Analysis
- max time kernel: 96s
- max time network: 97s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-08-2024 15:38
Static task: static1
Behavioral task: behavioral1
- Sample: c7d3425a23b5b8d3d00eded5b83c0710N.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: c7d3425a23b5b8d3d00eded5b83c0710N.exe
- Resource: win10v2004-20240802-en
General
- Target: c7d3425a23b5b8d3d00eded5b83c0710N.exe
- Size: 281KB
- MD5: c7d3425a23b5b8d3d00eded5b83c0710
- SHA1: f58026846eeb92e4999fbca16578d41c144fceed
- SHA256: c9e7703faad3960594c4a4135f5ca3a6dca4dd0113af162e56b50c30fc55fa45
- SHA512: f3a7408856bcf97d22bfb2a6f07bfe45252b306bca374aa43cffccf7408864a6095d48af90930fb983fe9820b2f7797c8752fc4405d10927d3620aa279087a50
- SSDEEP: 6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fK8:boSeGUA5YZazpXUmZhZ6S8
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - Key value queried: \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation (process: c7d3425a23b5b8d3d00eded5b83c0710N.exe)
- Executes dropped EXE (1 IoC)
  Processes:
  - PID 4860: a1punf5t2of.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  - Set value (str): \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe" (process: c7d3425a23b5b8d3d00eded5b83c0710N.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: c7d3425a23b5b8d3d00eded5b83c0710N.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: a1punf5t2of.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  - PID 2504 (c7d3425a23b5b8d3d00eded5b83c0710N.exe) wrote to memory of PID 4860 (a1punf5t2of.exe), 3 times
  - PID 4860 (a1punf5t2of.exe) wrote to memory of PID 3932 (a1punf5t2of.exe), 3 times
Processes
- 1. C:\Users\Admin\AppData\Local\Temp\c7d3425a23b5b8d3d00eded5b83c0710N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c7d3425a23b5b8d3d00eded5b83c0710N.exe"
  PID: 2504
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - 2. C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
    Command line: "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
    PID: 4860
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - 3. C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
      Command line: "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
      PID: 3932
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 281KB
- MD5: 791a10fd1c80039cb9e3f4d2667e75f3
- SHA1: 850af1ddc02a37a7660cd3c2a05e40875943fd7b
- SHA256: 7821cffe27ba8b113562c7c2e3baebbc1a7c8c63cef8ac8aa1d0220dd9456ce2
- SHA512: b5a3e8c1286135e78c4f7c45a7f37dbaf271c50dadbcef75f166d9ea80069c6ecad4201eda9c0d2d9a7461e677e6eaa82465c16cb12c59f34edff7e5a5010be3