aa3d8d9b117f4f03ffb743f6fe345ef2c8ff7134e8d8.exe | a1punf5t2of.exe
PID 2916 wrote to memory of 3956 | 2916 | 98d5e4539d010d7fcfb6aa3d8d9b117f4f03ffb743f6fe345ef2c8ff7134e8d8.exe | a1punf5t2of.exe
PID 2916 wrote to memory of 3956 | 2916 | 98d5e4539d010d7fcfb6aa3d8d9b117f4f03ffb743f6fe345ef2c8ff7134e8d8.exe | a1punf5t2of.exe
PID 3956 wrote to memory of 3268 | 3956 | a1punf5t2of.exe | a1punf5t2of.exe
PID 3956 wrote to memory of 3268 | 3956 | a1punf5t2of.exe | a1punf5t2of.exe
PID 3956 wrote to memory of 3268 | 3956 | a1punf5t2of.exe | a1punf5t2of.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\98d5e4539d010d7fcfb6aa3d8d9b117f4f03ffb743f6fe345ef2c8ff7134e8d8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\98d5e4539d010d7fcfb6aa3d8d9b117f4f03ffb743f6fe345ef2c8ff7134e8d8.exe"
   PID: 2916
   - Checks computer location settings
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
      PID: 3956
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe (child of 2)
         Command line: "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
         PID: 3268
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 282KB
MD5: a8c5bd69b68e347fb06ae90976e83173
SHA1: 172faa2975b97c602a5095780aed70c5ba495054
SHA256: f4c3ce570a29ffcefb6ebea585c939822ee17e5db4273b02952a9e1d759fb219
SHA512: 52b1f4fbcd687578e5093d88f35828f350f85551a570d21a77a906b78b8cd1176630772b1ce76fa8e84361c8f8678c932d30c239520882d49d2e249c6837b157