Analysis
- max time kernel: 114s
- max time network: 116s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-08-2024 01:40
Static task: static1
Behavioral task: behavioral1
- Sample: dfc22ad60a3e5c942e56e20a9b634aa0N.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: dfc22ad60a3e5c942e56e20a9b634aa0N.exe
- Resource: win10v2004-20240802-en
General
- Target: dfc22ad60a3e5c942e56e20a9b634aa0N.exe
- Size: 281KB
- MD5: dfc22ad60a3e5c942e56e20a9b634aa0
- SHA1: 24cba7c577b7083f4c403d041fe9ae3eae8e7ad5
- SHA256: ad519fbe45377b1ba91db0b8bf615a733950433ad6b913f6dda64e1b9f6fa9f8
- SHA512: 86da6334ba54bd75250044bd498781f8ab8e0ff30321fc5905ca38f85ba5e2d6b57298d4d45ce553693ae0b9a864294dfc99acf0706eb4c398a54c1e415e5f77
- SSDEEP: 6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fKkfv:boSeGUA5YZazpXUmZhZ6Si
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes: dfc22ad60a3e5c942e56e20a9b634aa0N.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | dfc22ad60a3e5c942e56e20a9b634aa0N.exe
- Executes dropped EXE (1 IoC)
  Processes: a1punf5t2of.exe
  pid | process
  2952 | a1punf5t2of.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: dfc22ad60a3e5c942e56e20a9b634aa0N.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe" | dfc22ad60a3e5c942e56e20a9b634aa0N.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: a1punf5t2of.exe, dfc22ad60a3e5c942e56e20a9b634aa0N.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a1punf5t2of.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dfc22ad60a3e5c942e56e20a9b634aa0N.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: dfc22ad60a3e5c942e56e20a9b634aa0N.exe, a1punf5t2of.exe
  description | pid | process | target process
  PID 1256 wrote to memory of 2952 | 1256 | dfc22ad60a3e5c942e56e20a9b634aa0N.exe | a1punf5t2of.exe
  PID 1256 wrote to memory of 2952 | 1256 | dfc22ad60a3e5c942e56e20a9b634aa0N.exe | a1punf5t2of.exe
  PID 1256 wrote to memory of 2952 | 1256 | dfc22ad60a3e5c942e56e20a9b634aa0N.exe | a1punf5t2of.exe
  PID 2952 wrote to memory of 3644 | 2952 | a1punf5t2of.exe | a1punf5t2of.exe
  PID 2952 wrote to memory of 3644 | 2952 | a1punf5t2of.exe | a1punf5t2of.exe
  PID 2952 wrote to memory of 3644 | 2952 | a1punf5t2of.exe | a1punf5t2of.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\dfc22ad60a3e5c942e56e20a9b634aa0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dfc22ad60a3e5c942e56e20a9b634aa0N.exe"
  PID: 1256
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe (child of PID 1256)
    Command line: "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
    PID: 2952
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe (child of PID 2952)
      Command line: "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
      PID: 3644
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 281KB
  MD5: 0384a1616c3b7794892f88e46c4ca743
  SHA1: 950bcd5a65e9196c4342c31b057f2c402deaeefd
  SHA256: 9a34d6202e02051d366306bc21a08bc51ea46f7e41c1dcedbf9308da531b06ce
  SHA512: 46f3e4e83fec944dc3e71c70014c11ceea992dc12e01e804fb77f242b4a7fa0832f083838cee5d5a39099c81d50937de1d5a0410169ef0a44befc030b4076dc7