Analysis
- Max time kernel: 95s
- Max time network: 102s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240802-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 07/08/2024, 04:14
Static task: static1
Behavioral task: behavioral1
- Sample: 60e6e801300be8b2744597c9b46f92d0N.exe
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: 60e6e801300be8b2744597c9b46f92d0N.exe
- Resource: win10v2004-20240802-en
General
- Target: 60e6e801300be8b2744597c9b46f92d0N.exe
- Size: 29KB
- MD5: 60e6e801300be8b2744597c9b46f92d0
- SHA1: 2d7d4f0272b413cfb51505aa501e53767640a9d4
- SHA256: ba6f187d25bab435a00463bfd5bb06a1207338cee99d3c6ff06c3ae70a85b206
- SHA512: e8fe24e1d227d437591bc81ca332977f00702d2eb0e46a90ed61137259adfe4d977de8d374181dd74d01a35d77a268abb50743da55389883e199b2905800c457
- SSDEEP: 384:AGNkzd6k6qeGOIuQt50yV3GQhn93MKguGikhscLIFxJEpAI0Bnd0H:A+6lS4N3GQP3XLBgwx6pA7oH
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation (process: 60e6e801300be8b2744597c9b46f92d0N.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation (process: jkgfddk.exe)
- Executes dropped EXE (1 IoC)
  - PID 3184: jkgfddk.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 60e6e801300be8b2744597c9b46f92d0N.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: jkgfddk.exe)
- Suspicious use of WriteProcessMemory (3 IoCs)
  - PID 3096 wrote to memory of 3184 (process: 60e6e801300be8b2744597c9b46f92d0N.exe, procid_target: 85)
  - PID 3096 wrote to memory of 3184 (process: 60e6e801300be8b2744597c9b46f92d0N.exe, procid_target: 85)
  - PID 3096 wrote to memory of 3184 (process: 60e6e801300be8b2744597c9b46f92d0N.exe, procid_target: 85)
Processes
- C:\Users\Admin\AppData\Local\Temp\60e6e801300be8b2744597c9b46f92d0N.exe (PID 3096)
  Command line: "C:\Users\Admin\AppData\Local\Temp\60e6e801300be8b2744597c9b46f92d0N.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\jkgfddk.exe (PID 3184, child of PID 3096)
    Command line: "C:\Users\Admin\AppData\Local\Temp\jkgfddk.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 29KB
  MD5: 9ebc7e0caab09d69a07a69cf14d39578
  SHA1: 27a25e17d6d36712fcf4b305606f1f2c46019b9e
  SHA256: 6b4ef7d82479c8ed4788ae2fa6dd5a576e332f60d48f99d11f144d37b5647114
  SHA512: 54b1ab97c77b3e29dbdacbbc5c5fce627fcc88c3e1a50c41ef32b1d33cae72d9eafded767146ecdd5576967684cdf0828a2c1d67877350b7b4d34df4461bec67