Analysis

  • max time kernel
    94s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-08-2024 19:21

General

  • Target

    dc2533b0feef85c78e45c3e1fb49d0f0N.exe

  • Size

    281KB

  • MD5

    dc2533b0feef85c78e45c3e1fb49d0f0

  • SHA1

    fa690783d8f1f704581d7c46c01b630aca361e4a

  • SHA256

    90115d512cb84ffadc9a85aaddc077fb817fa37198a863928291e9780cfa763f

  • SHA512

    c8c7354680c6fd9ffc5ff8211f264c15dca8b9a5e5afa92a9262abbcfedd2afeee20c32d0e970de5ac1358694b7c55a045aacfb6a4edee2e28d91612bbcc6795

  • SSDEEP

    6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fKkfMs:boSeGUA5YZazpXUmZhZ6SQ

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc2533b0feef85c78e45c3e1fb49d0f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\dc2533b0feef85c78e45c3e1fb49d0f0N.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
      "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3220
      • C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
        "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
        3⤵
          PID:4528

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

      Filesize

      281KB

      MD5

      22fdc9b13f72669f452ddc2f61930d9c

      SHA1

      ae98e7eb2c345996375d1c10424587a15a5dae77

      SHA256

      a9dcd608f344d28c2dd4c6496854f35311d4d86f7177d2e7dd74aab3e94ed264

      SHA512

      4433855b1d28255d02b62d13f05af83899a79a818563a77f3ebb69c8d32ca70fd65500b78cb2c6d06bd60cc8f1116c7b36c1031c4839a937b2a04d499fb68186

    • memory/1516-0-0x0000000074CB2000-0x0000000074CB3000-memory.dmp

      Filesize

      4KB

    • memory/1516-1-0x0000000074CB0000-0x0000000075261000-memory.dmp

      Filesize

      5.7MB

    • memory/1516-2-0x0000000074CB0000-0x0000000075261000-memory.dmp

      Filesize

      5.7MB

    • memory/1516-3-0x0000000074CB0000-0x0000000075261000-memory.dmp

      Filesize

      5.7MB

    • memory/1516-18-0x0000000074CB0000-0x0000000075261000-memory.dmp

      Filesize

      5.7MB

    • memory/3220-17-0x0000000074CB0000-0x0000000075261000-memory.dmp

      Filesize

      5.7MB

    • memory/3220-19-0x0000000074CB0000-0x0000000075261000-memory.dmp

      Filesize

      5.7MB

    • memory/3220-21-0x0000000074CB0000-0x0000000075261000-memory.dmp

      Filesize

      5.7MB