Analysis
- max time kernel: 94s
- max time network: 105s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-08-2024 19:21
Static task: static1
Behavioral task: behavioral1
- Sample: dc2533b0feef85c78e45c3e1fb49d0f0N.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: dc2533b0feef85c78e45c3e1fb49d0f0N.exe
- Resource: win10v2004-20240802-en
General
- Target: dc2533b0feef85c78e45c3e1fb49d0f0N.exe
- Size: 281KB
- MD5: dc2533b0feef85c78e45c3e1fb49d0f0
- SHA1: fa690783d8f1f704581d7c46c01b630aca361e4a
- SHA256: 90115d512cb84ffadc9a85aaddc077fb817fa37198a863928291e9780cfa763f
- SHA512: c8c7354680c6fd9ffc5ff8211f264c15dca8b9a5e5afa92a9262abbcfedd2afeee20c32d0e970de5ac1358694b7c55a045aacfb6a4edee2e28d91612bbcc6795
- SSDEEP: 6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fKkfMs:boSeGUA5YZazpXUmZhZ6SQ
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
  - Key value queried: \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation (process: dc2533b0feef85c78e45c3e1fb49d0f0N.exe)
- Executes dropped EXE (1 IoC)
  Processes:
  - PID 3220: a1punf5t2of.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  - Set value (str): \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe" (process: dc2533b0feef85c78e45c3e1fb49d0f0N.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: dc2533b0feef85c78e45c3e1fb49d0f0N.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: a1punf5t2of.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (PID, process -> target PID, target process):
  - PID 1516 dc2533b0feef85c78e45c3e1fb49d0f0N.exe wrote to memory of PID 3220 a1punf5t2of.exe
  - PID 1516 dc2533b0feef85c78e45c3e1fb49d0f0N.exe wrote to memory of PID 3220 a1punf5t2of.exe
  - PID 1516 dc2533b0feef85c78e45c3e1fb49d0f0N.exe wrote to memory of PID 3220 a1punf5t2of.exe
  - PID 3220 a1punf5t2of.exe wrote to memory of PID 4528 a1punf5t2of.exe
  - PID 3220 a1punf5t2of.exe wrote to memory of PID 4528 a1punf5t2of.exe
  - PID 3220 a1punf5t2of.exe wrote to memory of PID 4528 a1punf5t2of.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\dc2533b0feef85c78e45c3e1fb49d0f0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dc2533b0feef85c78e45c3e1fb49d0f0N.exe"
  PID: 1516
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
    Command line: "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
    PID: 3220
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - Child: C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
      Command line: "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
      PID: 4528
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 281KB
- MD5: 22fdc9b13f72669f452ddc2f61930d9c
- SHA1: ae98e7eb2c345996375d1c10424587a15a5dae77
- SHA256: a9dcd608f344d28c2dd4c6496854f35311d4d86f7177d2e7dd74aab3e94ed264
- SHA512: 4433855b1d28255d02b62d13f05af83899a79a818563a77f3ebb69c8d32ca70fd65500b78cb2c6d06bd60cc8f1116c7b36c1031c4839a937b2a04d499fb68186