Analysis

  • max time kernel
    96s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-08-2024 15:38

General

  • Target

    c7d3425a23b5b8d3d00eded5b83c0710N.exe

  • Size

    281KB

  • MD5

    c7d3425a23b5b8d3d00eded5b83c0710

  • SHA1

    f58026846eeb92e4999fbca16578d41c144fceed

  • SHA256

    c9e7703faad3960594c4a4135f5ca3a6dca4dd0113af162e56b50c30fc55fa45

  • SHA512

    f3a7408856bcf97d22bfb2a6f07bfe45252b306bca374aa43cffccf7408864a6095d48af90930fb983fe9820b2f7797c8752fc4405d10927d3620aa279087a50

  • SSDEEP

    6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fK8:boSeGUA5YZazpXUmZhZ6S8

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c7d3425a23b5b8d3d00eded5b83c0710N.exe
    "C:\Users\Admin\AppData\Local\Temp\c7d3425a23b5b8d3d00eded5b83c0710N.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2504
    • C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
      "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4860
      • C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
        "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
        3⤵
          PID:3932

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

      Filesize

      281KB

      MD5

      791a10fd1c80039cb9e3f4d2667e75f3

      SHA1

      850af1ddc02a37a7660cd3c2a05e40875943fd7b

      SHA256

      7821cffe27ba8b113562c7c2e3baebbc1a7c8c63cef8ac8aa1d0220dd9456ce2

      SHA512

      b5a3e8c1286135e78c4f7c45a7f37dbaf271c50dadbcef75f166d9ea80069c6ecad4201eda9c0d2d9a7461e677e6eaa82465c16cb12c59f34edff7e5a5010be3

    • memory/2504-0-0x0000000075142000-0x0000000075143000-memory.dmp

      Filesize

      4KB

    • memory/2504-1-0x0000000075140000-0x00000000756F1000-memory.dmp

      Filesize

      5.7MB

    • memory/2504-2-0x0000000075140000-0x00000000756F1000-memory.dmp

      Filesize

      5.7MB

    • memory/2504-3-0x0000000075140000-0x00000000756F1000-memory.dmp

      Filesize

      5.7MB

    • memory/2504-17-0x0000000075140000-0x00000000756F1000-memory.dmp

      Filesize

      5.7MB

    • memory/4860-19-0x0000000075140000-0x00000000756F1000-memory.dmp

      Filesize

      5.7MB

    • memory/4860-18-0x0000000075140000-0x00000000756F1000-memory.dmp

      Filesize

      5.7MB

    • memory/4860-20-0x0000000075140000-0x00000000756F1000-memory.dmp

      Filesize

      5.7MB

    • memory/4860-22-0x0000000075140000-0x00000000756F1000-memory.dmp

      Filesize

      5.7MB